Accessing External Devices

Accessing External Devices

Once the Goverlan Reach infrastructure is implemented, Reach equipped computers start monitoring to determine whether they are inside or outside of the Reach authoritative network.

  • If External Devices are within the private network, they can be managed using the standard access methods via Active Directory or directly by specifying the system’s network address.
  • If External Devices are outside the private network, they can be managed by browsing through the Goverlan Reach Repository.

Goverlan Reach Repository

The Goverlan Reach Repository holds all registrations of computer nodes that are outside of your private network. Computer nodes are organized by folders defined by Reach Site names as well as by any Active Directory hierarchy of remote client sites. The Reach Repository can be browsed, searched and used to configure the scope credentials for a set of machines.

Browsing the Reach Repository

To browse the Reach Repository, simply double click on any container within the Goverlan Reach folder. This will disclose the child containers for your Reach, starting with Reach Site Names.

Open a Reach Site folder to display its nodes. If a Reach Site is configured with its own Active Directory hierarchy, it will be displayed in the Reach Repository.


Only the Active Directory path of registered computers is displayed within Reach.

The active/offline status of a Reach node is indicated via its computer icon. Offline nodes cannot be managed as they are either Powered OFF, or may be back on the private network (in case of travelling corporate users).

Searching the Reach Repository

External Devices can be found by searching the Reach Repository. The Reach Search features are available while browsing the Reach Repository and every time a computer name is requested within the Goverlan interface.

To search while browsing the Reach Repository, right-click the parent container to search and select the Search feature:

Enter a partial node name including wild card (*) before or after the search string to view all External Devices matching your search criteria within the selected container.

To connect to External Devices or search for External Devices when prompted for a computer name, enter the prefix REACH: followed by the node name or search string. For instance, to open a remote control session to an external Goverlan Reach machine named:  SOME-OUTMAC-001, enter:

The connection string above assumes that SOME-OUTMAC-001 is registered to the root of the Goverlan Reach Repository. However, most Goverlan External Devices will use an organization name or their local Active Directory Domain information to register themselves.

If the exact path of a Goverlan Reach node is not known, the node can be searched for using the * wild card character in the connect string. For instance, enter REACH: SOME-OUTMAC-001* and a search for SOME-OUTMAC-001 will be initiated, irrespective of its location within the Goverlan Reach Repository.

Other search examples:

REACH:* Returns the entire repository
REACH:CLIENT-ORG/* Returns all machines registered in the
CLIENT-ORG container
REACH:Domain Controllers* Returns all machines registered in any Active Directory container titled Domain Controllers across all client sites.

Configuring Credentials for Unattended Reach External Devices

Goverlan Services require Windows credentials to perform any action on a remote system. The provided credentials must hold the necessary level of privileges to execute the action requested.

By default, remote control sessions require Local Administrative privileges (this can be configured).

For External Devices that are not joined to the domain or when a device has left the domain

A Local Account that is a part of the Local Administrators Group is needed.

For External Devices that are on an a remote site with a domain

A Domain or Local Account that is a part of the Local Administrators Group is needed.

Goverlan automatically prompts for credentials if the action taken has failed due to a lack of privileges. Per-machine credentials, and per-container credentials can be configured as well.

Per-Machine Credentials

If the remote endpoint is located at the root of the Goverlan Reach Repository, or if a unique administrator password is configured for each endpoint, per-machine credentials must be specified.

To configure per-machine credentials you can either:

  • Initiate a management action on the remote machine and wait for the Goverlan credentials prompt.
  • Configure the credentials the first time you connect to the machine:

Once the credentials have been configured, they will be reused for subsequent connections to the same machine. These credentials can be modified or removed via the Credentials Manager.

Per-Container Credentials

Credentials for a scope of machines can be configured on any of the parent containers. Right click on a Goverlan Reach Repository container and select Configure Credentials for this Realm:

Specify the credentials to be used for all the nodes that belong to this realm. Make sure to indicate the proper domain authority in your credentials:

Credential Manager

Once the credentials are configured, they are stored in the Goverlan Credentials database that can be accessed via the Application menu:

The Credential Manager can be used to view and modify configured credentials.


On-Demand Reach Access

Starting a Reach On-Demand Support Session

Using Goverlan Reach Gateway Services, you will be able to remotely access any user, anywhere as long as they are connected to the internet. This is done via Reach On-Demand Support Sessions.

To initiate a Goverlan Reach On-Demand session, Operators click on the On Demand Goverlan Reach tab:

  • Generate a client email – Automatically launches your default email client with a template that includes the weblink to download the Goverlan Reach client that pertains to your configured Goverlan Reach server.
  • Copy Web-link to clipboard – The weblink will be available from your clipboard to paste in a live chat session or custom e-mail.
  • Enable Permanent Install Mode: Enable this option to generate a client support package. The remote user will be presented with an option to permanently install the Goverlan Reach Client on the user’s machine as a service. Permanent installations will make the node available for both attended and unattended support session. If this setting is turned off, the user can only start on-demand support sessions.

The Goverlan Reach Web-Link redirects the client to our default Client Portal in which the Goverlan Reach Client agent will be available. Once this is opened, the user will be prompted to start the support session.

If the Reach Client is started without local administrative privileges, the user is presented with an option to grant such privileges. Ask the user to enable this option if you wish to gain access to UAC prompts.

Once the user starts the support session, they are presented with a Session ID:

Security Note

As best practice, your Goverlan Reach Server public facing address should be configured with a TLS identity certificate. Service identity validation is then confirmed to the end user. The user can click on the “Server identify verified” link to display certificate information:

If your Reach Server public facing address is not configured with an identity certificate, the Reach Session ID window will turn red as follows:

Connecting to the Reach Session ID

Once the Session ID is transmitted to the Operator, the Operator can perform any Goverlan management task on the remote system by using REACH:SESSION-ID as a computer name.

For instance, to initiate a remote control session to the Session ID 668-557-954, the connection string would be: REACH:668 557 954


Spaces and dashes can be used to specify a session ID, so REACH: 668557954 or REACH: 668 557 954 or REACH: 668-557-954 are all acceptable entries.

Ending a Support Session

Upon first connection with the remote client, the support session is started and the user sees the following screen:

It is important to understand that On-Demand Reach Support Sessions do not need to start and end with a remote control session. The Reach Session ID can be used and re-used with other Goverlan Services. For instance, you can connect to the remote system directly from other Goverlan Tools such as the Goverlan Task Manager, initiate file transfers, or push power actions even if no remote control session is active.

As long as the remote user doesn’t end the session by clicking End Support Session, you can use the Goverlan services to manage the remote machine.

Once the user terminates the session, the option to keep or remove the Reach Session Starter is presented:

Selecting Yes generates a shortcut on the user’s desktop that can be used at any time to re-open a support session.


Reviewing Operator Actions

During an On-Demand Reach session, all Operator actions are audited and logged. If the end user selects to review the support action upon exit, the log is displayed once the support session ends.


The audit log is also registered in the Application log of the event viewer.

Was this article helpful?

Related Articles