Getting Started with Unattended Access

How do I get started?

The very first thing is to make sure Unattended Access is turned on:

  1. To enable Unattended Access, log in to the Admin By Request portal and head over to SRA > Settings > Unattended Access Settings.

  2. Select Authorization in the left menu and, from the AUTHORIZATION tab, ensure that Allow Unattended Access  is turned On:

How do I setup a Managed Service?

A managed service  is a way of operating Unattended Access  so that your infrastructure allows an outbound connection to establish a secure tunnel from your respective endpoints and that these have the Admin By Request endpoint client installed.

Using Admin By Request's Managed Service for Unattended Access is the default. If you decide on this option when first enabling Unattended Access, no configuration is required; all you need to do is:

  1. Ensure your endpoints have the Admin By Request endpoint client installed.

  2. Connect to an endpoint (see below).

If this is not the first time enabling Unattended Access and you have previously configured an on-premise gateway, the following tasks are needed to setup a managed service using a Cloudflare tunnel:

    1. Ensure that your endpoints have the Admin By Request endpoint client installed

    2. In the portal, go to SRA > Settings > Unattended Access Settings.

    3. Select the Gateways  menu and, from the CLOUD tab, ensure that Allow cloud gateway is On:

    NOTE:

    The CLOUD tab becomes visible only when an on-premise gateway is created. If no on-premise gateway exists, Unattended Access will use the managed service option, which is enabled by default and requires no configuration.

    Configuring an on-premise gateway means disabling the cloud gateway (see How do I setup a Self-hosted Implementation?) which is why the CLOUD tab becomes available when a gateway is created.

    That’s it. The Admin By Request agent will now attempt to establish a secure tunnel via an outbound call - allowing connections directly via the managed gateway.

  2. NOTE:

    In order to allow Admin By Request to connect to your endpoints, they need to allow traffic on the following ports:

    • RDP - 3389

    • SSH - 22

    • VNC - 5900 and 5901

    1. From the portal, head over to your Inventory and make sure you're in the Secure Remote Access view. Select an endpoint with the Admin By Request client installed:

    2. Click the Remote link for this endpoint, enter User name  and Password  and click Connect:

    After a few seconds, the connection appears directly in your browser.

How do I setup a Self-hosted Implementation?

A self-hosted implementation  means that you run Unattended Access  on-premise inside your own infrastructure, including the ability to run Docker containers. To establish a secure tunnel, your infrastructure must also allow outbound connections to Cloudflare.

The following tasks are needed to setup a self-hosted implementation:

    1. Ensure that your endpoints have the Admin By Request endpoint client installed.

    2. In the portal, go to SRA > Settings > Unattended Access Settings.

    3. Select the Gateways menu and, from the CLOUD tab, ensure that Allow cloud gateway is Off:

    4. Click Save if making changes.

    1. In the portal, from the Gateways menu, select the ON-PREMISE tab. This shows the current gateways for your tenant:

    2. Click Add New, followed by Save. This will create a new Gateway with the default name Gateway 1:

    3. Click the words Install gateway. This displays a view that allows access to the Docker compose file used for the installation:

      The Docker compose file contains all the information necessary to orchestrate the Docker containers required to make Unattended Access work.

    4. Click Copy YML to clipboard to copy the Docker compose file to your clipboard.

    5. Add a new docker-compose.yml file to your Docker host, paste in the content and run the following command:

      Copy 
      sudo docker compose up -d

      This will spin up the containers and communicate back to the Admin By Request portal with all of the necessary information. Furthermore, a secure tunnel will be initiated between Cloudflare and the Connector container.

  3. NOTE:

    In order to allow Admin By Request to connect to your endpoints, they need to allow traffic on the following ports:

    • RDP - 3389

    • SSH - 22

    • VNC - 5900 and 5901

    1. From the portal, head over to your Inventory and make sure you're in the Secure Remote Access view. Select an endpoint with the Admin By Request client installed:

    2. Click the Remote link for this endpoint, enter User name  and Password  and click Connect:

    After a few seconds, the connection appears directly in your browser.

Upgrading Unattended Access On-Premise (Self-hosted)

An environment variable was introduced from version 2.0.9 that needs to be present in order for your gateway to function properly. The variable is called AUTH__TOKEN and, if missing in your environment, you can add it to your Docker setup to enable the next docker compose pull to complete successfully.

AUTH__TOKEN needs to be set for all three images: Connector, Proxy and Discovery. The value of the AUTH__TOKEN variable can be anything you choose - it just needs to be the same across the different services. We recommend setting it to a UUID value or something of similar complexity.

In the case of a Docker compose file, the change would look like this:

Once these changes have been made, you can run the following commands (in order):

Copy 
sudo docker compose pull
sudo docker compose up -d

This will spin up the containers using the new image and the newly added AUTH__TOKEN variable.

NOTE:

If you spin up a new gateway using the portal, you will not need to change anything manually. The required changes will be incorporated into the docker compose file generated by the portal.

Discovery

When using the self-hosted on-premise setup, the Discovery module is also available. The Discovery module automatically looks at the current network in which it is running and reports findings back to the portal about endpoints responding on ports 3389, 22 or 5900/5901.

This gives you the advantage of not having to manually map endpoints that are not running the Admin By Request endpoint client. This also has the benefit of mapping your network(s) automatically to your Admin By Request inventory, allowing you to connect to agent-less devices like routers, firewalls etc.

Refer to Configuring Discovery for more information on Discovery.