What is the Goverlan Reach Gateway?
The Goverlan Reach Gateway provides uninterrupted management of computers regardless of their network location.
Computer nodes equipped with Goverlan Reach can be accessed and managed remotely using Goverlan services whether they are connected to your private network, or anywhere else over the internet, without requiring a VPN bridge.
Goverlan Reach is completely self-hosted and does not depend on any outside services or vendors to establish connections. Since there is no ‘middle-man’ between you and your clients, external points of failure and security dependencies are eliminated.
The Goverlan Reach Access Modes
Goverlan Reach is highly scalable and can be used to manage corporate networks, remote client sites and computer standalone nodes.
Manage Corporate Users
Goverlan Reach Gateway Services can be used to remotely manage corporate users irrespective of their location – in the office, at home or on a business trip.
The Goverlan Reach client automatically detects whether the user’s machine is connected to the corporate network or to a public network. This allows for seamless management of corporate machines as they transition from the internal network to outside of the organization. Management requests are automatically rerouted to the client’s location, allowing uninterrupted support of attended or unattended machines, irrespective of their location.
Manage Client Sites
IT Services Providers or multi-site enterprises can benefit from easy access and management of all their client sites using the Goverlan Reach Gateway Services. All machines in a client site can be managed remotely using Goverlan Services once the site is configured with Reach; this applies even to client machines connected outside of their private network.
Assist Any User On-Demand
Goverlan Reach can also be used for On-Demand support sessions. With On-Demand support sessions, any remote user can be supported once authorized by a simple approval process. On-Demand sessions are useful for corporate BYOD or application customer support environments.
How is Goverlan Reach Licensed?
Your Goverlan account includes a number of free Reach nodes based on the edition you use.
One Reach node license is required for every computer that is actively registered with the Reach Server. This includes active On-Demand support sessions. Reach node licenses are only required for machines that are outside of the Reach Authority’s private network.
How do I know how many Reach licenses are currently used?
License information can be found in the Main View of the Goverlan Reach Server:
What happens once I reach the license limit?
Once you have reached the license limit, new computer nodes and On-Demand support sessions attempting to register to the server will fail.
A notification will be logged in the server’s Execution Log and in the Event Viewer.
Goverlan Reach Gateway Services are enabled via the Goverlan Reach Server (GRS). The Goverlan Reach Server is a software component that can be installed on Windows Server 2008 or later.
Implementing a Goverlan Reach infrastructure is done via the following 3 steps:
This configuration applies to corporate infrastructures and to software product vendors who want to support their products via On-Demand support sessions.
At least ONE Primary GRS must be installed on the private network where the Goverlan support operators are located.
This configuration allows for unattended access of any client computer equipped with the Goverlan Reach Client Agent as well as attended access of any other computer via an On-Demand Reach session.
This configuration is defined under Implementing the Master GRS.
Adding Support for Remote Client Sites
A Client Site configuration applies to IT Service Providers who wish to manage their customer sites with Goverlan Reach Gateway Services. Client Sites can also be used by multi-site enterprise environments to extend Reach Services to them.
In order to manage entire client sites remotely without a VPN connection, an additional Secondary GRS needs to be implemented at each client site:
This configuration is defined under Enabling Remote Client Sites with Reach.
GRS Configuration Steps
Download and Install the GRS
The latest Goverlan Reach Server can be downloaded by logging into my.goverlan.com, selecting the Goverlan Reach Server tab and clicking on Download Product.
Minimum System Requirements: The Goverlan Reach Server software can be installed on any Windows Server 2008/Server 2008 R2 or later operating system with a minimum of 4GB of RAM and 200MB of available disk space.
Configure the Goverlan Reach Server
Open the Server Configuration window and configure the following options:
A GRS can be a primary server or a dependent server. The primary server is installed within the authoritative site (the site where Goverlan Operators reside). In the case of an MSP implementation, client-site GRSs will be dependent on the primary (covered later under Enabling Remote Client Sites with Reach).
For this master server, keep this setting as the Primary Goverlan Reach Server.
This defines the port exposed on the internal side of the network that provides GRS services to your internal machines. This port should be reachable by all of your machines within the private infrastructure.
The default port number is 22100.
Server Services Authentication
Enter the user ID and password that will be used to start the Goverlan Reach Server and Goverlan Reach Gateway Services.
This account needs to have the following privileges:
- Logon as a service permission
- Local Administrator permission on the server
- DB Creator right if using a MS SQL Server (Optional)
By default, the GRS installer will automatically install a LocalDB database. This file-based database can accommodate medium-sized networks of up to 500 nodes. No further configuration is necessary for the LocalDB database.
For larger networks, use the GRS settings to switch to a MS SQL Server/Express instance for the database.
SQL Server Configuration
Change the database type to Microsoft SQL Server and enter the SQL Server details. The Service Account configured in Service Account Configuration is used when Windows Authentication is selected.
