Remote Control
[ updated May 8, 2020, 11:26 AM ]
“Context -
This was basically the perfect storm. We had just upgraded Ivanti EPM to 2019.3 SU3 and Remote Control now required a tunnel on the CSA which had to be rebuilt from scratch. In addition our Zero Trust required some finessing to get it to cooperate. All of this while most of the company immediately transitioned to working from home. ”
So this was one interesting journey. It finally seems we now have some consistency. Lets see if we can get you working.
Terminology
CSA (Cloud Service Appliance) - This system is used to facilitate communication between the internal core server and external clients. This broker allows us to execute packages / patches / remote control.
UNC (Universal Naming Convention) - A way to identify a shared file in a computer without having to specify (or know) the storage device it is on.
Remote Control Tunnel - A new requirement typically assigned to the CSA to allow remote control.
Remote Control Consent - A policy setting that requires the user to "grant access" to the requester. If the user is not logged in or is not available the request will fail.
Requirements
Client Connectivity Policy
RCviewer.exe (The RcViewer app can be located in the Managementsuite dir and can be copied to any other machines to run on its own). / Ivanti Console
Process
Before we get started, I wanted to let you know that my preference is to use the stand alone portable vs. the console. Response time is improved. Regardless of how these are started; both will default to the RCViewer executable.
Requestor
Upon execution of the RCViewer process you will be taken to the following screen below. Leave the Security Model as is. Update the Core and Credentials. This is important - Login with your Ivanti Credentials. Do not use the credential of the domain or workgroup machine you target. Authentication is facilitated by the Ivanti agent.
Requestor
Authentication
This will introduce a list of systems in Ivanti that you are scoped for (devices you can see in the console). In addition you can filter this list by Display Name / Owner / IP Address. This will only show the first 100.
Lets narrow our focus by using the Search Bar to find our next victim. Click Connect.
Upon doing so you will see the following while we Request permission from the user. Remote Control Consent (policy dependent) is required of the user. If the user grants Consent, we will be connected. If the user is not logged in or unavailable, the process will time out.
User
On the Users end they will see the following from the Requester.
In addition, a persistent notification will be shown while the session is in progress.
Experience
After connected, you can see some additional abilities such as File Transfer and Remote Execute.
Another interesting feature is when Dual Monitors are involved. Selecting the Virtual Monitor allows you to choose a display.
Or both!
Frequently Asked Questions
Q - Can I connect to a system that's off of the company’s network / VPN?
A - Yes...the tool is designed to work inside and outside of the company’s networks.
Q - I am doing a test and have logged in to the target using RDP. I am unable to see any request, why is this?
A request will be shown when you have console access / session 0 only.
Q - Are there any useful tools / steps to use when troubleshooting connectivity?
A - Yes...take note of the following:
Landesk Services - Powershell (elevated) restart-service "*landesk*"
Kill the softmon.exe process (it will restart itself which is ok)
Verify Connectivity - "C:\Program Files (x86)\LANDesk\LDClient\BrokerConfig.exe"
Telnet <CSA IP> 44345 / check for error
Delta Inventory - "C:\Program Files (x86)\LANDesk\LDClient\ldiscn32.exe" /mini
Policy Sync - "C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe"
Policy Rebuild - "C:\Program Files (x86)\LANDesk\LDClient\vulscan" /changesettings