Remote Access Manager White Paper

Executive Summary

The Remote Access Manager (RAM) provides secure, efficient, accessible, feature-rich remote desktop access, enabling IT managers to cut costs while improving quality of service.

Introduction

The Power of Remote Desktop Access

Remote desktop access enables a user to take complete control of a distant computer over an organization's network or the Internet, as if the user were sitting at that computer. This technology has a wide range of uses; some of the most common uses are:

When combined with real-time telecommunication through voice-over-IP or conventional telephony, remote desktop access makes location irrelevant for most IT tasks. Travel expenses are reduced, and organizations with multiple offices can reduce the size of their IT staff. A competent individual or small team can perform most IT tasks across the organization. As a result, every office in an organization can benefit from the same top-notch IT staff. In short, remote desktop access enables IT departments to cut costs while maintaining and even improving quality of service.

Problems with Previous Implementations

Though remote desktop access is a powerful tool, several problems with previous implementations hinder organizations from harnessing the power of this technology effectively.

A New Solution: Remote Access Manager

The Remote Access Manager (RAM) is an innovative remote desktop access package which addresses all of the problems described above.

Deployment, Management, and Security

At the center of RAM is a server which manages all remote access connections across the private network. An organization may install and run its own server, or it may use Serotek's Internet-based server. Network security policies need not be adjusted for each remotely accessible machine, and an organization can make its machines remotely accessible to authorized personnel over the Internet without compromising security. The server provides a Web-based interface for centralized deployment and management of remote access clients and remotely accessible machines (called hosts). In short, the RAM Server offers the convenience of centralized deployment and management without sacrificing security.

Shared Session

RAM puts the remote IT professional in the same Windows session as the end-user. Not only can the two people work with the same applications and documents at the same time, they can also exchange text and even files through the Windows clipboard. This makes remote training and distance learning possible and is also invaluable for technical support.

Accessibility

RAM is fully accessible to visually impaired users. The client features System Access, Serotek's ground-breaking, portable Windows access software. The pricing for each remotely accessible machine is comparable to that of firewall or anti-virus software, making it affordable to organizations of all sizes. Unlike the solutions that are accessible with conventional screen readers, RAM enables visually impaired professionals to perform remote training and help-desk support as easily as their sighted peers. Sighted end-users are given no direct indication that the IT professional is visually impaired; they do not hear the speech output that he or she requires. Unlike conventional screen readers, System Access does not require permanent system configuration changes, so accessibility is not lost when systems are upgraded or repaired. In short, RAM is the most accessible remote desktop access package on the market. Organizations can now easily and cost-effectively benefit from a large and growing pool of competent IT professionals who were previously unable to use remote desktop access software.

RAM Components

RAM consists of three components: the client, the host, and the server.

Client

The client is the program that IT professionals use to remotely access users' machines. It is installed on a portable U3 smart drive, also called a key, so IT professionals can use it on any Windows computer in the office, and potentially outside the office depending on the network security policy. The key contains not only the remote access client but also System Access, so visually impaired IT professionals can quickly and easily gain access to any Windows computer they encounter by plugging in the key.

Host

The host is the program which is installed on each machine that IT staff may need to access remotely. It is provided as a Windows Installer (MSI) package, so IT staff can easily deploy it to thousands of machines at once. Once deployed, the host software sits quietly in the background except when remote access is required. It makes no permanent system configuration changes, except to install itself as a Windows service. Except for an icon in the system tray (normally located at the bottom of the screen), users will not notice that the host software is present until they need it.

The host software plays a crucial role in RAM's accessibility. Because the host software communicates with System Access, it can provide speech output to visually impaired IT professionals when they access it remotely. However, the end-user does not hear this speech output unless he or she is already running a separately installed copy of System Access. If the user is running another known screen reader, the host software recognizes this and informs the IT professional. If the user is running JAWS for Windows or Window-Eyes, the host will even send the screen reader's speech output to the client so the IT professional will hear it.

Hosts can be divided into host groups; each host group has a user account on the RAM Server (described below). A host group may correspond to a department, office, or other organizational unit. Host groups are used to organize large numbers of machines, to set policy, and to ease deployment of the host software.

Server

The server manages all clients, hosts, and connections between the two. As mentioned earlier, an organization can either install and run its own private server or use Serotek's Internet-based server. Serotek's Internet-based server is the most convenient option, since it requires the organization to dedicate minimal resources to RAM. However, deploying a private server is also straightforward, and a private server provides the greatest control over security. Depending on the size of the network, running a private server may be more cost-effective in the long term than using Serotek's server. In both cases, the server provides an easy-to-use, fully accessible, Web-based interface for all management tasks.

A key function of the server is to provide downloadable installation packages for the client and host software. The server automatically configures these packages with information about itself and about the specific client or host group. The IT professional only needs to log in to the server's Web-based interface, download the appropriate package, and install it; no additional configuration is required. This automatic package configuration by the server makes RAM easy to deploy in organizations of all sizes.

The server also plays a vital role in RAM's security. Each host maintains a connection to the server, which notifies the host of remote access requests from clients. When a remote access session begins, the client and the host both make connections to the server, which relays data between them. Thus, no client can gain access to the host except through the server.
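
The relay model described above, as an added sketch in Python (not Serotek's code): hosts and clients both dial out to the server, which pairs the two connections and copies bytes between them unchanged. The HOST/CONNECT verbs, the host names and the loopback listener are assumptions made for the illustration, not RAM's proprietary protocol.

```python
import asyncio
hosts = {}  # name -> parked host connection; HOST/CONNECT verbs are hypothetical

async def pipe(reader, writer):  # copy bytes as-is; the relay never parses session data
    while data := await reader.read(4096):
        writer.write(data)
        await writer.drain()
    writer.close()

async def relay(reader, writer):
    verb, _, name = (await reader.readline()).decode().strip().partition(" ")
    if verb == "HOST":                         # host registers and is parked
        hosts[name] = (reader, writer)
        writer.write(b"OK\n")
    elif verb == "CONNECT" and name in hosts:  # client asks for a registered host
        h_reader, h_writer = hosts.pop(name)
        writer.write(b"OK\n")
        await asyncio.gather(pipe(reader, h_writer), pipe(h_reader, writer))
    else:                                      # unknown host: no path to it exists
        writer.write(b"DENIED\n")
        writer.close()

async def dial(port, line):  # hosts and clients both only dial out; neither listens
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(line)
    return reader, writer, await reader.readline()

async def host_session(reader, writer, _ack):
    writer.write(b"host saw: " + await reader.readline())
    writer.close()

async def client_session(port, name):
    reader, writer, status = await dial(port, f"CONNECT {name}\n".encode())
    if status == b"OK\n":
        writer.write(b"hello\n")
    reply = await reader.readline()            # b"" at EOF when the relay refused
    writer.close()
    return status.strip().decode(), reply.strip().decode()

async def demo():
    server = await asyncio.start_server(relay, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]  # constructed loopback relay
    host_task = asyncio.create_task(host_session(*await dial(port, b"HOST pc-042\n")))
    results = [await client_session(port, n) for n in ("pc-042", "pc-999")]
    await host_task
    server.close()
    return results

def run_demo():
    return asyncio.run(demo())
```

Because every session crosses `relay()`, that function is the one place where access to a host can be authorized and logged, and the host side needs only outbound connectivity to the server.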

Use Cases

Client Deployment

  1. The client user logs in to the server's Web-based interface using any browser.

  2. The server directs the user to a page from which he or she can download the client installer.

  3. The user presses the "Continue" button. The server informs the user that it is preparing the download.

  4. Within a few seconds, the download normally starts automatically. If not, the server provides a link with which the user can manually start the download.

  5. After downloading the installer, the user runs it.

  6. The installer prompts the user to insert his or her U3 Key to Freedom, which was previously prepared by the user or system administrator. Alternatively, if the user has already inserted the key, the installer detects it immediately.

  7. The installer presents information about the inserted key. If the key is in fact a U3 Key to Freedom, the user may either proceed with that key or insert another one. Otherwise, the installer informs the user that this key is not a U3 Key to Freedom and prompts the user to insert another one.

  8. Once the user has inserted a U3 Key to Freedom and confirmed that he or she wants to use that key, the installer installs the RAM Client on that key.

  9. The installer informs the user when it is finished. If the user is currently running System Access from the key that was just converted to a RAM Client key, the installer may need to restart System Access.

  10. The key is now ready to use.

Host Deployment

  1. The IT professional logs in to the server's Web-based interface with any browser.

  2. The server directs the user to a page from which he or she can download the host installation package for Windows Installer.

  3. The user presses the "Continue" button. The server informs the user that it is preparing the download.

  4. Within a few seconds, the download normally starts automatically. If not, the server provides a link with which the user can manually start the download.

  5. After downloading the package, the IT professional may run it manually on each machine if the number of machines is small, or automatically deploy it to all machines at once using a system management tool such as Microsoft Systems Management Server.

  6. Once installed, the host software on each machine automatically connects to the server and is ready for remote access. No additional action per host machine is required.

Remote Access Session

  1. The IT professional starts the RAM client using his or her U3 key.

  2. The IT professional enters the host name or IP address of the remote machine and sets other options for the session. If the IT professional does not know the host name or IP address of the remote machine, he or she can ask the remote user to move to the host software's icon in the system tray and read that icon's ToolTip.

  3. The host software prompts the remote user to either accept or reject the IT professional's request for remote access. The host displays either the IT professional's name or a generic name such as "Help Desk"; the IT professional can configure this through the RAM server.

  4. The remote user presses Control+Shift+Y to accept the request or Control+Shift+N to reject it.

  5. Assuming the remote user accepts the request, the IT professional is connected and ready to work within a few seconds. Both sides are notified when the connection is established.

  6. Either the IT professional or the remote user can end the session. Both sides are notified when the session ends.

Questions and Answers

Security

Do any ports need to be opened for the host machines?

No.

Are remote sessions encrypted?

Yes; all remote sessions, including file transfers, are encrypted end-to-end using Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL).

Can Serotek eavesdrop on sessions relayed by its Internet-based server?

No. Session key negotiation and encryption are performed end-to-end between the client and the host; the server merely relays data as-is. Therefore, the server is unable to decipher the data that it relays. This also applies to file transfers; in fact, the server is unaware that a file transfer is even being performed.

What measures have been taken to prevent buffer overruns, which may be exploited to execute arbitrary code?

Most of RAM, including all code which communicates with the network, is written in the high-level Python programming language. Like Java and the .NET Framework, Python automates all memory management, so buffer overruns are impossible.

On which ports does the private server listen for incoming connections?

By default, the private server listens only on TCP port 7260; this port number is configurable. This single port handles both HTTP and RAM's proprietary protocols. The private server can be configured to also listen on the standard HTTP port.

Does RAM comply with HIPAA?

Yes. For more information, please refer to our web site at www.serotek.com.

Private Server

Does the private server require a server version of Windows?

No; the private server runs on Windows XP as well as Windows Server 2003.

Does the private server require a database package such as Microsoft SQL Server?

No; the private server uses a built-in, high-performance, low-overhead, zero-configuration database engine.

Does the private server require a web server package such as Microsoft Internet Information Server?

No; the private server uses a built-in, high-performance, low-overhead web server.

Does the private server conflict with an existing web server on the same machine?

No; the private server does not listen on the standard HTTP port by default, though it can be configured to do so.

Does the private server depend on any software apart from the operating system?

No; the private server is a self-contained package which will run on any Windows XP or Windows Server 2003 system.

Does the private server require that its administrator have desktop access to the server machine?

No. Because the private server is packaged for Windows Installer, installation can be non-interactive. After installation, all management is performed using a web browser.

What limitations exist on the number of host machines that can connect to the private server?

The private server imposes no hard limit on the number of host machines that can connect to it; this number is limited only by CPU speed, available memory, and bandwidth.

Conclusion

Remote desktop access is an immensely powerful tool for IT staff in organizations of all sizes. The Remote Access Manager addresses the problems that most hinder organizations from harnessing the power of remote desktop access effectively. It provides security, convenience, powerful features, and accessibility in an integrated, affordable package. For more information or to inquire about deploying RAM in your organization, please contact your Serotek representative or visit our web site at www.serotek.com.