If SQL Authentication is required, change the authentication method and enter the SQL account credentials.
Reach Gateway Configuration Steps
The Goverlan Reach Gateway Service requires two TCP ports to be configured: one facing the inside of your network, and one exposed to the internet through your firewall.
The external TCP port will be used to communicate with external endpoints. Configure your external firewall with a PAT (Port Address Translation) or a NAT (Network Address Translation) rule that is directed at the Goverlan Reach Server’s IP and configured external TCP port.
It is recommended that a friendly DNS name be assigned to the public IP address.
For example, reach.corpxyz.com would point to the external IP address of the firewall where the rule is configured.
Please refer to your router’s documentation for specific information regarding port forwarding.
Automatically publish these settings to all Operators
This option controls the way the Reach configuration is pushed to all of your machines within your infrastructure and should be turned ON in most cases. Do not disable this option unless you have implemented a dedicated GRS server and a separate Reach server.
Name of this Organization
Enter the name of your organization in this field (for instance ‘Corp XYZ, Inc.’). This name will be used during On-Demand Support Sessions to brand the package for the remote client. It will also be used as the default Reach container for corporate clients that are connected from outside of your private network.
Public Facing Reach Address
Enter the Public DNS Name (or IP address if no DNS name has been configured) exposed to the public facing side of your network, as well as the port number to be used for communication.
Secure with Certificate
If a DNS name is configured, you can associate a public certificate with it. Associating a public certificate further secures the network connection between your clients and your Reach server by enforcing a TLS handshake.
It is strongly encouraged to associate an identity certificate to your Reach public facing address. See: Reach Security.
Private Facing Reach Address
Enter the FQDN or IP address of the local server, as well as the port number to be used for communication. This address will be used by Goverlan Operators within your network to communicate with the Reach Server.
Goverlan Reach Repository
The Goverlan Reach Repository holds active Reach node registration records and is used to browse through the available external endpoints.
The Remove Stale Computer Records setting defines the number of days to wait before removing stale Reach node records. If an external endpoint has not communicated with the Reach server for the configured period, it is automatically removed from the repository.
You can also view and remove stale registrations from the Goverlan Reach Server. Click on View Nodes in the ribbon bar, select Show Registered but disconnected nodes, select the disconnected registrations you wish to delete and click the Delete Records button. Or choose the Clean Records older than XX days option.
This section is irrelevant for On-Demand Only Reach implementations
To consume GRS services, the implemented GRS must advertise its existence on your network. The GRS advertisement enforces that the configured policies and Reach configuration is applied across all Goverlan software within your infrastructure (both Operator and Client side).
The GRS existence can be published using one of the following methods:
Please refer to the GRS User Guide Instruction page explaining these methods.
Start Your Engines
Once you have configured the GRS/REACH server, you are ready to start the services.
- Click on the Server Controls tab and click on Start.
- Click on the Goverlan REACH tab and click on Start the Server.
IT Service Providers can support entire client sites via Goverlan Reach Gateway Services. To do so, each client site must be equipped with a Secondary Goverlan Reach Server.
Implementing a Secondary GRS
Log in to my.goverlan.com, select the Goverlan Reach Server product under the Licenses section, then click on the Add License option. Specify a relevant name for your license and use this one to sign in to the Secondary Goverlan Reach Server.
The initial configuration of the Goverlan Reach Server at the client site uses the same procedures as described earlier in this user guide. However, you need to configure this server with a Secondary Relationship with the Primary GRS.
Configuring the Server Relationship
Under the Relationship category of the GRS Settings, select This server depends on a Primary Goverlan Reach Server.
GRS Reach Public Address
Enter the public address of Reach Services exposed by the Primary Goverlan Reach Server. If this address is a FQDN that was configured with a TLS Certificate, then enable the option Certify Server Identity.
Check-in with server
This setting is the interval between synchronization cycles with the Primary GRS. It mainly defines how often the Secondary Server will contact the Primary Server for setting updates and policy changes.
Name this site
Enter the name of the client site. This name is used during reporting of events and to categorize accessible computers from this site.
Redirect the following Services
Services that will redirect to the Primary GRS:
- Global Policies Assignment – All Global Policies for this site are provisioned via the Primary GRS.
- Site Access via Goverlan Reach Gateway Services – Grant remote management services of this site’s machines to the Primary GRS (ON by default).
- Site Audit Reporting – Forward all auditing events to the Primary GRS.
Test Connection with Primary
Once the relationship between the Primary and Secondary GRS is configured, click this button to confirm proper connectivity with the Primary GRS. If the test fails, review the error message to make adjustments.
Finalizing the Site Configuration
Once the relationship is configured, start the Goverlan Reach Server service via the Server Controls tab.
