Channel: Devolutions Forum - Recent Posts

Topic "How to tunnel (SSH/SSL) via proxy to remote server?" a message from swinster

Hi,

Last night I wrote an email to the support team at Devolutions, but thought I'd throw it open to others to see if this is a feasible idea.

I have been playing on and off with RDM for some time but I haven’t really looked at its full potential. I believe the application will pretty much do what I’m looking for (maybe with additional software) but I thought I’d check before pursuing any further.

We are a small team (5 techies) but manage a large number of remote servers and services using a variety of protocols (mainly HTTPS (not remote desktop, but still remote management), SSH, VNC, etc.) and to do this we use a few access servers (will be Windows 2008) depending on the endpoint we are managing. The endpoints themselves sit behind multiple corporate firewalls so the management of these services has to be initiated from the relevant access server. However, the connection to these access servers is generally via RDP, which means the techies are on their workstations/laptops, then RDP into an access server and can then remotely manage the relevant endpoint via the RDP session. However, there are a number of issues with this.

Firstly, RDP sessions on a Windows box (not in Terminal Services mode) are limited to 2 per server. Secondly, RDP isn’t necessarily the securest protocol in the world. Thirdly, whilst the techies can easily RDP to the access server if they are on our site, if they are at the customer site they still may need this RDP access, which itself can often be blocked by the customer’s firewall rules – and often we don’t have simple physical access or local IP access to the relevant endpoints.

I initially thought of running RDM clients on the access servers, but I don’t think this would be the simplest solution – you would still need to use RDP to get into the access servers, and potentially set up separate password stores.

So, I was thinking that if we could create an SSL tunnel (something like sTunnel, which uses OpenSSL) from the techies’ laptops to the access servers, they could then use the tunnel to remotely manage the endpoint in question using RDM locally on their workstation/laptop, essentially using the access servers as a proxy. Because there are multiple access servers, I don’t think a single VPN would work without setting up some complex routing rules, but if each of the access servers were able to accept a tunnel connection, then maybe RDM could be used to direct the relevant connections using the relevant tunnel. Is this feasible? If not, could RDM be used in another way? Has anyone set up anything similar to this? If so, what did you use and how did you set it up?

The other issue we have is that of password security yet maintaining synchronisation. If I’m correct, RDM can connect through a backend MS SQL DB and maintain an offline cache thus enabling the techies to always have the latest passwords. Is this correct? What are the security implications of this, such as how are the passwords stored?

I look forward to your response.

Chris
edited by swinster on 11/18/2012
