In 18.104.22.168 we formally added the ability to show remote connection links on Availability maps. We enhanced the options for this based on customer feedback in 22.214.171.124. While the settings are documented at https://www.sassafras.com/hrl/7.6/kr_availability.html#nomap we find there are a lot of questions about how all the Map options might come together. This post seeks to explore and clarify some of these complexities.
What it is Not
This is not a remote connection technology. We are not a connection broker. There is no new protocol involved here. By adding simple links using RDP or VNC to our Availability Maps we are simply helping jump from finding an available computer, to remotely connecting to it. As such, you need to consider the visibility of KeyReporter content as well as accessibility to the workstations. In no way will anything in our software bypass firewalls or actually handle the remote connection.
Since we’re talking about remote connections let’s start with the remote settings. You can now select, on a platform-specific basis (Mac, Windows, Linux), which kind of connection data, if any, you want to show. Since these are set per Floorplan, you can customize each division or tag based map individually. Remember these connection options are shown prominently in the list view, but do also show in the popup for a computer in plan view.
- Not Public will show nothing for computers of this OS.
- Show IP will show the IP address as plain text, not linked. This can be useful for mixed-platform guests connecting to Mac or Linux systems. While a Mac will open Screen Sharing for a VNC link, Windows has no handler for this. As such, you may want to just have users copy the IP into their VNC viewer. This is a trade-off depending on the popularity of the OS used by your guests.
- VNC Link will have a vnc://IP address behind the linked Connect text that is shown. Earlier versions would show the address, but for increased security we now just show the word Connect. On a Mac, clicking a VNC link opens Screen Sharing automatically. Windows will do nothing, so you may consider your options and audience.
- RDP Link will make the link download an RDP file that by default uses the IP of the machine to connect to. This can only be opened natively on Windows. macOS will need an application, usually Microsoft Remote Desktop from the App Store. There are several further ways to customize RDP links.
The toggle for Use Computer Name for RDP Connections will cause the RDP file to be named and contain the computer name instead of IP. If the connecting person is on a VPN that assumes the proper domain, this may be sufficient to connect, and will protect the IP addresses of your systems for security.
The Suffix for RDP Connections will be added to the end of the computer name if using the former option. This allows the connection to use the FQDN of the machine which may be needed depending on the DNS topology. It may also be needed if you have certificates to properly identify the named trust of a machine.
Customizing the RDP Template
Some organizations may need additional settings in their RDP files. A popular example is the use of an RDP Gateway. You can add custom lines to the template on the server and the resulting download will have the needed settings. Lines are added exactly as they would appear in a typical RDP file, nothing special is required. The location of the default template and location to copy it to for making custom additions can be found in our documentation. Any setting allowed in RDP files can be specified, so this is fully customizable.
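To make the interaction between Use Computer Name, the Suffix, and a customized template concrete, here is a small added example (not Sassafras code, and not how KeyReporter builds its downloads internally). It renders an RDP download from a template plus custom additions using the real `name:type:value` line syntax of .rdp files, then runs the checks an administrator would want to pass before a Connect link goes public. The base template, the gateway lines, the host names and the IP are all constructed for the example.

```python
"""Added example (not Sassafras code): render an RDP download the way the
Use Computer Name / Suffix options and a customized template combine, then
check the result before publishing the link.

Assumptions: real .rdp line syntax (`name:type:value`), a constructed base
template, constructed RD Gateway additions, and constructed host names.
"""

# Constructed stand-in for the server's default template.
BASE_TEMPLATE = """\
screen mode id:i:2
authentication level:i:1
prompt for credentials:i:1
"""

# Constructed custom lines an admin might copy into the template, e.g. to
# route sessions through an RD Gateway. Same syntax as any .rdp file line.
GATEWAY_ADDITIONS = """\
gatewayhostname:s:rdgw.example.edu
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
"""


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse `name:type:value` lines into {name: (type, value)}; later lines win."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)  # the value may itself contain ':'
        settings[name.strip().lower()] = (typ.strip(), value.strip())
    return settings


def render_rdp(*, ip: str, computer_name: str, use_computer_name: bool,
               suffix: str = "", template: str = BASE_TEMPLATE,
               additions: str = "") -> tuple[str, str]:
    """Return (download file name, file body) for one Connect link.

    With use_computer_name the target and the file name are the computer name
    plus suffix, so the machine's IP never appears in the download.
    """
    target = computer_name + suffix if use_computer_name else ip
    body = f"full address:s:{target}\n" + template + additions
    return f"{target}.rdp", body


def check_rdp(body: str, *, ip: str) -> list[str]:
    """Findings a defender would want resolved before the link goes public."""
    s = parse_rdp(body)
    findings = []
    if s.get("full address", ("", ""))[1] == ip:
        findings.append("target is the raw IP address")
    # authentication level 1 = do not connect if server authentication fails
    if s.get("authentication level", ("i", "0"))[1] != "1":
        findings.append("server authentication failures are not fatal")
    if "gatewayhostname" in s and s.get("gatewayusagemethod", ("i", "0"))[1] == "0":
        findings.append("gateway named but gatewayusagemethod is 0 (never use)")
    return findings


if __name__ == "__main__":
    for use_name in (False, True):
        name, body = render_rdp(ip="10.0.0.25", computer_name="lab-pc-01",
                                use_computer_name=use_name,
                                suffix=".lab.example.edu",
                                additions=GATEWAY_ADDITIONS)
        print(name, check_rdp(body, ip="10.0.0.25"))
```

Run as a script it prints the two download names and their findings: the IP-based file is flagged for exposing the address, the name-based one with the suffix passes cleanly and carries the gateway lines unchanged from the additions.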
Mixing up Platforms
So why might you want to change which protocol is used for a platform? The most popular reason is Linux machines. There is an open source implementation of RDP called xRDP that can be installed on Linux boxes. With that installed, using RDP instead of VNC offers a much more robust and secure environment, mimicking that of Windows. There is also a build of this available for Mac, as well as at least one other possible product that does the same thing. While much less typical, you could install a VNC server on Windows and use that instead of RDP. We offer you the flexibility to use whatever is the best fit for your environment.
Interactions with Options
The configuration settings for Maps changed to a tabbed layout in 126.96.36.199 to better organize them. On the Options tab are several items that, while not new, have potentially interesting impacts on your use of Remote links. You should consider these as you roll out links for public use. The reason these matter is that we only show Connect links for machines that are in the Available state. You generally do not want someone trying to connect to a machine that is In Use or Off, to avoid conflict and frustration.
Suppress Availability for Safety
This setting is designed for late night campus lab settings. If fewer than 5 users are in a space, no system will actually show as in use. The intent is to help protect a lone user in a lab from any bad behavior on the part of others. However, if you are making a lab available remotely, this can have a problematic impact. You should generally have this off when using Remote, under the assumption that physical use of the space has been terminated at the present time. Otherwise, someone could try to connect to a machine that is in use because it would be marked as Available for safety.
Base on Idle Sessions
This one is trickier. Most computing environments are fully authenticated. In such a setting, maybe you allow multi user logins. As such, maybe if a user is idle for 15 minutes you want to show the system as Available because someone else could log in if the other person wandered off. This can make sense in a physical lab space, but what about Remote? In that case maybe you don’t want to use this, because if you show a system as available when the person has simply gone for a break, someone else could try to log on.
In some lab settings all machines automatically log in to a service account on boot for convenience. If you make systems like that available remotely, you have a few problems to consider. The idle behavior is certainly one of those, but the sharing of the credentials for that service account for remote connecting could be another. This is probably not ideal from a security or convenience standpoint. As mentioned, it is recommended to not use this idle setting in Remote configurations, but it’s good to be aware of its impact for your environment.
There are two related idle settings in KeyConfigure. In Config -> General Settings -> Idle the last item is important for this as it determines the idle period. You may also want to turn on Write events to log when user sessions are idle while you’re here. The benefit to having this enabled is in reporting. Some login reports will have an optional column for Idle Time. This helps answer questions like: of the 50 hours a computer was used, was it active for that time, or was 48 of it idle because the user left it running and never came back?
Treat Off as Available
Again, we would recommend you turn this off for Remote settings. In a physical situation some people prefer to show an off system as Available as the assumption is it just needs to be turned on to be used. In a Remote situation of course you can’t turn a machine on, and you can’t connect to it. If it were to show as available, it creates connection failures and frustration.
Note that in general, the use of this setting relies on an administrative setting. In KeyConfigure under Config -> General Settings -> Idle you will find a checkbox for Track client computer startup and shutdown. Turning this on to track these system events is required to be able to know the on/off state of the machine in Maps.
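The three Options-tab settings above interact, and the failure mode is always the same: a machine that is not actually free gets marked Available and therefore gets a Connect link. The following added example (not Sassafras code, and not KeyReporter's real state logic) models that decision over a constructed four-machine lab so you can see which toggles produce misleading links in a Remote configuration. The "fewer than 5 users" threshold and the 15 minute idle period come from the post; the machine records, the order in which the rules are applied, and the counting of in-use machines as "users" are assumptions for illustration.

```python
"""Added example (not Sassafras code): how Suppress Availability for Safety,
Base on Idle Sessions and Treat Off as Available change which machines show
as Available, and therefore which ones get a Connect link.

Assumptions: constructed machine records, rules applied in the order
idle -> off -> safety, and in-use machines counted as the "users in a space".
"""
from dataclasses import dataclass

SAFETY_THRESHOLD = 5  # from the post: fewer than 5 users -> nothing shows as in use


@dataclass
class Machine:
    name: str
    powered_on: bool
    logged_in: bool
    idle_minutes: int = 0


@dataclass
class MapOptions:
    remote_links: bool = False        # Connect links enabled for this map
    suppress_for_safety: bool = False
    base_on_idle: bool = False
    idle_period_minutes: int = 15     # Config -> General Settings -> Idle (last item)
    off_as_available: bool = False


def raw_state(m: Machine) -> str:
    """What the machine is actually doing, before any display option applies."""
    if not m.powered_on:
        return "Off"
    return "In Use" if m.logged_in else "Available"


def displayed_states(machines: list[Machine], opts: MapOptions) -> dict[str, tuple[str, bool]]:
    """Return {name: (shown_state, show_connect_link)} for one map view."""
    states = {m.name: raw_state(m) for m in machines}
    if opts.base_on_idle:  # an idle session is presented as free
        for m in machines:
            if states[m.name] == "In Use" and m.idle_minutes >= opts.idle_period_minutes:
                states[m.name] = "Available"
    if opts.off_as_available:  # "just needs turning on" - useless remotely
        states = {n: "Available" if s == "Available" or s == "Off" else s
                  for n, s in states.items()}
    in_use = sum(1 for s in states.values() if s == "In Use")
    if opts.suppress_for_safety and 0 < in_use < SAFETY_THRESHOLD:
        states = {n: "Available" if s == "In Use" else s for n, s in states.items()}
    # Connect links appear only for machines shown as Available.
    return {n: (s, opts.remote_links and s == "Available") for n, s in states.items()}


def misleading_links(machines: list[Machine], opts: MapOptions) -> list[str]:
    """Machines that would get a Connect link although they are not actually free."""
    shown = displayed_states(machines, opts)
    return sorted(m.name for m in machines
                  if shown[m.name][1] and raw_state(m) != "Available")


# Constructed late-evening lab: two people logged in (one away from the
# keyboard for 40 minutes), one free machine, one powered off.
LAB = [
    Machine("lab-01", powered_on=True, logged_in=True, idle_minutes=2),
    Machine("lab-02", powered_on=True, logged_in=True, idle_minutes=40),
    Machine("lab-03", powered_on=True, logged_in=False),
    Machine("lab-04", powered_on=False, logged_in=False),
]

# Recommended Remote configuration from the post: links on, all three toggles off.
REMOTE_RECOMMENDED = MapOptions(remote_links=True)

# Physical-lab toggles left on after enabling Remote links.
REMOTE_WITH_LAB_TOGGLES = MapOptions(remote_links=True, suppress_for_safety=True,
                                     base_on_idle=True, off_as_available=True)

if __name__ == "__main__":
    for label, opts in (("recommended", REMOTE_RECOMMENDED),
                        ("lab toggles on", REMOTE_WITH_LAB_TOGGLES)):
        print(label, displayed_states(LAB, opts), "misleading:", misleading_links(LAB, opts))
```

With the recommended settings only lab-03 gets a link. With the physical-lab toggles on, idle turns lab-02 Available, off-as-available turns lab-04 Available, and because only one machine is then In Use (fewer than 5) the safety rule hides lab-01 too, so every machine shows a Connect link and three of them lead to a busy or powered-off computer.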
The layout of Floorplans for labs is a great visualization tool and very popular. However, knowing the layout of the room and where the available computer sits is hardly useful information in a remote desktop environment. By default when you draw a floorplan that is the view of the division. While you can toggle to the list view, many at this time want that as the default because it is concise and has rows of computers with the connection links. There are several options for working with different views without discarding all your hard drawn plans.
Make a new Tab
One easy approach is to make a new Map Set or Tab. Simply click the + to make a new set. In many cases you can leave it based on Division, and maybe give it a name like Remote Computing. On this new tab, you can quickly click through your divisions to add them. Each one you just turn on remote links, make visible to public, and click Add. Do not make a floorplan, we’re just making quick list views. And that’s it, you’re done in a minute or three. You can then change the settings of the default tab to make it not public for the time being. In the future, you can flip the tab visibility bringing back your drawn versions and hiding the quick list versions.
An alternative is to make a Tag based map tab. You may decide that instead of 5 labs being separate, with everything being remote let’s just make one big list. Using Value Tags on all the computers in those 5 divisions, you can then make a tag based map set with one item listed that contains all those computers. Because tabs are essentially meta data, this in no way disrupts your previous configurations and division structure. For more on tags see https://www.sassafras.com/hrl/7.6/tags.html#valuedtags and note we have an Admin Script for managing tags in bulk.
Another popular option is not using KeyReporter as the main user experience portal. Instead you can embed any KeyReporter object into another website. Because there is a rich set of options for URLs when doing this, you can customize the view. Click the above link to see information on how you can do this, and what options are available. You could for example have a frame on your site that shows all available computers only. No navigation bars from KeyReporter, none of the In Use or Off computers, etc. You could even do this in list view using existing Floorplans so as to not have to make a new tab as discussed in the previous section.
There was concern with our initial implementation that showed the IP address of the machines, and rightfully so. In a setting where this is a public IP, we’re giving a public way to see what machines are available by what platform and where to attack them. As a result, the 188.8.131.52 release hides this information behind a Connect link. Further, using the above settings you can use DNS names instead of IPs for RDP sessions. However, this may still not be enough.
You can also consider putting the whole of KeyReporter behind authentication, as discussed in TN2884.
Life moves pretty fast. If you don’t stop and read a blog once in a while, you could miss it. To paraphrase a famous quote anyway. With things changing fast these days, pulling together our new features and older features to see how they work together may be important. You might just find there was a cool way of using the product you hadn’t considered. As always, if you have any questions our support team is ready to help.
Author: Yadin Flammer
With a history in desktop support, systems administration, diverse software solutions, and creative problem solving, Yadin joined Sassafras after 15 years as a customer. His impact on the support team has been exceeded only by the exponential increase in bad puns and office plant life expectancy since his arrival.