Remote Support Overview

What is Remote Support?

Remote Support is part of the Secure Remote Access product by Admin By Request. It allows you to share screens and remotely control devices in your Admin By Request inventory while using the well-known features of the Admin By Request ecosystem, such as inventory, audit log, settings and sub-settings, and approval flows.

Remote Support allows either end users or IT admins to initiate a secure, just-in-time remote support session in which the end user's device can be shared and controlled. Everything is torn down once the session is done, eliminating any access points for bad actors.

This document covers getting started with Product Enrollment and Remote Support. It also describes key settings that can be administered from the portal.

Prerequisites

Using the full power of Remote Support requires the following:

  • Access to the portal at https://www.adminbyrequest.com/Login

  • Admin By Request for Windows 8.4.0+ on each client

  • Admin By Request API - port 443 for the following:

    • api1.adminbyrequest.com (if your data is located in Europe)

    • api2.adminbyrequest.com (if your data is located in the USA)

    • api.adminbyrequest.com

  • Outbound MQTT broker connectivity via WebSockets - port 443 for the following:

    • FastTrackHubEU1.azure-devices.net (if your data is located in Europe)

    • FastTrackHubUS1.azure-devices.net (if your data is located in the USA)

  • Cloudflare connectivity:

  • The endpoint needs to be enrolled with an Admin By Request Secure Remote Access license (see Product Enrollment).

How does Remote Support work?

Remote Support is based on the same gateway concept as the Unattended Access gateway, which is also part of the Admin By Request Secure Remote Access product. It allows a just-in-time setup between the gateway and the endpoint by establishing a secure Cloudflare tunnel.

Once the tunnel is established, a just-in-time server session is created on the endpoint – allowing for screen sharing and remote control via the browser.

Once the session is terminated or expires, the tunnel and the server session are terminated, leaving the endpoint in the same state as before the remote support session.
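One way to verify the teardown described above on an endpoint is to compare the bound sockets before a session and after it has ended. This is an added example, not Admin By Request code; the `netstat -ano` excerpts, addresses, ports and PIDs are constructed.

```python
import re

# Constructed `netstat -ano` excerpts (not captured from a real endpoint).
# Port 5900 is the conventional VNC port; the page does not state which port
# the just-in-time server uses.
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    10.0.0.15:50122        203.0.113.10:443       ESTABLISHED     3312
  UDP    0.0.0.0:5353           *:*                                    2210
"""
AFTER_LEFTOVER = BEFORE + """\
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       7788
  UDP    0.0.0.0:61234          *:*                                    7790
"""

# proto, local address, foreign address, optional state (absent for UDP), PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def bound_sockets(netstat_text):
    """Map (proto, local_address) -> owning PID for TCP listeners and UDP sockets."""
    sockets = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established client connections come and go normally
        sockets[(proto, local)] = int(pid)
    return sockets

def residual_sockets(before_text, after_text):
    """Sockets bound after the session that were not bound before it."""
    before, after = bound_sockets(before_text), bound_sockets(after_text)
    return sorted((p, a, after[(p, a)]) for (p, a) in after.keys() - before.keys())

if __name__ == "__main__":
    for proto, local, pid in residual_sockets(BEFORE, AFTER_LEFTOVER):
        print(f"still bound after teardown: {proto} {local} (PID {pid})")
```

Unrelated processes also open and close UDP sockets between snapshots, so triage each result by its owning PID.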

The setup is fully cloud-based and does not require any on-premises setup besides what's mentioned in the prerequisites.




The process flow for a Remote Support session can be initiated either by an IT administrator via the portal (admin-initiated) or by an end user at the endpoint (user-initiated).

Process - Admin-initiated

The process by which an administrator establishes a remote support session is:

  1. The administrator navigates to a specific endpoint in the Admin By Request Portal inventory and clicks the Support link associated with that endpoint. This action initiates a Remote Support connection.

  2. The Admin By Request client on the endpoint receives an instruction from the MQTT Broker to fetch settings using the Admin By Request API.

  3. The user at the endpoint is shown a prompt stating that an administrator is requesting a Remote Support session. The user must approve the request for the session to continue.

  4. Upon approving the request, the Admin By Request client opens a Cloudflare Tunnel via an outbound UDP call on port 7784 using the QUIC Protocol.

  5. The Admin By Request client creates a just-in-time VNC server on the endpoint and instructs the Admin By Request API that the endpoint is awaiting a connection.

  6. The Gateway is instructed to forward the VNC connection through the tunnel opened by the endpoint.

  7. A secure WebSocket connection is established between the administrator's browser and the Gateway. The response stream from the VNC connection is routed back to the browser using this secure connection.

KEY POINTS

  • Once the session is terminated – or expires – the session server and the tunnel are terminated.

  • The session is logged in the audit log in the Admin By Request portal, so the IT admin can access documentation about each remote support session and download a recording of each session (if recording is enabled).

  • Depending on the settings, each Remote Support session can be adapted with security and compliance features such as Multi-Factor Authentication (MFA), view-only access, session expiration and session recording.
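The following added example (not Admin By Request code) checks a firewall egress policy against the outbound flows named in the prerequisites and in step 4 above, and lists the ones the policy blocks. The rule format, the sample policy and the Cloudflare placeholder destination are constructed; port 443 is treated as TCP and api.adminbyrequest.com as required in every region.

```python
from fnmatch import fnmatch

# Placeholder: the page names no Cloudflare hostnames for the tunnel.
CLOUDFLARE_PLACEHOLDER = "cloudflare-tunnel.placeholder.invalid"

# Outbound flows from the prerequisites list and the tunnel step of the process.
# Assumptions: port 443 means TCP; the unqualified API host applies to all regions.
REQUIRED_FLOWS = {
    "ALL": [("tcp", "api.adminbyrequest.com", 443),
            ("udp", CLOUDFLARE_PLACEHOLDER, 7784)],  # Cloudflare Tunnel over QUIC
    "EU": [("tcp", "api1.adminbyrequest.com", 443),
           ("tcp", "FastTrackHubEU1.azure-devices.net", 443)],  # MQTT over WebSockets
    "US": [("tcp", "api2.adminbyrequest.com", 443),
           ("tcp", "FastTrackHubUS1.azure-devices.net", 443)],
}

# Constructed egress policy: first match wins, implicit deny at the end.
SAMPLE_POLICY = [
    {"action": "allow", "proto": "tcp", "dest": "*.adminbyrequest.com", "port": 443},
    {"action": "deny", "proto": "udp", "dest": "*", "port": "*"},  # blanket UDP/QUIC block
    {"action": "allow", "proto": "tcp",
     "dest": "fasttrackhubeu1.azure-devices.net", "port": 443},
]

def decide(policy, proto, host, port):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for rule in policy:
        if (rule["proto"] == proto
                and rule["port"] in ("*", port)
                and fnmatch(host.lower(), rule["dest"].lower())):
            return rule["action"]
    return "deny"

def blocked_flows(policy, region):
    """Required Remote Support flows for a data region that the policy blocks."""
    flows = REQUIRED_FLOWS["ALL"] + REQUIRED_FLOWS[region]
    return [flow for flow in flows if decide(policy, *flow) != "allow"]

if __name__ == "__main__":
    for region in ("EU", "US"):
        for proto, host, port in blocked_flows(SAMPLE_POLICY, region):
            print(f"{region}: blocked {proto}/{port} -> {host}")
```

With the sample policy, the blanket UDP deny blocks the tunnel on port 7784 in both regions even though every TCP 443 destination for Europe is allowed.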

Process - User-initiated

The process by which a user establishes a remote support session is:

  1. The user requests a Remote Support session from the Admin By Request client running on their endpoint.

  2. An administrator accepts the request from the Admin By Request portal.

  3. The Admin By Request client on the endpoint receives an instruction from the MQTT Broker to fetch settings using the Admin By Request API.

  4. The user at the endpoint is shown a prompt stating that an administrator is requesting a Remote Support session.

  5. Upon accepting the request, the Admin By Request client opens a Cloudflare Tunnel via an outbound UDP call on port 7784 using the QUIC Protocol.

  6. The Admin By Request client creates a just-in-time VNC server on the endpoint and instructs the Admin By Request API that the endpoint is awaiting a connection.

  7. The Gateway is instructed to forward the VNC connection through the tunnel opened by the endpoint.

  8. A secure WebSocket connection is established between the administrator's browser and the Gateway. The response stream from the VNC connection is routed back to the browser using this secure connection.

KEY POINTS

  • The end user requests a Remote Support session from their endpoint, providing a reason for the request if necessary.

  • The IT admin approves (or denies) the request via the Admin By Request portal.

Both admin-initiated and user-initiated processes are illustrated in the following diagram: