Remote Support Overview

What is Remote Support?

Remote Support is part of the Secure Remote Access product by Admin By Request, that allows you to share screens and remotely control devices inside of your Admin By Request inventory, while using all of the well-known features of the Admin By Request ecosystem, such as: inventory, auditlog, settings and sub-settings, approval flows etc.

Remote Support allows either end users or IT admins to initiate a secure, just-in-time, remote support session – allowing them to share and control the end-user's device – and tear everything down once the session is done – eliminating any access points for bad actors.

This document covers getting started with Product Enrollment and Remote Support. It also describes key settings that can be administered from the portal.

Prerequisites

In order to use the full power of Remote Support, there are a number of requirements:

Access to the portal at https://www.adminbyrequest.com/Login
Admin By Request for Windows 8.4.0, Build 31936+ on each client
Admin By Request API - port 443 for the following:
- api1.adminbyrequest.com (if your data is located in the USA)
- api2.adminbyrequest.com (if your data is located in Europe)
- api.adminbyrequest.com
Outbound MQTT broker connectivity - port 8883 for the following:
- FastTrackHubUS1.azure-devices.net (if your data is located in the USA)
- FastTrackHubEU1.azure-devices.net (if your data is located in Europe)
Cloudflare connectivity:

UDP outbound - port 7844 for the following:

region1.v2.argotunnel.com
region2.v2.argotunnel.com

And for firewalls that enforce Server Name Indication (SNI):
- cftunnel.com
- h2.cftunnel.com
- quic.cftunnel.com

Refer to https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/ for more information on Cloudflare's "tunnel with firewall" configuration.

The endpoint needs to be enrolled with an Admin By Request Secure Remote Access license (see Product Enrollment).

How does Remote Support work?

Remote Support is based on the same gateway concept as the Unattended Access gateway, which is also part of the Admin By RequestSecure Remote Access product. It allows a just-in-time setup between the gateway and the endpoint by establishing a secure Cloudflare tunnel.

Once the tunnel is established, a just-in-time server session is created on the endpoint – allowing for screen sharing and remote control via the browser.

Once the session is terminated or expires, the tunnel and the server session are terminated, leaving the endpoint in the same state as before the remote support session.

The setup is fully cloud-based and does not require any on-premise setup besides what’s mentioned in the prerequisites:

The flow for a Remote Support session can be initiated either by an end user or by an IT administrator via the portal .

End user initiated

The end user requests a Remote Support session from their endpoint – providing a reason for the request.
The IT admin approves (or denies) the request via the Admin By Request portal.

IT admin initiated

The IT admin navigates to a specific device in the Admin By Request portal inventory and clicks Support on the relevant endpoint to initiate a remote support session.
The end user is asked to approve the incoming Remote Support session from the IT admin.
Upon approval, a secure Cloudflare tunnel is initiated between the Admin By Request gateway and the endpoint and a just-in-time server session is created on the endpoint.
The IT admin is now connected to the endpoint via the secure tunnel and the remote support session commences.

Once the session is terminated – or expires – the session server and the tunnel are terminated.

The session is logged in the audit log in the Admin By Request portal, allowing for the IT admin to access documentation about each remote support session – as well as download a recording of each session (if recording is enabled).