Unattended Access Overview

Introduction

Secure Remote Access enables IT administrators and vendors to access critical systems remotely while maintaining robust security and compliance. This topic introduces key terms such as unattended access, cloud gateways, on-premise gateways and the prerequisites for different configurations.

Subsequent topics cover getting started, product enrollment and modifying gateway configurations.

Related information

What is Unattended Access?

Unattended Access is a feature of Secure Remote Access that allows you to connect remotely to your servers and network endpoints directly from your browser, using a lot of the well-known Admin By Request features like: inventory, auditlog, settings and sub-settings, approval flows, integrations etc.

The implementation of Unattended Access can use either a "Cloud" or an "On-premise" gateway, eliminating the need for VPN and jump servers, while still maintaining a secure and segregated setup.

What is a cloud gateway?

A cloud gateway is a centrally managed, cloud-based network access point that securely routes traffic between users, cloud services, and internal resources. It acts as an intermediary, enforcing security policies, authentication, and traffic filtering while eliminating the need for traditional VPNs.

What is an on-premise gateway?

An on-premise gateway is an internal security appliance or software-based solution that enables secure, controlled access to internal corporate resources from external or remote locations.

Unlike a cloud gateway, an on-premise gateway resides within the organization's network perimeter, providing greater control over security, performance, and compliance.

Why deploy one?

An on-premise gateway is a good option if you already have one or more gateways in your environment.

Other common use cases for deploying an on-premise gateway:

  1. Secure internal application access: Employees or third-party vendors need to securely access on-premise applications without exposing them to the internet.

  2. Regulatory compliance: Organizations handling sensitive data (e.g., financial, healthcare, defense) must enforce strict security policies and data localization.

  3. Air-gapped networks: Industries like defense, manufacturing, and critical infrastructure require isolated network access that avoids direct cloud exposure.

  4. High-performance remote work: Low-latency access to local servers and applications for performance-critical tasks.

The following table summarizes the differences between the two gateway types.

Feature

Cloud Gateway

On-Premise Gateway

Connectivity

Traffic routed via cloud host’s global network

Securely routes traffic within the internal network

Data Storage

Cloud-hosted

Local/on-premise storage options

Security Model

Cloud-based security policies

Local security enforcement with internal controls

Network Dependency

Relies on cloud host’s infrastructure

Functions within LAN, can operate offline for local access

Performance

Cloud host-optimized

Direct internal traffic routing, lower latency

Prerequisites

In order to use the full power of Unattended Access, there are a number of requirements, listed under the following headings:

Your data is stored in a data center that is located in one of two geographic locations - one in Europe and one in the USA.

To determine your data center, go to page Tenant Settings > API Keys in the portal and check which API prefix is shown under About API Keys. The API prefix will be one of the following:

  • https://dc1api.adminbyrequest.com   (Europe)

  • https://dc2api.adminbyrequest.com   (USA)

Make a note of your prefix - among other things, this is the domain used when an API Key is created.

You can also see your API prefix on the API web pages (e.g. Public API > Auditlog API). However, a small script runs in the background that determines to which data center you are attached, so JavaScript must be enabled in your browser for this to work.

  • Access to the portal at https://www.adminbyrequest.com/Login

  • Admin By Request for Windows 8.4.0+ on each client

  • Admin By Request API - port 443 for the following:

    • api1.adminbyrequest.com (if your data is located in Europe)

    • api2.adminbyrequest.com (if your data is located in the USA)

    • api.adminbyrequest.com

  • Outbound MQTT broker connectivity via Websockets- port 443 for the following:

    • If your data is located in Europe:
      ten nodes (FastTrackHubEU1.azure-devices.net to FastTrackHubEU10.azure-devices.net)

    • If your data is located in the USA:
      ten nodes (FastTrackHubUS1.azure-devices.net to FastTrackHubUS10.azure-devices.net)

  • Cloudflare connectivity:

  • The endpoint needs to be enrolled with an Admin By Request Secure Remote Access license (see Product Enrollment).

  • For Windows endpoints, RDP needs to be enabled on port 3389 on each device.

  • Access to pull Docker images from adminbyrequest.azurecr.io

  • Admin By Request API - port 443 for the following:

    • connectorapi1.adminbyrequest.com (if your data is located in Europe)

    • connectorapi2.adminbyrequest.com (if your data is located in the USA)

  • Outbound MQTT broker connectivity via Websockets- port 443 for the following:

    • If your data is located in Europe:
      ten nodes (FastTrackHubEU1.azure-devices.net to FastTrackHubEU10.azure-devices.net)

    • If your data is located in the USA:
      ten nodes (FastTrackHubUS1.azure-devices.net to FastTrackHubUS10.azure-devices.net)

  • Cloudflare connectivity:

  • In order for the on-premise gateway to be able to discover devices on the network, these need to be available to the gateway on ports 3389 (RDP), 22 (SSH) or 5900/5901 (VNC).

A further prerequisite applies to Vendor Access, where SSO must be enabled for each user who will login to the Vendor Access  page (https://access.work).

How does Unattended Access work?

Architecture

The idea behind Unattended Access is to allow users to connect to your remote endpoints using nothing but their browsers.

In order to achieve this, the browser creates a Secure WebSocket connection to a Docker-based gateway, hosted either in your own infrastructure (self-hosted) or as a managed service.

The connection is made via a secure Cloudflare tunnel, as shown in the following diagram:

The gateway comprises three different images:

  • Connector
    Handles validation and translation of the data between the portal and the proxy container, as well as managing logs, health checks and other data.

  • Proxy
    Establishes a protocol connection between Admin By Request and your endpoint using either RDP, SSH or VNC.

  • Discovery
    Handles automatic discovery of connectable devices running on the same network as the gateway.

Process

The process by which a user establishes an unattended access session is:

  1. The user initiates a connection from the Admin By Request Portal.

  2. The Admin By Request client on the unattended endpoint receives an instruction from the MQTT Broker to fetch settings using the Admin By Request API.

  3. The settings response instructs the Admin By Request client to open a Cloudflare Tunnel by making an outbound UDP call on port 7844 using the QUIC Protocol.

  4. The Gateway is instructed to forward the RDP, SSH or VNC connection through the tunnel opened by the endpoint.

  5. A secure WebSocket connection is established between the user's browser and the Gateway. The response stream from the RDP, SSH or VNC connection is routed back to the browser using this secure connection.

The process is illustrated in the following diagram:

What next?

As well as outlining how to get started with Unattended Access, this article describes the customization options available and provides reference documentation for various settings that can be changed in the portal.

The next section covers licensing endpoints for Secure Remote Access via Product Enrollment. After that, Getting Started lists the initial steps for enabling Unattended Access, followed by the steps required for a managed cloud service, and then the steps required for a self-hosted implementation.