Remote Incident Manager White Paper
Executive Summary
The Remote Incident Manager (RIM) provides secure, efficient, accessible, feature-rich remote desktop access, enabling field technical support providers to cut costs while improving quality of service.
Introduction
The Power of Remote Desktop Access
Remote desktop access enables a user to take complete control of a distant computer over an organization’s network or the Internet, as if the user were sitting at that computer. This technology has a wide range of uses; it is especially useful for field technical support.
When combined with real-time telecommunication through voice-over-IP or conventional telephony, remote desktop access makes location irrelevant for most technical support tasks. Technicians need not face the frustrations of explaining complex step-by-step procedures to end-users; instead, a technician connects to the user’s computer and interacts with it directly to solve the problem. Travel expenses are reduced, and technical problems are resolved more quickly. Field technical support providers need not maintain a full staff in each location they serve. A competent individual or small team can perform most field technical support tasks for a large, scattered user base. In short, remote desktop access enables field technical support providers to cut costs while improving quality of service.
Problems with Previous Implementations
Though remote desktop access is a powerful tool, several problems with previous implementations hinder field technical support providers from harnessing the power of this technology effectively.
- Some implementations require changes in network security policies, such as firewall and NAT rules, for each remotely accessible machine. Mass deployment of such products for field technical support is impractical, especially in organizations where such adjustments must be made by a network administrator, who naturally does not wish to compromise network security.
- Some implementations do not support centralized management; instead, they require manual configuration to be repeated for each remotely accessible machine. Mass deployment of such products is clearly impractical.
- Some implementations, including most that are designed for field technical support, require the involvement of a central Internet server operated by the solution provider. Some of these services cost thousands of dollars per year per technician.
- Some implementations, such as Microsoft Terminal Services and Citrix Presentation Server (formerly MetaFrame), do not allow the end-user and the technician to share the same Windows session; instead, they create a new session, with its own desktop and running applications, for the technician. Except on Windows Server 2003, they even prevent the end-user from using the computer while the technician is connected. These products are unusable for many technical support scenarios.
- Some implementations require the technician to specify the desired remote machine by host name or IP address. This is impractical for providing field technical support to a large user base which is potentially scattered across the Internet.
- Some implementations designed for field technical support are reactive in nature. For instance, they require the user who needs support to start the session through a web browser, thus making significant assumptions about what the user is currently able to do with his or her computer.
- Only two solutions, Microsoft Terminal Services and Citrix Presentation Server, are accessible to visually impaired users via screen readers. Even with these two solutions, a screen reader license must be purchased for each remotely accessible machine, perhaps with a paid add-on for remote access; this is clearly impractical for field support across a large user base. These two solutions also have the session sharing problem described above. Furthermore, conventional screen readers chain their own display driver to the primary driver at installation time; this driver chain may be broken when the primary driver is upgraded or repaired, thus affecting sighted users even when the screen reader is not running. These limitations make it difficult and expensive for field technical support providers to benefit from a sizable pool of competent professionals.
A New Solution: Remote Incident Manager
The Remote Incident Manager (RIM) is an innovative remote desktop access package designed for field technical support, which addresses all of the problems described above.
Deployment, Management, and Security
At the center of RIM is a server which manages all remote access connections. A technical support provider may install and run its own server, or it may use Serotek’s Internet-based server. Network security policies need not be adjusted for each remotely accessible machine. The server provides a Web-based interface for centralized deployment and management of remote access clients and remotely accessible machines (called hosts). In short, the RIM Server offers the convenience of centralized deployment and management without sacrificing security.
Shared Session
RIM puts the technician in the same Windows session as the end-user. Not only can the two people work with the same applications and documents at the same time, they can also exchange text and even files through the Windows clipboard. This is also invaluable for field technical support because the technician can watch the user and show how to perform required tasks or avoid common problems.
Proactive Field Technical Support
RIM provides a unique solution for remote incident-based technical support. This solution is proactive in nature; a system builder, computer technician, or assistive technology specialist installs software on the end-users’ machines in advance, so users can easily activate the feature at any time, even in many circumstances that render the computer otherwise unusable. When a user has a problem, the technician need not specify the desired remote machine by IP address or host name; instead, the technician and user both enter an incident keyword chosen by the technician. If the technician needs to restart the user’s computer while solving the problem, he or she can choose to automatically re-connect to the computer once it is restarted; the technician can even force the computer to restart if it is unable to carry out the normal shutdown procedure. Thus, RIM makes it easy for a technician to serve remote users.
Accessibility
RIM is fully accessible to visually impaired users. The client features System Access, Serotek’s ground-breaking, portable Windows access software. There is no cost per remotely accessible machine, so RIM is affordable regardless of user base size. Sighted end-users are given no direct indication that the technician is visually impaired; they do not hear the speech output that he or she requires. Unlike conventional screen readers, System Access does not chain a custom display driver to the primary driver, so accessibility is not lost when the primary driver is upgraded or repaired. In short, RIM is the most accessible remote desktop access package on the market. Field technical support providers can now easily and cost-effectively benefit from a large and growing pool of competent professionals who were previously unable to use remote desktop access software.
RIM Components
RIM consists of three components, the client, the host, and the server.
Client
The client is the program that technicians use to remotely access end-users’ machines. It is installed on a portable U3 smart drive, also called a key, so technicians can use it on any Windows computer they encounter. The key contains not only the remote access client but also System Access, so visually impaired technicians can quickly and easily gain access to any Windows computer they encounter by simply plugging in the key.
Host
The host is the program which is installed on each end-user’s machine. It is provided as a Windows Installer (MSI) package, so system builders and technicians have flexibility in deployment options. Once deployed, the host software sits quietly in the background except when remote access is required. It makes no permanent system configuration changes, except to install itself as a Windows service. If not for a small icon in the system tray (normally located at the bottom of the screen), users would not notice that the host software was present until they needed it.
The host software plays a crucial role in RIM’s accessibility. Because the host software communicates with System Access, it can provide speech output to visually impaired technicians when they access it remotely. However, the end-user does not hear this speech output unless he or she is already running a separately installed copy of System Access. If the end-user is running another known screen reader, the host software informs the technician. If the end-user is running JAWS for Windows or Window-Eyes, the host will even send the screen reader’s speech output to the client so the technician will hear it.
Server
The server manages all clients, hosts, and connections between the two. As mentioned earlier, a field technical support provider can either install and run its own private server or use Serotek’s Internet-based server. Serotek’s Internet-based server is the most convenient option, since it requires the customer to dedicate minimal resources to RIM. However, deploying a private server is also straightforward. Depending on the size of the user base, running a private server may be more cost-effective in the long term than using Serotek’s server. In both cases, the server provides an easy-to-use, fully accessible, Web-based interface for all management tasks.
A key function of the server is to provide downloadable installation packages for the client and host software. The server automatically embeds all necessary configuration information in these packages. The system builder or technician only needs to log in to the server’s Web-based interface, download the appropriate package, and install it; no additional configuration is required. For the host software, the server can also email installation instructions to end-users on behalf of the technician. This automatic package configuration by the server makes RIM easy to deploy to a user base of any size.
The server also plays a vital role in RIM’s security. Each host maintains a connection to the server, which notifies the host of remote access requests from clients. When a remote access session begins, the client and the host both make connections to the server, which relays data between them. Thus, no client can gain access to the host except through the server.
Use Cases
Client Deployment
- The technician logs in to the server’s Web-based interface using any browser.
- The server directs the technician to a page from which he or she can download the client installer.
- The technician presses the “Continue” button. The server informs the technician that it is preparing the download.
- Within a few seconds, the download normally starts automatically. If it does not, the server provides a link with which the technician can manually start the download.
- After downloading the installer, the technician runs it.
- The installer prompts the technician to insert his or her U3 Key to Freedom, which was previously prepared by the technician or Serotek. Alternatively, if the technician has already inserted the key, the installer detects it immediately.
- The installer presents information about the inserted key. If the key is in fact a U3 Key to Freedom, the technician may either proceed with that key or insert another one. Otherwise, the installer informs the technician that this key is not a U3 Key to Freedom and prompts the technician to insert another one.
- Once the technician has inserted a U3 Key to Freedom and confirmed that he or she wants to use that key, the installer installs the RIM Client on that key.
- The installer informs the technician when it is finished. If the technician is currently running System Access from the key that was just converted to a RIM Client key, the installer may need to restart System Access.
- The key is now ready to use.
Host Deployment by a Technician or System Builder
- The technician or system builder logs in to the server’s Web-based interface with any browser.
- The technician or system builder chooses to download the host installation package.
- The server informs the technician or system builder that it is preparing the download.
- Within a few seconds, the download normally starts automatically. If not, the server provides a link with which the technician or system builder can manually start the download.
- Because the host software is provided as a package for Windows Installer, technicians and system builders have flexibility in how they deploy it. A technician serving a small user base may copy the package to his or her U3 key and install it in person. A system builder may include the package in an automated system setup procedure. Refer to the next use case for information on installation by end-users.
- Once installed, the host software on each machine automatically connects to the server and is ready for remote access. No additional action per host machine is required.
Host Installation by End-Users
- The technician logs in to the server’s Web-based interface with any browser.
- The technician chooses to send a host installation link to end-users by email.
- If the server does not have the technician’s complete contact information on file, it presents a form in which the technician enters the needed information.
- The technician enters the name and email address of each end-user to which the link should be sent.
- The server sends a personalized message from the technician to each end-user with the installation link and the technician’s contact information.
- When the end-user receives the message, he or she activates the link in the message to install the package.
- The web page referenced in the message includes detailed instructions for the end-user.
- Internet Explorer shows the Information Bar, telling the user that the page wishes to use an ActiveX control.
- The user presses Alt+N to activate the Information Bar, then presses Space to open the Information Bar’s context menu if it does not open automatically.
- The user chooses “Install ActiveX Control” from the menu.
- Internet Explorer shows the user that the ActiveX control is called “Remote Access Host” and has been signed by Serotek.
- The user activates the Install button in this dialog by pressing Alt+I.
- The host software is installed. The web page notifies the user when installation is complete.
Remote Incident
- The technician chooses a keyword for this incident, such as the first name of the technician or user.
- The technician starts the remote incident client from his or her U3 key, enters the keyword, and sets other options for the incident.
- The end-user presses Control+Shift+Backspace from anywhere in his or her system to invoke the remote incident feature of the host software.
- The host prompts the end-user for the incident keyword, both visually and through speech output, even if the end-user’s screen reader or other assistive technology is not functioning.
- The end-user enters the keyword provided by the technician. The host echoes the letters the end-user types both visibly and audibly.
- Within a few seconds, the technician is connected to the end-user’s computer and is ready to work.
- The host provides these options with regard to speech output:
  - If the technician needs speech output and the end-user’s computer is not running a known screen reader, the host automatically starts System Access. In this case, only the technician hears the speech output.
  - If a supported screen reader is running and functioning properly on the end-user’s computer, both the end-user and the technician will hear that screen reader’s speech output.
  - If a supported screen reader is running but not functioning properly, or if the end-user is running a screen reader that the host software recognizes but does not support, the technician can terminate that screen reader and start System Access. Again, only the technician will hear the speech output in this case.
- If the technician needs to restart the end-user’s computer, he or she can choose to automatically re-connect to the computer after it is restarted.
  - If the technician performs a normal Windows shutdown, RIM will first ask if he or she wants to continue the session after the computer is restarted.
  - If the technician is unable to perform a normal shutdown due to the state of the end-user’s computer, he or she can initiate an immediate, forced reboot. RIM will prompt for confirmation before proceeding with such a reboot. In this case, the technician will automatically be re-connected to the end-user’s computer after it is restarted.
- After disconnecting from the end-user’s computer, the technician can leave a comment about the incident, for record keeping and reporting.
Questions and Answers
Security
Do any ports need to be opened for the host machines?
No.
Are remote sessions encrypted?
Yes; all remote sessions, including file transfers, are encrypted end-to-end using Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL).
Can Serotek eavesdrop on sessions relayed by its Internet-based server?
No. Session key negotiation and encryption are performed end-to-end between the client and the host; the server merely relays data as-is. Therefore, the server is unable to decipher the data that it relays. This also applies to file transfers; in fact, the server is unaware that a file transfer is even being performed.
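The relay arrangement described in the Server section and in the answer above, as an added example in Go that is not RIM's code: the relay copies bytes between the client and the host without taking part in the TLS handshake, so the plaintext the host decrypts never appears in anything the relay forwarded. The self-signed certificate, the host name example-host and the message are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// hostCert builds a throwaway self-signed certificate for the host endpoint (constructed here; not RIM's).
func hostCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example-host"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this host certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// RunSession sends msg from the client to the host through a relay that stands in
// for the RIM server, then reports what the host decrypted and whether the relay,
// which only copies bytes, ever saw the plaintext pass from client to host.
func RunSession(msg string) (received string, relaySawPlaintext bool) {
	clientSide, relayA := net.Pipe() // client <-> relay
	relayB, hostSide := net.Pipe()   // relay <-> host
	var seen bytes.Buffer            // every byte the relay forwarded client -> host
	go func() {                      // client -> host: record, then forward unchanged
		buf := make([]byte, 4096)
		for {
			n, err := relayA.Read(buf)
			if n > 0 {
				seen.Write(buf[:n])
				relayB.Write(buf[:n]) // no session key here, so nothing can be decrypted
			}
			if err != nil {
				relayB.Close()
				return
			}
		}
	}()
	go func() { io.Copy(relayA, relayB); relayA.Close() }() // host -> client, unchanged
	cert, pool := hostCert()
	client := tls.Client(clientSide, &tls.Config{RootCAs: pool, ServerName: "example-host"})
	go func() { // the client's half of the session runs concurrently with the host's
		client.Write([]byte(msg)) // triggers the TLS handshake end-to-end with the host
		client.Close()
	}()
	host := tls.Server(hostSide, &tls.Config{Certificates: []tls.Certificate{cert}})
	data, _ := io.ReadAll(host) // TLS terminates at the host, not at the relay
	host.Close()
	return string(data), bytes.Contains(seen.Bytes(), []byte(msg))
}
```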
What measures have been taken to prevent buffer overruns, which may be exploited to execute arbitrary code?
Most of RIM, including all code that communicates with the network, is written in the high-level Python programming language. Like Java and the .NET Framework, Python manages memory automatically and bounds-checks every buffer access, so buffer overruns are impossible in that code.
On which ports does the private server listen for incoming connections?
By default, the private server listens only on TCP port 7260; this port number is configurable. This single port handles both HTTP and RIM’s proprietary protocols. The private server can be configured to also listen on the standard HTTP port.
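One way a single listener can carry both HTTP and a proprietary protocol, as an added example in Go that is not RIM's code and does not describe RIM's actual wire format: the listener peeks at a connection's first bytes without consuming them and routes the connection to the matching handler, closing anything it cannot classify. The RIM1 magic prefix, the eight-byte peek and the five-second classification deadline are assumptions made for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"net"
	"time"
)

// Kind names the protocol detected on a connection to the shared port.
type Kind string
const KindHTTP, KindRIM, KindUnknown Kind = "http", "rim", "unknown"

// rimMagic is a hypothetical prefix assumed for this example; RIM's real framing is not on the page.
var rimMagic = []byte("RIM1")
// httpMethods are the request-line starts an HTTP/1.x client may send first.
var httpMethods = [][]byte{[]byte("GET "), []byte("HEAD "), []byte("POST "),
	[]byte("PUT "), []byte("DELETE "), []byte("OPTIONS ")}

// Classify decides which protocol a connection speaks from its first bytes; anything
// matching neither is reported as unknown rather than guessed, so it can be dropped.
func Classify(prefix []byte) Kind {
	if bytes.HasPrefix(prefix, rimMagic) {
		return KindRIM
	}
	for _, m := range httpMethods {
		if bytes.HasPrefix(prefix, m) {
			return KindHTTP
		}
	}
	return KindUnknown
}

// Demux peeks at the first bytes without consuming them, so the handler that receives
// the connection still reads the stream from its first byte via the returned reader.
func Demux(conn net.Conn) (Kind, *bufio.Reader) {
	br := bufio.NewReader(conn)
	prefix, _ := br.Peek(8) // a short read (EOF, tiny probe) classifies as unknown
	return Classify(prefix), br
}

// Serve accepts on the single configured port and routes each connection to the handler
// for its protocol; the read deadline stops a silent client from holding a goroutine open.
func Serve(ln net.Listener, handlers map[Kind]func(*bufio.Reader, net.Conn)) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		go func() {
			conn.SetReadDeadline(time.Now().Add(5 * time.Second))
			kind, br := Demux(conn)
			conn.SetReadDeadline(time.Time{})
			if h, ok := handlers[kind]; ok {
				h(br, conn)
			} else {
				conn.Close()
			}
		}()
	}
}
```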
Does RIM comply with HIPAA?
Yes. For more information, please refer to our web site at www.serotek.com.
Private Server
Does the private server require a server version of Windows?
No; the private server runs on Windows XP as well as Windows Server 2003.
Does the private server require a database package such as Microsoft SQL Server?
No; the private server uses a built-in, high-performance, low-overhead, zero-configuration database engine.
Does the private server require a web server package such as Microsoft Internet Information Server?
No; the private server uses a built-in, high-performance, low-overhead web server.
Does the private server conflict with an existing web server on the same machine?
No; the private server does not listen on the standard HTTP port by default, though it can be configured to do so.
Does the private server depend on any software apart from the operating system?
No; the private server is a self-contained package which will run on any Windows XP or Windows Server 2003 system.
Does the private server require that its administrator have desktop access to the server machine?
No. Because the private server is packaged for Windows Installer, installation can be non-interactive. After installation, all management is performed using a web browser.
What limitations exist on the number of host machines that can connect to the private server?
The private server imposes no hard limit on the number of host machines that can connect to it; this number is limited only by CPU speed, available memory, and bandwidth.
Conclusion
Remote desktop access is an immensely powerful tool for field technical support, regardless of user base size. The Remote Incident Manager addresses the problems that most hinder field technical support providers from harnessing the power of remote desktop access effectively. It provides security, convenience, powerful features, and accessibility in an integrated, affordable package. For more information or to inquire about deploying RIM in your organization, please contact your Serotek representative or visit our web site at www.serotek.com.