Goverlan Reach Gateway Services are enabled via the Goverlan Reach Server (GRS). The Goverlan Reach Server is a software component that can be installed on 64-bit only Windows Server 2008 R2 or later.
Implementing a Goverlan Reach infrastructure is done via the following 3 steps:
This configuration applies to corporate infrastructures and to software product vendors who want to support their products via On-Demand support sessions.
At least ONE Primary GRS must be installed on the private network where the Goverlan support operators are located.
This configuration allows for unattended access of any client computer equipped with the Goverlan Reach Client Agent as well as attended access of any other computer via an On-Demand Reach session.
This configuration is defined under Implementing the Master GRS.
Adding Support for Remote Client Sites
A Client Site configuration applies to IT Service Providers who wish to manage their customer sites with Goverlan Reach Gateway Services. Client Sites can also be used by multi-site enterprise environments to extend Reach Services to them.
In order to manage entire client sites remotely without a VPN connection, an additional Secondary GRS needs to be implemented at each client site:
This configuration is defined under Enabling Remote Client Sites with Reach.
Download and Install the GRS
The latest Goverlan Reach Server can be downloaded by logging into my.goverlan.com, selecting the Goverlan Reach Server tab and clicking on Download This Product.
Minimum System Requirements: The Goverlan Reach Server software can be installed on any Windows Server 2008/Server 2008 R2 or later operating system with a minimum of 4GB of RAM and 200MB of available disk space.
Configure the Goverlan Reach Server
Open the Server Configuration window and configure the following options:
A GRS can be a primary server or a dependent server. The primary server is installed within the authoritative site (the site where Goverlan Operators reside). In the case of a MSP implementation, client-site GRS’s will be dependent on the primary (covered later under Enabling Remote Client Sites with Reach).
For this master server, keep this setting as the Primary Goverlan Reach Server.
The port exposed on the internal side of the network used to provide GRS services to your internal machines is defined here. This port should be reachable by all of your machines within the private infrastructure.
The default port number is 22100.
Server Services Authentication
Enter the user ID and password that will be used to start the Goverlan Reach Server and Goverlan Reach Gateway Services.
This account needs to have the following privileges:
- Logon as a service permission
- Local Administrator permission on the server
- DB Creator right if using a MS SQL Server (Optional)
By default, the GRS installer will automatically install a LocalDB database. This file-based database can accommodate medium sized networks of up to 500 nodes. No further configuration is necessary for the LocalDB database.
For larger networks, use the GRS settings to switch to a MS SQL Server/Express instance for the database.
SQL Server Configuration
Change the database type to Microsoft SQL Server and enter the SQL Server details. The Service Account configured in Service Account Configuration is used when Windows Authentication is selected.
If SQL Authentication is required, change the authentication method and enter the SQL account credentials.
Gateway Configuration Steps
The Goverlan Reach Gateway Service requires two TCP ports to be configured. One which is facing the inside of your network, and one that is exposed to the internet through your firewall.
The external TCP port will be used to communicate with external endpoints. Configure your external firewall with a PAT (Port Address Translation) or a NAT (Network Address Translation) rule that is directed at the Goverlan Reach Server’s IP and configured external TCP port.
It is recommended that a friendly DNS name be assigned to the public IP address.
For Example: reach.corpxyz.com would point to the external IP address of the firewall where the rule is configured.
Please refer to your router’s documentation for specific information regarding port forwarding.
About My Organization
Enter the name of your organization in this field (for instance ‘Corp XYZ, Inc.’). This name will be used during On-Demand Support Sessions to brand the package for the remote client. It will also be used as the default container for corporate clients that are connected from outside of your private network.
Publish Gateway configuration to all Goverlan operators via policies
Turn on this option to automatically configure the Goverlan Reach Gateway section of the General Settings of all Goverlan operators via policies. This should be enabled most of the time on the primary Goverlan Reach Server.
Enable Gateway Services on my machines
Turn on this option to enable gateway services on all machines within your infrastructure via policies. Enable this option if you wish laptops within your organization to automatically register with the Gateway server once they are outside of the organization. This enables you to manage these mobile users even when they are connected to a public network. However, it will consume a license every time such event occurs.
Turning off this option will prevent laptops from registering automatically with the Gateway server and consume a license. You will still be able to support these users via On-Demand sessions.
Public Facing Reach Address
Enter the Public DNS Name (or IP address if no DNS name has been configured) exposed to the public facing side of your network, as well as the port number to be used for communication.
Secure with Certificate
In the event that a DNS name is configured, you can associate a public certificate with it. Associating a public certificate will further secure the network connection between your clients to your Reach server by enforcing a TLS handshake.
For assistance configuring a TLS certificate for the server, see Goverlan Reach Gateway and TLS.
It is strongly encouraged to associate an identity certificate to your Reach public facing address. See: Reach Security.
Private Facing Reach Address
Enter the FQDN or IP address of the local server, as well as the port number to be used for communication. This address will be used by Goverlan Operators within your network to communicate with the Reach Server.
Goverlan Reach External Devices Repository
The Goverlan Reach Repository holds active Reach node registration records and is used to browse through the available external endpoints.
The Remove Stale Computer Records setting defines the number of days to wait before removing stale Reach node records. If an external endpoint has not communicated with the Reach server for the configured period, it is automatically removed from the repository.
You can also view and remove stale registrations from the Goverlan Reach Server. Click on View Nodes in the ribbon bar, select Show Registered but disconnected nodes, select the disconnected registrations you wish to delete and click the Delete Records button. Or choose the Clean Records older than XX days option.
This section is irrelevant for On-Demand Only Reach implementations
To consume GRS services, the implemented GRS must advertise its existence on your network. The GRS advertisement enforces that the configured policies and Reach configuration is applied across all Goverlan software within your infrastructure (both Operator and Client side).
The GRS existence can be published using one of the following methods:
Please refer to the GRS User Guide Instruction page explaining these methods.
Start Your Engines
Once you have configured the GRS/REACH server, you are ready to start the services.
- Click on the Server Controls tab and click on Start.
- Click on the Goverlan REACH tab and click on Start the Server.