Getting Started with Unattended Access

How do I get started?

The very first thing is to make sure Unattended Access is turned on:

  1. To enable Unattended Access, log in to the Admin By Request portal and head over to SRA > Settings > Unattended Access Settings.

  2. Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access  is turned On:

How do I setup a Managed Service?

A managed service  is a way of operating Unattended Access  so that your infrastructure allows an outbound connection to establish a secure tunnel from your respective endpoints and that these have the Admin By Request endpoint client installed.

Using Admin By Request's Managed Service for Unattended Access is the default. If you decide on this option when first enabling Unattended Access, no configuration is required; all you need to do is:

  1. Ensure your endpoints have the Admin By Request endpoint client installed.

  2. Connect to an endpoint (see below).

If this is not the first time enabling Unattended Access and you have previously configured an on-premise gateway, the following tasks are needed to setup a managed service using a Cloudflare tunnel:

How do I setup a Self-hosted Implementation?

A self-hosted implementation  means that you run Unattended Access  on-premise inside your own infrastructure, including the ability to run Docker containers. To establish a secure tunnel, your infrastructure must also allow outbound connections to Cloudflare.

The following tasks are needed to setup a self-hosted implementation:

Upgrading Unattended Access On-Premise (Self-hosted)

An environment variable was introduced from version 2.0.9 that needs to be present in order for your gateway to function properly. The variable is called AUTH__TOKEN and, if missing in your environment, you can add it to your Docker setup to enable the next docker compose pull to complete successfully.

AUTH__TOKEN needs to be set for all three images: Connector, Proxy and Discovery. The value of the AUTH__TOKEN variable can be anything you choose - it just needs to be the same across the different services. We recommend setting it to a UUID value or something of similar complexity.

In the case of a Docker compose file, the change would look like this:

Once these changes have been made, you can run the following commands (in order):

Copy
sudo docker compose pull
sudo docker compose up -d

This will spin up the containers using the new image and the newly added AUTH__TOKEN variable.

NOTE:

If you spin up a new gateway using the portal, you will not need to change anything manually. The required changes will be incorporated into the docker compose file generated by the portal.

Discovery

When using the self-hosted on-premise setup, the Discovery module is also available. The Discovery module automatically looks at the current network in which it is running and reports findings back to the portal about endpoints responding on ports 3389, 22 or 5900/5901.

This gives you the advantage of not having to manually map endpoints that are not running the Admin By Request endpoint client. This also has the benefit of mapping your network(s) automatically to your Admin By Request inventory, allowing you to connect to agent-less devices like routers, firewalls etc.

Refer to Configuring Discovery for more information on Discovery.