Need help managing remote computers behind a firewall - Using Casper as an MSP

Not applicable

We are trying to set up Casper as a Managed Service Provider.
I have a new JSS running and have added a few client computers to it.

Right now, I know that everything basically runs over SSH. If, say, one of my computers is at a different location, i.e. at a client site, how am I able to connect to it?
Is that even possible?
Right now, it only seems to work if I have an Open VPN connection to the remote machine. I don't really see this as an option on a large scale.

Are there any other users out there that are using Casper in a MSP environment?
How do you manage your clients' computers?

Thanks,
-Henry

12 REPLIES

talkingmoose
Moderator
On 5/17/11 8:14 AM, "Henry Bonath" <henry at thinkcsc.com> wrote:

> We are trying to set up Casper as a Managed Service Provider. I have a new JSS running and have added a few client computers to it.

Not quite sure what you mean by this. Are you yourself the MSP or are you
working with an MSP who's offering you the Casper services?

> Right now, I know that everything basically runs over SSH. If, say, one of my computers is at a different location, i.e. at a client site, how am I able to connect to it? Is that even possible?

You're limited by what the remote location chooses to allow for outgoing
access.

The burden of communication between the Mac and the JSS falls to the Mac.
That means it has to be able to contact your JSS at HTTP, port 9006, or
HTTPS, port 8443 from inside their remote location. The burden of
communication between you and the Mac falls to you to be able to access it
on port 22, ssh from outside the remote location.

Our company offers vendors direct Internet access that's pretty much
unfettered but others may allow connecting non-company Macs directly to
their internal networks. If that's the case and they have a proxy server
(more than likely) then you'll have no way to manage these machines unless
the user changes to that location's proxy. Furthermore, for you to connect
remotely they'd have to allow incoming SSH access, which they'd be crazy
to do.

> Right now, it only seems to work if I have an Open VPN connection to the remote machine. I don't really see this as an option on a large scale. Are there any other users out there that are using Casper in a MSP environment? How do you manage your clients' computers?

Last November I met someone from Forget Computers
<http://www.forgetcomputes.com> at JAMF's National User Group in
Minneapolis. They're offering Mac management services, I believe, using
Casper.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

Not applicable

So how do you do it, then?
(Not you personally; I mean how would one accomplish this?)

Assuming your customer is at a site that either doesn't block outgoing connections or has the computers correctly configured to get through, how do you get through the firewall to get your SSH traffic to the machine? Do you require the client to be on your VPN? Use some other software for remote support? How do you handle updates?

I would think the ideal solution would involve a reverse SSH tunnel from the client to the server. This tunnel would be maintained as long as possible, and would allow the server to push data to the client. This would seem to be the most secure solution to me, though I don't know how feasible it is to maintain that many incoming SSH connections at once...

If Casper weren't already around, that's exactly how I would do it.
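
The reverse-tunnel idea from the post above, sketched as an added example that is not part of the original thread and not Casper's own mechanism. The relay host, `tunnel` account, port scheme and key are constructed placeholders, and the relay is assumed to run OpenSSH 7.8 or later.

```shell
#!/bin/sh
# Added example. All hosts, accounts, ports and keys here are constructed placeholders.
RELAY_HOST="relay.example.com"   # hypothetical SSH relay in the MSP's datacenter
RELAY_USER="tunnel"              # hypothetical unprivileged account on the relay
BASE_PORT=22000                  # assumed scheme: one loopback port per client ID

# Map a client ID (1-999, no leading zeros) to its dedicated port on the relay.
relay_port() {
    case "$1" in
        [1-9]|[1-9][0-9]|[1-9][0-9][0-9]) echo $((BASE_PORT + $1)) ;;
        *) return 1 ;;
    esac
}

# authorized_keys line for the relay. "restrict" (OpenSSH 7.2+) disables pty, agent,
# X11 and forwarding; port-forwarding plus permitlisten (7.8+) then re-allows only
# this client's own loopback listener, and the forced command blocks shell access.
authorized_keys_entry() {   # args: client_id public_key
    port=$(relay_port "$1") || return 1
    printf 'restrict,command="/bin/false",port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$port" "$2"
}

# Command the managed Mac keeps running (e.g. under launchd). -N requests no shell;
# ExitOnForwardFailure makes ssh exit if the listener cannot be bound, and the
# ServerAlive options detect a dead link so the supervisor can restart the tunnel.
client_tunnel_cmd() {       # args: client_id
    port=$(relay_port "$1") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
        "-o ServerAliveCountMax=3 -R 127.0.0.1:${port}:127.0.0.1:22" \
        "${RELAY_USER}@${RELAY_HOST}"
}

# Command help desk staff run on the relay to reach that Mac's sshd through the
# tunnel. HostKeyAlias keeps a separate known_hosts entry per client on 127.0.0.1.
helpdesk_cmd() {            # args: client_id admin_account
    port=$(relay_port "$1") || return 1
    echo "ssh -p ${port} -o HostKeyAlias=client-${1} ${2}@127.0.0.1"
}

# Demo with constructed values: client 17 and a placeholder public key.
authorized_keys_entry 17 "ssh-ed25519 AAAA...placeholder client-17"
client_tunnel_cmd 17
helpdesk_cmd 17 admin
```

Setting `AllowTcpForwarding remote` in a `Match User tunnel` block of the relay's sshd_config additionally stops a client key from opening local forwards into the relay's network.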

RobertHammen
Valued Contributor II

Also talk to JAMF about this, as they have a methodology to host a JSS if need be.

Back to the OP, please tell us:

a) where is the Casper server - on your network or the clients?
b) Are all of the clients on one network, or in various places over the Internet?

I manage two JSSes for two different companies. For my primary customer, the JSS exists on the corporate network (in a DMZ), and has open ports 8443 and 80 to the Internet. This means that client computers can check in no matter where they are on the Internet, as long as they can get outbound Internet access without restriction.

For my secondary customer, their JSS resides "in the cloud" on Amazon EC2. The clients are literally all over the world, and again, as long as they can get to the Internet unrestricted, they can be managed. The only place they can't is when they are connected to the corporate LAN (nasty BlueCoat authenticating proxy box interferes with the JAMF binary being able to access the server in the cloud). I'm currently building a new Win2KR8 VM on their network to replace the "cloud" JSS, with the intent of opening 8443 and 80 to the outside world as well.

So, I think what you are looking to do can be done, it's just not clear from your initial message what your exact scenario is.

--Robert

Not applicable

My JSS is in my "cloud"; we are a hosting provider with our own datacenter.
I have 8443 opened up incoming to my firewall (the one that the JSS is behind).
I also have nothing blocked on the outgoing side of my firewall.

My client machines are all over the state of Ohio behind various firewalls.

What I am wanting to accomplish is a reliable management system with remote desktop access.
i.e. a client calls into my help desk, my help desk staff are able to hop in and remotely control/assist clients wherever they are.

On the PC side, we use a product called N-Able which gives us exactly this functionality.
It works by the client tunneling into the server, and then proxying through the server to your desktop to allow remote access.

I am really hoping that Casper is a solution for us. I manage another JSS at a local school district and it's proven to be a great solution for them. I really would like to have it available for my hosted clients as a way to remotely support and manage them.

Any insight is appreciated!

-Henry

bentoms
Release Candidate Programs Tester

Casper doesn't host the remote session server side. Instead the binary creates a VNC session from an SSH command.

The schools would need to enable SSH & VNC access from your JSS's Public IP.

Regards,

Ben.

Not applicable

Actually, that wouldn't do it. They'd need to enable SSH (only) access from every potential location you could use Casper Remote to connect to them. Remote does not go through the server at all.

jarednichols
Honored Contributor

Correct. Remote only hits the server for authentication and then it is
point to point.

j
-- Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

bentoms
Release Candidate Programs Tester

That's what I meant, promise :P

Either way it's not hosted centrally. Unless you were to run Casper Remote remotely....

Regards,

Ben.

RobertHammen
Valued Contributor II

As others have said, Casper, specifically Casper Remote, is not going to work, since you need access to the VNC ports on the client. Even if you had those ports open on a router, if there are many computers behind it (NAT) there'd be no way to direct it to the relevant machine.
On May 18, 2011, at 5:01 PM, Henry Bonath wrote:

I could think of scenarios where you could either VPN into their network, and address them via their private IP, or have them VPN into your network. Either way you could use vnc and/or the computer management account/settings (in System Preferences->Sharing). However, neither is elegant/seamless.

You may need to look into something like LogMeIn. I've used it with a couple of customers for remote troubleshooting (much faster than driving 30-60 minutes onsite). No idea what the pricing would be for the environments/number of clients you'd need. It is cross-platform and there's also LogMeIn Ignition for iPhone/iPad remote control of machines.

--Robert

Not applicable

There's also GoToAssist, and TeamViewer. I'm sure Google can provide details.

You might also want to look at a program I wrote a few years ago, called sVNC. It was designed for this exact situation, but the setup is mostly manual (on the server [admin/support] side; the client [user-facing] side is trivial to use). I can't guarantee that it still works; I stopped developing it when Leopard came out with Screen Sharing, but you might still find it useful.

Here's the link:
http://svnc.sourceforge.net/

bentoms
Release Candidate Programs Tester

Also look at simplehelp.

Their support is poor, but it's cheap.

It's Java-based, so no need to preinstall; clients visit a webpage to initiate the screen sharing session.

Handy for those higher ups with issues @ home.

Regards,

Ben.

Not applicable

I forgot to mention; sVNC is fully open-source under the GPL. (And free, of course)
I can help you get it working, if you want.