Unattended Access Overview

What is Unattended Access?

Unattended Access is a feature of Secure Remote Access that lets you connect remotely to your servers and network endpoints directly from your browser. It uses many of the well-known Admin By Request features, such as inventory, audit log, settings and sub-settings, approval flows and integrations.

The implementation of Unattended Access can use either a "Cloud" or an "On-premise" gateway, eliminating the need for VPN and jump servers, while still maintaining a secure and segregated setup.

This document covers getting started with Product Enrollment, Unattended Access and Vendor Access. It also describes key settings that can be administered from the portal.

Prerequisites

To use the full power of Unattended Access, the following requirements must be met:

Using Cloud gateway (managed service)
  • Access to the portal at https://www.adminbyrequest.com/Login

  • Admin By Request for Windows 8.4.0+ on each client

  • Admin By Request API - port 443 for the following:

    • api1.adminbyrequest.com (if your data is located in Europe)

    • api2.adminbyrequest.com (if your data is located in the USA)

    • api.adminbyrequest.com

  • Outbound MQTT broker connectivity via WebSockets - port 443 for the following:

    • FastTrackHubEU1.azure-devices.net (if your data is located in Europe)

    • FastTrackHubUS1.azure-devices.net (if your data is located in the USA)

  • Cloudflare connectivity:

  • The endpoint needs to be enrolled with an Admin By Request Secure Remote Access license (see Product Enrollment).

  • For Windows endpoints, RDP needs to be enabled on port 3389 on each device.

Using On-premise gateway (self-hosted)
  • Access to pull Docker images from adminbyrequest.azurecr.io

  • Admin By Request API - port 443 for the following:

    • connectorapi1.adminbyrequest.com (if your data is located in Europe)

    • connectorapi2.adminbyrequest.com (if your data is located in the USA)

  • Outbound MQTT broker connectivity via WebSockets - port 443 for the following:

    • FastTrackHubEU1.azure-devices.net (if your data is located in Europe)

    • FastTrackHubUS1.azure-devices.net (if your data is located in the USA)

  • Cloudflare connectivity:

  • For the on-premise gateway to discover devices on the network, the devices must be reachable from the gateway on ports 3389 (RDP), 22 (SSH) or 5900/5901 (VNC).

Using Vendor Access

A further prerequisite applies to Vendor Access, where SSO must be enabled for each user who will log in to the Vendor Access page (https://access.work).
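The outbound port 443 requirements in the Cloud and On-premise lists above can be checked from an endpoint or gateway host before rollout. The following is an added example, not an Admin By Request tool; the function names are hypothetical, and port 443 for the container registry is an assumption, since the page gives no port for it.

```python
import socket
import ssl

# Hostnames are taken from the Prerequisites lists above; the Cloudflare
# hosts are not listed on the page, so they are not checked here.
HOSTS = {
    "cloud": {
        "EU": ["api1.adminbyrequest.com", "FastTrackHubEU1.azure-devices.net"],
        "US": ["api2.adminbyrequest.com", "FastTrackHubUS1.azure-devices.net"],
        "any": ["api.adminbyrequest.com"],
    },
    "onprem": {
        "EU": ["connectorapi1.adminbyrequest.com", "FastTrackHubEU1.azure-devices.net"],
        "US": ["connectorapi2.adminbyrequest.com", "FastTrackHubUS1.azure-devices.net"],
        # Assumption: image pulls from the registry use HTTPS on port 443.
        "any": ["adminbyrequest.azurecr.io"],
    },
}

def required_hosts(gateway, region):
    """Return the hosts that must be reachable on 443 for this deployment."""
    table = HOSTS[gateway]
    return table[region] + table["any"]

def tls_probe(host, port=443, timeout=5.0):
    """Resolve, connect and complete a verified TLS handshake; return (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Often a TLS-inspecting proxy presenting its own certificate.
        return False, f"certificate rejected: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:  # DNS failure, refused, timeout, reset
        return False, f"{type(exc).__name__}: {exc}"

def preflight(gateway, region, probe=tls_probe):
    """Probe every required host; return {host: (ok, detail)}."""
    return {h: probe(h) for h in required_hosts(gateway, region)}

if __name__ == "__main__":
    results = preflight("cloud", "EU")
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:443  {detail}")
    raise SystemExit(0 if all(ok for ok, _ in results.values()) else 1)
```

A successful handshake shows that DNS, routing and TLS are in place for a host; it does not exercise the WebSocket upgrade used for the MQTT connection.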

How does Unattended Access work?

The idea behind Unattended Access is to allow users to connect to your remote endpoints using nothing but their browsers.

In order to achieve this, the browser creates a Secure WebSocket connection to a Docker-based gateway, hosted either in your own infrastructure (self-hosted) or as a managed service.

The connection is made via a secure Cloudflare tunnel, as shown in the following diagram:

The gateway comprises three different images:

  • Connector
    Handles validation and translation of the data between the portal and the proxy container, as well as managing logs, health checks and other data.

  • Proxy
    Establishes a protocol connection between Admin By Request and your endpoint using either RDP, SSH or VNC.

  • Discovery
    Handles automatic discovery of connectable devices running on the same network as the gateway.

What next?

As well as outlining how to get started with Unattended Access, this article describes the customization options available and provides reference documentation for various settings that can be changed in the portal.

The next section covers licensing endpoints for Secure Remote Access via Product Enrollment. After that, Getting Started lists the initial steps for enabling Unattended Access, followed by the steps required for a managed cloud service, and then the steps required for a self-hosted implementation.