Just try handling the forgotten passwords and accidental email deletions of two dozen small businesses and get a full night of sleep. Companies that have never had IT support and suddenly find themselves with a Small Business Server 2003 machine and the technology services of an enterprise are quick to call upon their VAR or consultant to answer questions about every little oddity. I should know; I recently spent one week implementing Windows Server 2003, Exchange Server 2003, and SQL Server 2000 for a customer who needed to get a custom LOB app up and running. The following two weeks consisted of three or four calls per day.
Perhaps it wouldn’t have been so bad if the customer was local. Instead, he was 300 miles away—far enough for an eight-hour round-trip drive. And while I don’t mind getting paid for time in the car, getting up at 3:00 AM and returning at 10:00 PM is enough to wipe out an entire day from exhaustion. Clearly, there has to be a better way to service a customer than driving back and forth, local or not.
The answer is remote management. Controlling a server, and the client machines under it, from a distance makes it possible to deliver IT capabilities to customers all over the world without interacting in person. Naturally, the efficiency of remote management saves significant time and financial resources on both sides of the partnership. And while remote management doesn’t completely negate the importance of periodic lunch meetings, it sure helps facilitate smoother troubleshooting and more accessible monitoring.
Of course, there are some limitations to what you can do with remote management. If one drive in a RAID 1 mirror decides to fail, nothing less than a complete hardware replacement will assuage the issue. Should you require a SCSI controller BIOS update and lack management support outside of Windows, you’ll again need to make the trip to do the upgrade. Remote management isn’t an end-all to field calls or an invitation to add an extra handful of jobs to an already-taxed technician’s workload. Rather, it provides one way to save your customers money, reduce travel time, expand your business’s reach, and ensure more of the hours you do have to spend are billable.
Remote Management Under Your Nose
Believe it or not, if you’ve recently deployed Small Business Server 2003 or Windows Server 2003, the tools to access and control that machine from a remote location are available free of cost. They’re extremely powerful, too. So long as you’ve enabled Remote Desktop for Administration and are using a Windows XP Professional system to reach the server, accessing the necessary application is as easy as clicking the Start button, expanding Programs, Accessories, Communications, and selecting Remote Desktop Connection.
With a Terminal Services connection established, Microsoft offers you the ability to graphically administer Windows Server 2003 (and 2000) systems from Windows XP and OS X. Microsoft actually supports several other client operating systems but through third-party add-ins, according to the company’s documentation. Each connection is configurable to account for low-bandwidth links and also supports remote disconnect to re-establish interrupted sessions. Using Remote Desktop for Administration, you’re able to upgrade a server’s operating system, reboot the machine, and modify domain controller status (not an issue in SBS 2003). It’s claimed that there’s no performance impact on the server and that there’s a provision for two administrators to log in and share a session collaboratively. Terminal Services gives you the flexibility to print locally and over a network, map clipboard functions (cut, paste, copy), redirect serial devices, and remotely install applications.
For an off-site administrator, the ability to control most vital server functions without having to pay for a third-party application is extremely valuable. And if you’ve ever shied away from offering a service package—solid recurring revenue—because of the perceived difficulties involved, you’re missing a golden opportunity as a VAR to address an actual need for which customers will willingly pay to have satisfied. Microsoft’s Remote Desktop feature is the easiest and most fundamental utility in your bag of tricks. Just watch how many folks marvel that you’re able to control their server securely from afar.
Built-In Remote Control: Microsoft enables every copy of Windows Server 2003 with remote administration and assistance features, allowing VARs to help SMB customers from afar.
Offering Assistance
When it comes time to address problems on workstation machines, remote management can get a little trickier. To begin, logging onto a client system as an administrator will generally boot whichever user is already authenticated, trashing their unsaved work in the process. Even then, it isn’t always possible to replicate problems, especially when they involve profile settings or access restrictions.
So while it’s possible to use Remote Desktop for Administration to log into the server and utilize the Terminal Services capability to manage a network computer, it’s often easier to use Remote Assistance, another built-in feature inherent to Windows Server 2003 and Windows XP Professional. Remote Assistance allows one computer to remotely view and take control over another desktop system. This interaction is initiated by either the administrator offering help or by the user requesting it. Windows Messenger is one avenue by which the invitation may be extended and Outlook Express is the other. Furthermore, Small Business Server 2003 provides its own means to offer help. The Computers menu within the Server Management window lists configured domain computers. Clicking on them one by one brings up a menu of options in the left-hand window pane. Selecting Offer Remote Assistance will allow an administrator to assume control while the user looks on.
According to Microsoft, Remote Assistance is disabled by default in order to preserve network security. To enable it on client workstations, right-click on My Computer and choose Properties. Click the Remote tab and check the boxes that say Turn on Remote Assistance and Allow Invitations to be Sent from This Computer. With a Remote Assistance session initiated, the client sees all of the administrator’s actions. The two can interact through a chat applet and files may be sent between the two systems through another button.
Security Best Practices
There’s naturally a reason that these administration features are disabled out of the box. Anyone who is able to access Terminal Services—especially on a machine that directly touches the Web—can control the server as if they were sitting right in front of it. Watch the smile on your customer’s face dissolve when he finds out he isn’t the only one with access to the new server investment.
One of the simplest ways to augment security is to enable strong password policies. Windows Server 2003 prompts you to do this several times anyway during remote access setup and Internet configuration, but the idea is that you want strong passwords (seven characters or more with a combination of uppercase, lowercase, and numeric entries). It’s also a good idea to change that password on a scheduled basis. I have run into resistance imposing all strong password criteria in businesses unaccustomed to heightened security measures, but, at the very least, lock down all admin privileges to keep server access minimal.
Third-Party Alternative: Symantec’s pcAnywhere performs many of the same functions as Microsoft’s bundled software, adding better encryption, conferencing support, and mobile access.
Another important step in protecting a remotely administered network is to properly configure the point of entry—in most cases, a hardware or software firewall. A Small Business Server 2003 box is potentially running several vulnerable services, including email on port 25, VPN on port 1723, Terminal Services on 3389, FTP on port 21, a Web site on port 80, and five or six other connected components. Closing unneeded ports, either through IIS 6.0 or ISA Server 2004, ensures traffic doesn’t permeate the network through vulnerabilities in each application, even if those vulnerabilities consist of brute-forced passwords.
Monitoring: Another Puzzle Piece
Management Hardware: HP’s Integrated Lights-Out card enables server control even when the power is off.
Understanding how to employ Remote Assistance and Remote Desktop for Administration is the first step in commanding a customer’s remote network. However, Matthew Sutton, CEO of HyBlue, Inc., says that the actual remote access package is only part of a larger management platform.
“VARs today are most often reactive when it comes to addressing customer issues. When there’s a problem, they get a phone call and scramble for a solution. When a predominant majority of communications center on fixing problems, relationships may be taxed.”
Monitoring provides the means to track security problems, potential hardware failures, and critical errors before they negatively impact availability. Windows Server 2003 features a comprehensive list of performance and usage logging capabilities to keep remote administrators up to speed on the health of networks under their care. By leveraging a combination of the Event Logs, the System Monitor, Microsoft’s Health Monitor 2.1, and Server Status Reports you can determine how heavily a server is being utilized, if the network is experiencing targeted attacks, and the success of daily backups. The initial setup process even allows the results of monitored events to be mailed out on a regular basis. The convenience of getting a daily report in your inbox makes it that much easier to set customers up with a regular service plan.
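The Event Log review described above, applied to the brute-forced-password risk noted earlier for Terminal Services, as an added example (not code from the article, Microsoft, or HyBlue): it counts failed Remote Desktop logons per source address in a sliding window. The CSV layout, addresses, timestamps, and thresholds are constructed assumptions; event ID 529 and logon type 10 are the Windows Server 2003 values for a bad-password failure and a Terminal Services logon.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a simplified CSV export of Security log entries
# (timestamp, event ID, logon type, account, source address). Not real data.
SAMPLE_LOG = """\
2004-11-02 02:14:01,529,10,Administrator,203.0.113.50
2004-11-02 02:14:09,529,10,Administrator,203.0.113.50
2004-11-02 02:14:15,529,10,admin,203.0.113.50
2004-11-02 02:14:22,529,10,backup,203.0.113.50
2004-11-02 02:14:30,529,10,Administrator,203.0.113.50
2004-11-02 02:14:41,529,10,Administrator,203.0.113.50
2004-11-02 08:31:12,529,10,jsmith,198.51.100.7
2004-11-02 08:31:40,528,10,jsmith,198.51.100.7
2004-11-02 09:05:00,529,2,receptionist,-
"""

FAILED_LOGON = "529"        # unknown user name or bad password
REMOTE_INTERACTIVE = "10"   # logon type for Terminal Services / Remote Desktop

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: peak failure count within `window`} for noisy sources."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():   # assumes chronological order
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue                      # skip malformed rows, keep reporting
        stamp, event_id, logon_type, _account, source = parts
        if event_id != FAILED_LOGON or logon_type != REMOTE_INTERACTIVE:
            continue                      # successes and console logons
        try:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        q = recent[source]
        q.append(when)
        while when - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged

if __name__ == "__main__":
    for source, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{source}: {count} failed Remote Desktop logons within 5 minutes")
```

A single mistyped password followed by a successful logon, as in the second source in the sample, stays below the threshold and is not reported.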
E-Mail on the Go: Did you know not to scan Exchange’s database with anti-virus software? HyBlue’s monitoring suite will help diagnose this and other common problems remotely.
The downside for busy administrators is that monitoring delivers a lot of information—almost too much to parse through on a daily basis. Sutton’s HyBlue (www.hyblue.com) attempts to distill relevant data by proactively scanning an installed sensor and prioritizing the events that it reports back. Sutton’s primary example is the implementation of virus scanning software on a machine with Exchange Server 2003. In short, you’re not supposed to scan an open Exchange database, else it corrupts. HyBlue will detect the AV software, help identify the directories to exclude from future scans, and send a TechNet guide on how to repair the damaged Exchange store.
HyBlue charges $50 per month per server for that feature, but if you’re charging each customer the recommended $200 per month for proactive monitoring and spending a fraction of your time perusing lengthy error logs populated with irrelevant data, the service should pay for itself. Workstations may also be covered for an additional $5 per month each. Best of all, HyBlue is transparent to your customer. It’s sold to you as an empowering tool that helps catch problems before they endanger mission critical applications. That’s true power for a busy VAR.
Remote Hardware
Most of the time, a robust software solution is more than enough to keep a server up and running. But what happens in the event of a power outage? Say your UPS implementation did its job and safely shut the server down after 30 minutes of downtime, right before it ran out of juice. Now the server is off after-hours and email is bouncing because the customer’s ISP doesn’t spool messages. Short of having an employee drive back over and turn on power, your hands are tied.
Fortunately, there are hardware-based remote management solutions. The one I’ve used most is HP’s iLO (Integrated Lights-Out) processor, an add-in card that plugs directly into compatible HP servers or resides directly on HP motherboards. The iLO processor gets its own IP address assigned statically or through DHCP and is accessible through either a command line interface or a Web browser. There are a few different implementations of the control chip itself, but basic functionality includes hardware monitoring (fan speeds, temperature, etc.), the ability to cycle power, turn a server on or reset it, and a virtual serial port to access Windows Server 2003 emergency management services. iLO Advanced adds USB virtual media to boot a remote server using a local floppy disk or CD, a graphical remote console, and Terminal Services integration. Either option facilitates potent control over a server regardless of operational state.
Pass the Remote
The prospect of answering hardware and software questions from 300 miles away can be daunting, even for the most adventurous VARs. But there’s no denying the allure of recurring revenue—pure profit—from service. Remote management is the key to efficiency on your side and value for your customer. It doesn’t matter if you use Microsoft’s built-in features, purchase a third-party suite such as Symantec pcAnywhere or Citrix GoToMyPC, or contract another company to cover your backside by proactively monitoring client machines, as HyBlue does. The critical action point here is that you familiarize yourself with remote management and explore its potential.