LakelandOffice
asked on
Would like to be able to remote into a customers network
We are a copier company. We provide support for the copy machines. To access the machine currently, we have to remote into a computer on the customer's network using LogMeIn Rescue. From there we can access the copy machine using the web interface through the internet browser on the customer's computer. This requires the user's interaction as well as taking up a computer at the user's location. Additional problems with this setup are that sometimes the computer that I remote into has problems. I'm looking for a way to be able to connect to the web interface on the networked copy machine without any interaction with the user, without using the user's computer and (the big one) without modifying any setting on the user's firewall. This would need to work with any make of copy machine. All of the copy machines have a standard web interface. Any ideas?
Without making any change to the firewall, it's impossible. You would have to, at the least, forward a certain port to the copy machine's internal IP address.
ASKER
If I installed a computer there I could set up an unattended remote session to that computer which would give me access to the RUI on the copy machine. This can be done without modifying the user's network or firewall. It's very expensive installing a computer at each customer's location, mainly because of licensing. I can load Linux on this machine much cheaper but then I can't use LogMeIn Rescue to remote into a Linux machine. I'm looking for a device that would have a browser on it that I can remote into, or a way to remote into a Linux box without modifying the firewall.
The only other option that I see would be connecting via RDP to a server or workstation on that network.
They would need to create an account for remote access on said machine(s) for you to accomplish this.
Without editing rules on the firewall or the requirement of user interaction, your options are pretty limited.
VPN, port forwarding, logmein or similar are the only 3 ways I can think of.
The only way to get to the web interface of the copier itself from the outside is to set up a NAT (Network Address Translation) in their router that essentially says 123.45.67.89 = 192.168.xx.xx
Meaning the customer would need a valid (paid for) public static IP that translates in their router to a local private IP. With that done, and the appropriate port (whatever the Copier's web service is listening on) ANYONE including yourself would get the copier's web interface when they browse to http://123.45.67.89:xxx
They could get around paying for a static address by using a Dynamic DNS service but the end result would be the same.
Unfortunately LogMeIn/GoToAssist/GoToMyPC/ChunkVNC are your only options for unattended support. GoToAssist/GoToMyPC offer unattended support, once set up, that does not require user interaction.
ASKER
VPN won't work because the firewall would need to be modified and same with port forwarding. I have a logmein account but I can only remote into windows or apple machines and that can be expensive installing 3000 of those for every customer.
Logmein has a free version. Works great.
ASKER
michaelaknight - that requires modification of the firewall which can't be done. Not that we don't have the ability but these are customers and their IT depts may have issues with that, or they are a mom and pop shop and they have no idea how to get into their firewall because they didn't even know they had one. This is why modifying the router or firewall in any way is off the table.
ASKER
aarontomosky - I have the full paid version of LogMeIn Rescue and that works on Windows and Apple computers. It's too expensive installing 3000 Windows or Apple computers because we would need one at every customer's location; it's mainly because of software licensing. LogMeIn Rescue or standard LogMeIn doesn't work on a Linux machine.
Well that's the thing, if you want to add devices to log into from outside, you'd have to specify that in the firewall.
RDP would work if the clients already have RDP allowed through the firewall, but then you're going to need your clients to give you a network user ID and password. Same thing for VPN, and frankly, I would hope they would not do that (grant network access to a non-employee).
A computer or other unattended device with an always-on and open connection to logmein is also making the network vulnerable. As a network admin, I would not allow it, and I would be understanding that there is some overhead involved in having a partner support the copiers.
ASKER
Scottws1 - and there is my dilemma, which is why I'm on here. I can modify the router and do whatever I want but there are MANY instances where I can't modify the router. Most of our customers don't have an IT dept; the router they have is a cheap basic one and may not have the options that we need, or they have a good router but nobody knows the password. I would agree that having an open connection does make it vulnerable but it would still involve some hacking to do any damage and most of these places aren't worth the trouble to hack. The hacker would spend a few hours hacking a network to steal a church newsletter. A good portion of our customers have 2-3 computers and that is it. There are so many speed bumps with modifying the routers that it's just not an option. An unattended option has its security flaws but it is still rather secure and not much easier to hack the network than without the option.
There has got to be some device somewhere or a cheap way to do it. If not, I need to patent one.
You are dealing with a diverse customer base.
Some may be technical and some may not.
It is these limitations that will require you to do it the current way or the unattended option.
I appreciate your situation!
The problem of course starts with the printers presenting an http interface on the local, private LAN and that is it. This and all other addresses on the private LAN are generally inaccessible from the internet.
So, you are stuck with the "physics" of the situation. There is no way around the absolutes. They are what they are.
A checklist of notions:
1) Make the printer a web server.
Not too likely for the printers you are probably dealing with.
Not too likely with the networks and customers you are dealing with.
Not too likely because you'd need another public IP address.
Summary: not an option for you for three good reasons.
2) Use a private VPN
Not too likely because of customer constraints.
Not too likely because you'd need another public IP address OR have to get into the customer internet gateway
*if* it's VPN capable.
Summary: not an option for you for 2 or 3 good reasons.
3) Use a 3rd party VPN (well, that's what you're doing now really)
You have already demonstrated that it's possible.
It works.
etc.
So, I think that *3 is really your only choice. I don't know what features LogMeIn offers these days. I'm using GoToAssist Express from Citrix. There's no limit to the number of "Unattended" computers re: setup. The limit is with how many at ONCE I believe. I don't recall bumping into that limit .. ever.
Anyway, I'd put it on *more than one* client computer as unattended if they will stand for that. And, I would make sure I had liability protection. One price / many computers / many customers......
Requires two levels of logins. Use really tough passwords at both levels. Don't let any computers memorize them.
You could also look into Bomgar. I think that requires that you buy a server and have it on the web. Even so, I'm not sure that they have unattended connections but it's likely. You may not think that this is the cheapest way to go though.... have to do the math.
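The NAT explanation in michaelaknight's post and the "physics" checklist in fmarshall's post both come down to how a stateful NAT gateway decides what to let in. The toy model below is an added illustration written for this page, not code from LogMeIn, GoToAssist or any other product named in the thread; all addresses are constructed sample values. It shows the three cases discussed: an unsolicited inbound connection to the copier's LAN address is dropped, a static port-forward lets it through but for anyone on the internet, and an outbound connection opened from inside (the way an unattended support agent dials its relay) gets its replies back without any firewall change because the gateway itself created the state.

```python
"""Toy stateful NAT gateway illustrating why inbound access needs a firewall change
while outbound-initiated access does not. Constructed example; no real product code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arriving from the internet, "out" = leaving the LAN


@dataclass
class Gateway:
    public_ip: str
    # Static forwards the administrator configured: public port -> (LAN ip, LAN port).
    port_forwards: dict = field(default_factory=dict)
    # Connection tracking for flows the LAN opened:
    # (internet peer ip, peer port, public port used) -> (LAN ip, LAN port).
    conntrack: dict = field(default_factory=dict)
    next_nat_port: int = 40000

    def handle(self, pkt: Packet):
        """Return ('forward', public_ip, nat_port) for LAN->internet traffic,
        ('deliver', lan_ip, lan_port) for inbound traffic that is allowed,
        or ('drop', reason) for everything else."""
        if pkt.direction == "out":
            # A LAN host started this flow: remember it so the reply can come back.
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.conntrack[(pkt.dst_ip, pkt.dst_port, nat_port)] = (pkt.src_ip, pkt.src_port)
            return ("forward", self.public_ip, nat_port)
        # Inbound: is this a reply to a flow the LAN opened?
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:
            return ("deliver",) + self.conntrack[key]
        # Inbound: did the administrator forward this public port?
        if pkt.dst_port in self.port_forwards:
            return ("deliver",) + self.port_forwards[pkt.dst_port]
        return ("drop", "no tracked flow and no port-forward for this destination port")


# Constructed LAN address of the copier's web interface (private RFC 1918 space).
COPIER = ("192.168.1.50", 80)
PUBLIC_IP = "203.0.113.10"          # constructed customer public address
TECH_IP = "198.51.100.7"            # constructed support technician address
STRANGER_IP = "192.0.2.99"          # constructed unrelated internet host
RELAY_IP = "198.51.100.200"         # constructed remote-support relay service


def scenario_unsolicited_inbound():
    """Technician browses straight to the customer's public IP: nothing lets it in."""
    gw = Gateway(public_ip=PUBLIC_IP)
    return gw.handle(Packet(TECH_IP, 51515, PUBLIC_IP, 80, "in"))


def scenario_with_port_forward():
    """Admin forwards public 8080 to the copier: the technician gets in, and so does anyone else."""
    gw = Gateway(public_ip=PUBLIC_IP, port_forwards={8080: COPIER})
    tech = gw.handle(Packet(TECH_IP, 51515, PUBLIC_IP, 8080, "in"))
    anyone = gw.handle(Packet(STRANGER_IP, 40404, PUBLIC_IP, 8080, "in"))
    return tech, anyone


def scenario_outbound_agent():
    """A LAN box dials out to a relay on 443; only the relay's replies are let back in."""
    gw = Gateway(public_ip=PUBLIC_IP)
    _, pub_ip, nat_port = gw.handle(Packet("192.168.1.20", 50001, RELAY_IP, 443, "out"))
    reply = gw.handle(Packet(RELAY_IP, 443, pub_ip, nat_port, "in"))
    stranger = gw.handle(Packet(STRANGER_IP, 443, pub_ip, nat_port, "in"))
    return reply, stranger


if __name__ == "__main__":
    print("unsolicited inbound:", scenario_unsolicited_inbound())
    print("with port-forward:  ", scenario_with_port_forward())
    print("outbound agent:     ", scenario_outbound_agent())
```

The second scenario is the point behind the capitalised "ANYONE" earlier in the thread: a static forward is a property of the port, not of the person connecting, so the copier's login page becomes reachable from the whole internet. The third scenario is why the relay-based tools work with the firewall untouched, and also why scottws1's concern applies: the same outbound state that lets the relay's replies in exists for as long as the agent keeps that connection alive.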
ASKER
fmarshall - LogMeIn does allow for multiple unattended sessions but would need a computer to connect to. That would either be the customer's computer or one that we put in. I can get a basic PC to do the trick for around $200 each but with 3000 machines out there we are looking at over half a mil. Just a tad too pricy for what we would gain. I could go much cheaper with a Linux box but not sure how I would do an unattended remote session into Linux.
Here is an article to show you how to share the desktop in Ubuntu.
http://www.debianadmin.com/remote-desktop-sharing-in-ubuntu.html
ASKER
This is a vnc connection which is IP based. Primarily used to remote into a computer on the same network. If used outside the network, the firewall must be modified in order to work.
The link I provided was just one example of many different ways that you can connect to a linux box.
I understand that you would like an alternative solution versus how you are currently doing things.
No matter how you slice it, firewalls will HAVE to be modified in order to open a port, forward a port, set up port triggering etc.
All solutions offered above are viable.
There is going to be a lot of overhead involved if you decide to do something different than what you are currently doing now.
ASKER
Yes, they are all viable if I modify the firewall, but I won't be able to modify the firewall. It would need to be a device of some sort that can run on port 80 or 443 to initiate the connection. It would need to run similar to an unassisted remote login like LogMeIn Rescue. No firewall modifications are needed for that but a Windows or Mac computer is needed. Thought maybe someone on here has come across something that I can't find. It is not impossible to do, just someone may not have come out with it.
I just downloaded and installed a fascinating little application to accomplish a feat that has eluded me for quite some time now. It may also help you. Here is the link.
https://www.crossloop.com/home.htm My situation was the desire to login to my OSX box from a Windows environment in and outside of my LAN. This has filled the bill quite nicely. No firewall modifications necessary.
ASKER
Have used crossloop for years. Still requires a PC at the remote location.