I have been a long-time supporter of the Citrix Online GotoAssist product as an excellent way for organizations to provide remote support to their internal associates, but specifically for their remote office workers, work from home employees, and third party customers/partners. Whenever I’m able to, I try to convince a customer to purchase technician licenses for GotoAssist as opposed to pursuing other remote control solutions. The reason I suggest this is that GotoAssist is a third party brokered remote control solution, which makes it superior to regular remote control such as Remote Desktop, Remote Assistance, VNC, PC Anywhere, and several other vended Systems Management remote control solutions.
So what is a third party brokered remote control solution and why is it better than (insert other remote control technique here)?
A third party brokered remote control solution means that the support technician and the person they are trying to remote control are only connected via a third party server that relays the screen/keyboard/mouse data between the two systems. What is of critical importance in this design is that both systems (the remote controller and the person being remote controlled) have each created an outbound network connection to the third party remote control app server to indicate that they would like to establish a remote control session. This differs from traditional support technician initiated remote control in that you won’t have issues with firewall traversal or network address translation (NAT). See the diagrams below for an explanation of how traditional RDP/VNC, etc. compares to GotoAssist.
Typical RDP/VNC style remote control over the Internet
How GoToAssist and GoToAssist Express works:
The GoToAssist components work through firewalls and proxy servers because both systems initiate their communications outbound from their PCs. Most firewalls/proxies will allow inbound communication as long as it is in response to an outbound request from the inside. This is how GTA/GTAE is able to work through firewalls and proxies with zero configuration necessary.
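As an added illustration (not GoToAssist's actual protocol or code), the following Python models the brokered pattern on loopback: the broker holds the only listening socket, and both endpoints connect outbound and are paired by a shared 9-digit code like the one GoToAssist Express generates. The function names, wire format, sample codes and payloads are assumptions made for this example.

```python
import contextlib, socket, threading

def recv_exact(sock, n):  # TCP may hand back fewer bytes per recv call
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def pipe(src, dst):  # copy bytes one way until either side goes away
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)

def broker(listener):  # the only listening socket in the whole design
    waiting = {}
    while True:
        conn, _ = listener.accept()
        code = recv_exact(conn, 9)  # assumed wire format: 9-digit code first
        peer = waiting.pop(code, None)
        if peer is None:
            waiting[code] = conn  # first arrival waits for its partner
            continue
        for a, b in ((conn, peer), (peer, conn)):
            threading.Thread(target=pipe, args=(a, b), daemon=True).start()

def join(broker_addr, code, timeout=2):  # endpoint: outbound connect only
    sock = socket.create_connection(broker_addr, timeout=timeout)
    sock.sendall(code.encode())
    return sock

def demo():
    listener = socket.create_server(("127.0.0.1", 0))  # stand-in broker
    threading.Thread(target=broker, args=(listener,), daemon=True).start()
    addr = listener.getsockname()
    customer = join(addr, "123456789")  # constructed session codes
    stranger = join(addr, "000000000", timeout=0.3)  # different code
    technician = join(addr, "123456789")
    technician.sendall(b"keys:hello")  # constructed payloads
    customer.sendall(b"screen:frame1")
    leaked = b""
    with contextlib.suppress(socket.timeout):
        leaked = stranger.recv(1)  # must time out: nothing is relayed here
    return recv_exact(customer, 10), recv_exact(technician, 13), leaked

if __name__ == "__main__":
    print(demo())
```

Neither endpoint ever calls `listen()`, so a firewall or NAT in front of either one sees only an outbound connection and its replies.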
Now that we’ve explained how brokered remote control works, let’s get into my specific thoughts as to why it’s superior:
- No hardware firewall challenges – Traditional remote control products like RDP, Remote Assistance, VNC, etc. require specific ports to be open on the end user’s firewall systems. When the end user is only using a software firewall, this is pretty easy to teach them how to do. However, most people have hardware firewalls in the form of a Broadband router that performs basic NAT. Since there are hundreds of different types of hardware firewalls, it would be near impossible to document and explain to an end user how to make the necessary firewall pinhole changes to their specific device. Using GotoAssist, this isn’t necessary.
- No issues remote controlling multiple machines behind the same firewall – If you were going to go the route of modifying firewall rules, you usually will set up a specific pinhole from the outside to the inside for a specific port to a specific machine. For example, you would say Allow TCP/3389 (RDP) to 192.168.1.43. This would allow you to Remote Desktop from the Internet to 192.168.1.43. However, if you also wanted to RDP into another machine on that network, but the client only has a single public IP address (which is quite common for smaller businesses and home users) then you need to create a firewall pinhole for TCP/3390 (or some other port number) and then reconfigure the other machine to listen for RDP traffic on TCP/3390. While this definitely works, it also makes a lot of work for the remote support technician and requires good documentation so you know which machines are listening on which ports. It’s a mess.
- Security – Using our above examples where we opened up firewall ports to the Internet, keep in mind that while it enables you to remote control their PC over RDP it also allows every other single Internet user to do the same thing. Now someone might argue that “Well the attacker would need to know my IP address.” The answer is no, they simply need to be able to run a port scan of your IP range and they’ll find it. It only takes seconds or minutes at best to find an Internet host that’s allowing RDP. Once the RDP host is found, brute force attacks or worse yet unknown buffer overflows, etc. in the RDP protocol can take place. By using GotoAssist, there are no open inbound ports as the system being remote controlled is being accessed via the third party app server through the outbound established connections. Also, thinking you’re sneaky by statically assigning RDP to some port other than TCP/3389 won’t slow down anyone but the most inexperienced attacker.
- No issues with a group policy glitch that re-enables XP SP2’s software firewall and blocks you out – I’ve been at a few different organizations that have gone through Group Policy snafus where all of a sudden their XP SP2 group policy doesn’t apply to their desktops anymore. When this happens, the built-in XP SP2 software firewall gets enabled and effectively locks out your normal remote access ports. Again, using GotoAssist you are not affected by inbound software or hardware firewalls.
- Able to troubleshoot Citrix connection problems or VPN issues – In the consulting that I do for a living, one of the most common issues I run into that requires me to remote control someone’s system is that they are unable to get the Citrix client and/or the VPN Client working. If your remote access solution requires the user to already be inside a Citrix session (shadowing) or using another remote control product over the VPN, then what happens when the user isn’t able to establish those communications methods? You’re supporting them blindly.
- Proxy aware – Many of the clients I work for have Internet Proxy servers in their offices. Traditional remote control products will not work through a proxy as they are not proxy aware. GotoAssist, however, can work through a proxy server.
Now that we’ve discussed brokered remote control and why it’s superior, I’d like to take some time discussing GotoAssist Express Beta and why I think it’s so cool:
Citrix Online has been selling GotoAssist as one of its hosted product offerings ever since the acquisition of ExpertCity back in December of 2003. A few months ago, Citrix announced the beta release of something called GotoAssist Express. I’m unsure whether GotoAssist Express is intended to be a completely separate product with separate use case scenarios or the evolution of the next generation of the product. Regardless of the reason, I’m amp’d up about it. Here’s why it’s so much better than regular GotoAssist (in my opinion):
- Web 2.0 look and feel – The user interface for GoToAssist Express Beta is very Web 2.0 looking with glossy reflections, etc. While some may be tiring of this look by now, I still like it. Here’s a screen shot of the support staff interface page:
- Simplicity of starting a session – In the old GotoAssist you would launch the host component (for the technician or remote support rep) and then you would direct the person that you wanted to remote control to http://www.gotoassist.com/xx/myco (where xx and myco were specific branding components for your company’s homepage). With GoToAssistExpress it’s set up to be a bit easier to get people into your support session. With GotoAssist Express, when you launch the host component shown above, the application generates a 9-digit control code that ensures that only you and your customer get connected. Then you have the option of emailing the URL directly to your customer or to just copy/paste the URL and you can send it through your own means (Instant Messenger comes to mind). Finally, you could always just telephone the person and tell them to go to www.fastsupport.com and enter the 9-digit support code. It couldn’t get any easier than this.
- Chat client – GTAE has a built-in 2-way chat client that allows the technician and customer to communicate like a regular IM type client. While this feature has always been in GTA, I wanted to comment on it because I think it’s so much more valuable to use than traditional methods like launching Notepad and typing back and forth. One of the greatest things about the chat client is that it always pops into the foreground when an incoming chat message appears. This is particularly helpful when you’ve asked the user to work on something for 10 minutes and let you know when they’ve reproduced the issue. You can get on to other things and resume support when the popup chat message appears.
- Drawing Tools – While I haven’t used these much yet, I can definitely see where they would be valuable for a training session. Rather than driving the keyboard and mouse for the user, you could give them verbal instruction and draw circles and arrows and all sorts of stuff on their desktop. Very cool feature.
- Remote control of Mac clients – I read Seth Godin’s blog whenever I can and he had a blog entry recently that made a lot of sense to me. Apple is beginning to develop a problem. They are beginning to sway lots of people to their platform. When that happens, how do they continue to insist they are the underdog and that we should all “think different”. They are eventually going to need to re-invent their marketing tactics. While the marketing issue is Apple’s problem to solve, there are many more people buying Macs these days and those people will need support too. So GTAE allows you to remote control them. This is great news as it’s one of the limiting things with the original GTA. While I’m hopeful that Mac host support will exist one day, having Mac client support is a huge benefit.
- Multisession GoToAssist Ease of Use – The new user interface makes it really easy to operate on multiple GoToAssist sessions as they appear as little virtual session screens within the host application. See the following screenshot !!!
- Unattended Remote Support – This has to be the single greatest feature of GTAE. Unattended support works like this, you start a support session with a user. After you’re connected with the user you want to support, you click a button named Setup Unattended Support. Like this:
Once you’ve chosen to “Setup Unattended Support”, you’ll be prompted for authentication. Then the remote controlled user will be prompted to confirm they want to enable unattended support. If they choose to allow it, you are prompted to create a Nickname or alias for this machine and then a password. The password will be later used when attempting to connect to the unattended remote support session.
To use the “Unattended Remote Support” sessions you’ve setup, simply launch the GTAE program. After signing into GTAE, you simply right-click the GTAE system tray icon and choose “View Unattended Support Computers” from the context menu. When you choose this option, you’ll receive a screen like this one:
Now simply click on the computer you want to perform the remote support on and click the “Connect” button. You’ll be prompted for the password that you defined earlier and that’s it. I can’t say enough about how great this is for weekend support duties.
- Usage Reports – While Usage Reports are not a new feature to GTA, I find them particularly helpful and wanted to comment on them briefly. I really think the Usage Reports in GTAE are a life saver for consulting firms. Why? Because I’m sure there are tons of consultants out there that are just like me and frequently forget to document the time they spend on their clients. While I don’t have a consulting services manager who hounds me for my time, I also don’t get paid when I don’t accurately bill for the time that I spend working on clients. The usage reports in GTAE help me reconstruct where I’ve spent time so that I can then bill clients appropriately. Here’s a quick example of what a usage report looks like:
- Diagnostic reports – Not unlike the reports you gather through MSInfo32, GTAE allows you to request a diagnostic report from the remote controlled computer. While this probably won’t tell you where your support issues are, it’s always easier to browse through a diagnostic report than to go through 15 different screens/actions within Windows to generate the same information. To generate a diagnostic report, you click on Diagnostics and then Request Diagnostic Report.
At this point in time, the person being remote controlled will be asked permission to allow the diagnostic report to be generated. When they accept the request, you’ll see a window on your system like this:
- File Transfer – GTAE always supported file transfer to a client machine. But what’s really cool about GTAE Beta is that you can perform file transfers via Drag and Drop. Simply find a file on your desktop and drag it into the remote session and the user will be prompted to accept the file transfer. How cool is that?
- Reboot and Reconnect In Safe Mode – How many times have you needed to reboot someone’s machine and then re-connect back into it? I’m not sure if this is an issue any more, but in previous versions of GTA, the customer had to be present to re-acknowledge that they wanted to be remote controlled again. With GTAE, you can issue a reboot and automatically reconnect into your GTAE session. What is also very cool about this feature is that you have the option to reboot into Safe Mode with Networking. This is a perfect option for trying to troubleshoot a system that has malware/trojans/viruses on it since many of those components will not be able to load when in safe mode. Here’s a quick screenshot of the option to reboot.
And here’s the screen that you see while the machine is in the process of rebooting:
I will say that the reboot/reconnect is not completely foolproof, since a machine that is domain joined will still sometimes prompt you with “Ctrl-Alt-Del” to sign on before you’re able to reconnect. So you won’t always be guaranteed that you’ll be automatically reconnected. Thus it’s probably a good idea to have the end user nearby when you invoke the remote reboot just in case.
So if there’s all these great things about GoToAssist Express Beta, is there anything that’s not good about it?
From my initial testing, it doesn’t appear that GTAE supports remote controlling a session that is already remoted via RDP. So for those environments that are heavily leveraging VDI infrastructure (i.e. RDP’ing to a VM/Blade, etc) you’ll be out of luck trying to use GTAE to remote control their sessions and will need to rely on something like Remote Assistance. GTAE seems to remote control the Console session of the system, so you’ll only be able to use it to remote systems that are connected to the actual console of a system. Despite this limitation, GTAE still has some great features for the consumer side of remote control and even for 90% of your corporate assets.
How does one get access to GotoAssist Express Beta?:
You just need to sign up for an account. It’s free. 🙂 For now anyway….
My hopes for the release of GotoAssist Express:
GotoAssist Express is still a beta product, but it already offers some pretty compelling advantages over the previous generation GotoAssist. In addition, it offers tons of benefits over a regular remote control product. That being said, as an independent consultant I can’t rationalize purchasing a monthly technician license for the few times a month that I need to perform a remote control session for a customer. I’m usually onsite with my customers (most of which are Chicago based), so I only need it for emergency purposes. That being said, here are my wishes for the release of GotoAssist Express.
- A by-the-drink purchasing model for those independent guys that really don’t want to spend a monthly technician cost for the 3-4 times a month that they might need to do this. I think this would also work out great for larger organizations that might have 500 support technicians and want to allow all of them to use the product without having to figure out who’s using whatever shared account at that time. Each person could be given the client and the organization could pay just for what they’re using. Yes, I’m suggesting that Citrix Online move to an ASP/Utility Computing/SAAS licensing model. While one could argue that monthly subscriptions fit the ASP/Utility/SAAS model, I think it really needs to be metered on usage. You pay for what you use. Out of all the products in the world, this is one where I really see by-the-drink metered licensing making a lot of sense.
- Now that I’m a Mac bigot user I’d love to see a host component that runs on OSX. However, in the meanwhile I’m more than happy to use the product via VMWare Fusion (which is a fantastic product BTW).
Agree? Disagree? Let me know with a comment...