A Guide to Managing Remote Users
Helpdesk Support
April 10, 2000
By John Shireley
Supporting an individual remote or mobile end user often requires more of your precious time than supporting a regular LAN user. Remote users tend to have unusual and hard-to-reproduce problems, and they require serious amounts of planning and post-deployment support, especially the highly mobile ones. Here are some suggestions for planning your helpdesk approach. Coordinate after-hours operations and broaden the areas of expertise of your staff: they should be trained in troubleshooting the endless ambiguities of modem and telco switch problems. Additionally, you will not always be able to use many of the traditional tools, such as desktop management or remote-control software. Remember, if the users can't get to you, you can't get to them!
If you're in an outsourcing relationship, you can have the outsourcer provide much of the actual connectivity portion of support for your users. They're not going to be able to handle every piece of equipment or software configuration that's available, but by working with them in advance you'll be able to determine what they can and cannot support efficiently. Standardizing on equipment and applications will greatly increase how much you can demand of your outsourcing partner.
Investigate third-party helpdesk software if you're not already using it. Such applications can be immensely useful and time-saving. This software also can help you track individual problems as well as trends that might point to a more centralized cause, such as an authentication server occasionally failing or a router flapping. Once you've got a good knowledge base going, it will help you and your staff remember obscure troubleshooting procedures. The good ones are expensive, but if you're dealing with a large remote user base, the cost is more than justified. Obviously, installing an expensive helpdesk application won't be very cost-effective if you're only using it to support your remote users. Consider your remote users' support needs versus your total support effort before deployment. The larger your IT support burden (and managing remote users will certainly increase it!), the more a centralized trouble-ticket distribution and tracking system will make sense for you.
Outsourcing
Finally, consider outsourcing whatever you can unless you have a very large IT department with plenty of technicians and an abundance of free time. The benefits of outsourcing your remote user management and support can greatly outweigh the costs in most cases. Outsourcing will save you both time and money at initial deployment as well as in the future. Good outsourcing firms will handle all necessary equipment upgrades, as well as maintain your existing equipment. They contact circuit vendors and handle many of the other headaches we've discussed here. This is their area of expertise.
Choosing the right company to partner with can be very rewarding, but always remember that you're outsourcing part of your access infrastructure, not your policies on its usage. You determine those policies, so stick to your guns when developing a strategy with them, and be very proactive about your partnership. Choosing an outsourcing partner can be a daunting task, but if you apply the same principles you use when choosing your other vendors, you usually can't go wrong. Check previous and existing client references. Find out whether they support other networks similar to yours in size and scope, with a number of remote users comparable to the one you're planning to support. Investigate their helpdesk options and their flexibility in providing custom support if you have unusual requirements. Terminating a relationship with an outsourcing partner can be very painful, so make sure it is the right one for you.
Security Concerns
We all know how important security is to our networks, but when dealing with the management of remote users you especially need to plan ahead. Remember to balance the elements of a secure networking environment against convenience to your users and the cost to your organization. It is virtually impossible to have the best of all three, so concentrate on your top two and do your best with the third. The most secure options available are not going to be convenient to end users and are expensive in terms of support and resources. The most convenient options for users are usually inexpensive, but do not provide sufficient security. If you don't require your end users to authenticate with passwords when accessing your network, it will be very convenient for them and inexpensive for you, and it will leave the network open to anyone who finds the access number. If you have a complicated security policy with varying levels of password requirements and exotic hardware, access to your network is now more secure but also less convenient and certainly more costly in terms of resources.
For your mobile or dial-in users, the level of security and complexity is going to increase sharply with larger populations. If you're only supporting one mobile user, you can get by with one point of entry for your network (a modem or ISDN TA hanging off a server, for instance). This sort of option is usually available with your server's NOS install options at no additional cost, whether it's Novell, NT or Linux. Cost-effectiveness is one of the most compelling reasons (performance impact issues aside) for instituting a NOS-based remote-access solution, as it lets you maximize your existing investments. But there are other good reasons as well, such as a shallower learning curve than installing a dedicated terminal server or adding auxiliary authentication devices, such as TACACS or RADIUS servers, into the mix. Remember, though, that even a single modem on a server is an entry point into your network: give it the same authentication, logging and patching attention you would give a dedicated access server.
An important component of security is implementing good virus protection. An infected system can spread chaos throughout your network, effectively performing a successful denial-of-service attack and providing additional opportunities to would-be attackers. Whether you deploy server- or client-level protection, make sure that your policies are adhered to as closely as the rest of your security dictums and that your virus protection is absolutely pervasive. One weak link in the chain is all it takes to break it.
An additional, and sometimes overlooked, component is the physical security of your roving users' laptops. Many of your users simply aren't aware that if their systems are stolen or used by an unauthorized person, they constitute a major breach of your security. Cached passwords, crypto keys and other credentials can fall into the wrong hands. Your users need to protect their systems and treat them for what they are: potential access points to your corporate network and sensitive files, literally the keys to the kingdom. You should strongly consider and encourage local file and access encryption, as well as implement desktop-level firewalling. Some excellent personal firewall products have appeared in the past few years that offer features for protecting your users against a security problem they may not have conceived of: someone hacking into their notebooks or desktops while they're connected to the Internet.
Managing and supporting remote users who access your network via the Internet also presents some unique challenges. These include obstacles not encountered in direct-dial approaches, such as carrying your traffic over a public network and securing both its transit and its sending and receiving ends. There are several means of achieving a secure environment for them (and you) that fall into two broad categories: hardware and software.
Hardware solutions typically require a fixed location, and essentially consist of "black box" technology that boils down to proprietary (or semiproprietary) devices using encryption schemes for exchanging secure traffic between two or more remote locations, usually over WAN links. They can also consist of matching pairs of equipment that use more standard or well-known mechanisms such as IPsec.
One of the primary advantages of using a strictly hardware-based solution for a single at-home user or a small remote office is that generally there are no configuration changes or client software that need to be loaded on each workstation, assuming the workstation isn't portable. More about this technique for a remote network is covered in the section below, but supporting a single remote user can be done under similar conditions. The hardware (in most cases, a router) sits between the remote host and your network, connecting to the host on one interface (usually Ethernet) and to the connectivity device (usually an analog or cable modem, ISDN TA or other device) on the other. The hardware solution performs all the work, and essentially remains invisible to the client. However, any form of encryption adds overhead to a connection. Once again we have the convenience-versus-expense-versus-security equation. Encryption generally requires you to concede either some speed or some bucks to buy a bigger pipe, unless your needed throughput is relatively trivial. Larger broadband connection types (where throughput is faster) are more affected because of the increased amount of traffic being processed. Another benefit of hardware-based encryption/security devices, as far as TCP/IP connectivity is concerned, is that they are absolutely platform-independent and don't care what kind of client you hang on them.
Make sure that any hardware solutions you consider support central management. Some firewalls do not allow access from their "external" (public) interface, and once in place can't be managed from the outside. That is usually the right default; plan to manage them through the encrypted tunnel or a separate management channel rather than opening administrative ports on the public side. Several features that may become important to you later on are support for SNMP (for inclusion in network monitoring efforts), logging to a standard format such as syslog, and multiple configuration interfaces for console-level access, including telnet (which sends credentials in the clear, so prefer SSH or confine telnet to the management channel where the device allows it). GUI management tools can be useful, but often the more "down and dirty" text-based console/shell access gives you more granular control.
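The trend-spotting mentioned in the helpdesk section (an authentication server occasionally failing, a router flapping) is exactly what syslog output from your access devices lets you automate. The following is an added example, not code from the article or from any vendor: a small Python script that parses constructed, BSD-style syslog lines (the hostnames, addresses, interface names and message formats are all invented for the example) and flags links whose up/down transitions cluster inside a short window, and RADIUS servers that are repeatedly reported unreachable. Thresholds and the window size are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines for the example (not from any real device).
# The message formats mimic what a remote-access router and a RADIUS daemon
# might emit, but every host, address and interface name is made up.
SAMPLE_LOG = """\
Apr 10 02:13:44 ras1 radiusd[812]: RADIUS server 10.1.1.20:1812 not responding, trying 10.1.1.21
Apr 10 02:13:51 ras1 radiusd[812]: user jdoe authenticated via 10.1.1.21
Apr 10 02:20:05 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to down
Apr 10 02:20:17 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to up
Apr 10 02:21:02 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to down
Apr 10 02:21:40 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to up
Apr 10 02:22:09 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to down
Apr 10 02:22:30 ras1 %LINK-3-UPDOWN: Interface Serial0, changed state to up
Apr 10 03:02:10 ras1 radiusd[812]: RADIUS server 10.1.1.20:1812 not responding, trying 10.1.1.21
Apr 10 03:40:00 ras2 %LINK-3-UPDOWN: Interface Serial1, changed state to down
Apr 10 03:41:00 ras2 %LINK-3-UPDOWN: Interface Serial1, changed state to up
Apr 10 04:15:33 ras1 radiusd[812]: RADIUS server 10.1.1.20:1812 not responding, trying 10.1.1.21
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)")
RADIUS_RE = re.compile(r"RADIUS server (\S+) not responding")


def parse_syslog(text, year=2000):
    """Parse BSD-style syslog lines into (timestamp, host, message) tuples.
    Classic syslog omits the year, so the caller supplies it (2000 assumed here)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # ignore anything that is not a syslog line
        stamp, host, msg = m.groups()
        month, day, clock = stamp.split()
        ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append((ts, host, msg))
    return events


def find_flapping_links(events, window=timedelta(minutes=5), min_transitions=4):
    """Return {(host, interface): peak transition count} for links whose
    up/down transitions inside any `window` reach `min_transitions`."""
    transitions = defaultdict(list)
    for ts, host, msg in events:
        m = LINK_RE.search(msg)
        if m:
            transitions[(host, m.group(1))].append(ts)
    flapping = {}
    for link, times in transitions.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_transitions:
                flapping[link] = max(count, flapping.get(link, 0))
    return flapping


def find_failing_auth_servers(events, min_count=3):
    """Return {server: count} for RADIUS servers reported unreachable
    at least `min_count` times in the parsed period."""
    counts = defaultdict(int)
    for _, _, msg in events:
        m = RADIUS_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return {srv: n for srv, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    evts = parse_syslog(SAMPLE_LOG)
    print("flapping links:", find_flapping_links(evts))
    print("failing auth servers:", find_failing_auth_servers(evts))
```

On the constructed input, Serial0 on ras1 shows six transitions in under three minutes and is reported as flapping, while the single down/up pair on ras2 is not; the RADIUS server at 10.1.1.20 is reported three times and is flagged. Feeding the same functions a day's worth of real syslog from your access router turns "users keep calling about drops" into a specific device and time range to hand to the circuit vendor.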
Alternatively, you can use software-based encryption and authentication solutions. These are usually found in the form of a client application that must be installed on the remote host, together with either a hosting server application or a hybrid that has a client software component and a dedicated hardware device (usually a router or firewall). A good resource can be found at:
For example, you could configure something like an IPsec-compliant VPN client on a remote workstation, and configure the complementary service on the access router at your central network site. Bear in mind that you shouldn't do this behind a router or firewall that is performing NAT: the address rewriting breaks the IPsec connection, because AH authenticates the packet's source address, and IKE identities and transport-mode checksums no longer match what the peer sees. (IPsec NAT traversal, which encapsulates ESP in UDP, addresses this; confirm that both ends support it before you rely on it.) Configuring the client is usually straightforward once you've worked with the software vendor and ironed out all of the wrinkles before deployment on a user's system. Configuring, managing and maintaining the client largely depend on how the vendor has written the installation and loading portions. Make sure you thoroughly familiarize yourself with the software so that you will be able to troubleshoot effectively in the event of a problem. This secure tunnel allows traffic to cross a public network, such as the Internet, in a protected manner. Unfortunately, very few vendors provide client licensing for more than a few OS platforms. Until standards like IPsec receive wider acceptance and improve on the interoperability issues they've been struggling with, you'll want to test the clients for all the platforms you expect to be using before choosing a vendor.
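To make the NAT problem concrete, here is an added example (my own simplified model in Python, not code from the article or from any IPsec vendor) of why a NAT gateway rewriting the source address breaks an AH packet's integrity check but not an ESP packet's. The headers are minimal: the IPv4 checksum is left at zero, the ESP trailer is omitted, ESP-NULL (no encryption) is used so the bytes stay readable, and the ICV is HMAC-SHA1 truncated to 96 bits. The SA key and all addresses are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed key for the example; a real security association gets its keys from IKE.
SA_KEY = b"example-sa-key-not-for-real-use"
ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
IPPROTO_AH, IPPROTO_ESP, IPPROTO_UDP = 51, 50, 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at zero (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def ah_authenticated_view(ip_hdr):
    """AH computes its ICV over the IP header with the fields that legitimately change
    in transit (TOS, TTL, header checksum) zeroed. The addresses are NOT among them,
    which is exactly why a NAT rewrite invalidates the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0              # TOS / DSCP
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h)


def ah_packet(src, dst, payload, spi=0x1000, seq=1):
    """IP | AH(next hdr, len, reserved, SPI, seq, ICV) | payload."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, spi, seq)  # len 4 = 24 bytes/4 - 2
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, len(ah_fixed) + ICV_LEN + len(payload))
    data = ah_authenticated_view(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    icv = hmac.new(SA_KEY, data, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(pkt):
    """Receiver side: recompute the AH ICV over the header it actually received."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    data = ah_authenticated_view(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    expected = hmac.new(SA_KEY, data, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_packet(src, dst, payload, spi=0x2000, seq=1):
    """IP | ESP(SPI, seq) | payload | ICV. The ICV covers only the ESP header and
    payload, never the outer IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(SA_KEY, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(payload) + ICV_LEN)
    return ip_hdr + esp_hdr + payload + icv


def verify_esp(pkt):
    """Receiver side: the outer IP header (pkt[:20]) is not part of the check."""
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(SA_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_source(pkt, new_src):
    """What a NAT gateway does on the way out: replace the source address
    (a real NAT also recomputes the IP checksum, which is zero in this model)."""
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]


def demo():
    """Build one AH and one ESP packet from a private address, push both through
    the constructed NAT, and report which integrity checks still pass."""
    msg = b"hello from the remote user"
    ah = ah_packet("192.168.1.10", "203.0.113.5", msg)
    esp = esp_packet("192.168.1.10", "203.0.113.5", msg)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "198.51.100.7")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The AH packet fails verification the moment the NAT changes the source address; the ESP packet's ICV survives. That does not make ESP NAT-proof on its own: in transport mode the TCP/UDP checksum inside the protected payload still covers the original addresses, IKE on UDP port 500 sees a peer address that does not match the negotiated identity, and several clients behind one NAT collide on the same outside address. Those are the problems UDP encapsulation (NAT traversal) was later defined to solve, so the practical rule for the client software described above remains: test the exact client-plus-gateway combination through the NAT you will actually deploy behind.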