There are still two things that need to be completed to fully support the client site:
- Advertising the GRS across the site’s internal network (see Advertising the Goverlan Reach Server)
- Pushing the Goverlan Reach Client to the site machines (see Deploying the Goverlan Reach Client)
That’s it! The client site can now be completely managed remotely from within the Primary Goverlan Reach network.
Once the GRS is configured, started and advertised, Goverlan Services on any machine will be available as long as it is running the Goverlan Reach Client Agent.
The Goverlan Client Agent is a secure, low-footprint, unintrusive and stable agent that can be started on demand or installed as a service when unattended system access is needed. Use the following instructions to push the Goverlan Client Agent as a service on remote machines.
Pre-installing Agents on a Site
Pre-installing agents is required when configuring a remote client site with Reach Services. For private corporate networks, this is optional, as the Goverlan software can remotely maintain the agents on an as-needed basis.
To pre-install the Goverlan Client Agents within a site, use the Goverlan Agent Manager that can be found in the Application menu of any Goverlan software, including the Goverlan Reach Server:
Configure a set of machines to process by selecting an Active Directory Domain, an IP range or individual machines.
Select all machines within the view and click on Install/Update Agents.
Installing the Agent on Off-Site Machines
Once the Goverlan Reach Gateway Services have been configured and started, any machine can be remotely accessed over the internet if configured for your Reach Authority. This is done by sending an Assistance Instruction email to a remote user to have them start the Reach Client.
This process can also be used to install the Reach Client as a service enabling unattended remote management services to that node:
- Open any Goverlan Operator software such as the Goverlan Remote Control
- Click on the On-Demand Goverlan Reach tab under My Devices in the left column of the Console, click Send Request, then select Generate a client email.
  Confirm that Enable Permanent Install Mode is activated before generating your client email.
- Send the email to the remote user
Once the remote user receives the email and runs the downloaded executable, the user will be prompted to choose an execution mode. Instruct the remote user to enable the Authorize Permanent Access option then click on the Provide Unattended Access button.
Accessing Reach Nodes
Once the Goverlan Reach infrastructure is implemented, Reach equipped computers start monitoring to determine whether they are inside or outside of the Reach authoritative network.
- If Reach nodes are within the private network, they can be managed using the standard access methods via Active Directory or directly by specifying the system’s network address.
- If Reach nodes are outside the private network, they can be managed by browsing through the Goverlan Reach Repository.
Goverlan Reach Repository
The Goverlan Reach Repository holds all registrations of computer nodes that are outside of your private network. Computer nodes are organized by folders defined by Reach Site names as well as by any Active Directory hierarchy of remote client sites. The Reach Repository can be browsed, searched and used to configure the scope credentials for a set of machines.
Browsing the Reach Repository
To browse the Reach Repository, simply double-click on any container within the Goverlan Reach folder. This displays the child containers for your Reach, starting with Reach Site Names.
Open a Reach Site folder to display its nodes. If a Reach Site is configured with its own Active Directory hierarchy, it will be displayed in the Reach Repository.
The active/offline status of a Reach node is indicated via its computer icon. Offline nodes cannot be managed as they are either Powered OFF, or may be back on the private network (in case of travelling corporate users).
Searching the Reach Repository
Reach nodes can be found by searching the Reach Repository. The Reach Search features are available while browsing the Reach Repository and every time a computer name is requested within the Goverlan interface.
To search while browsing the Reach Repository, right-click the parent container to search and select the Search feature:
Enter a partial node name including a wildcard (*) before or after the search string to view all Reach nodes matching your search criteria within the selected container.
To connect to Reach nodes or search for Reach nodes when prompted for a computer name, enter the prefix REACH: followed by the node name or search string. For instance, to open a remote control session to an external Goverlan Reach machine named SOME-OUTMAC-001, enter REACH:SOME-OUTMAC-001
The connection string above assumes that SOME-OUTMAC-001 is registered to the root of the Goverlan Reach Repository. However, most Goverlan Reach nodes will use an organization name or their local Active Directory Domain information to register themselves.
If the exact path of a Goverlan Reach node is not known, the node can be searched for using the * wildcard character in the connect string. For instance, enter REACH: SOME-OUTMAC-001* and a search for SOME-OUTMAC-001 will be initiated, irrespective of its location within the Goverlan Reach Repository.
Other search examples:
|Search string|Result|
|---|---|
|REACH:*|Returns the entire repository|
|REACH:CLIENT-ORG/*|Returns all machines registered in the|
|REACH:Domain Controllers*|Returns all machines registered in any Active Directory container titled Domain Controllers across all client sites.|
Configuring Credentials for Unattended Reach External Devices
Goverlan Services require Windows credentials to perform any action on a remote system. The provided credentials must hold the necessary level of privileges to execute the action requested.
By default, remote control sessions require Local Administrative privileges (this can be configured).
Goverlan automatically prompts for credentials if the action taken has failed due to a lack of privileges. Per-machine credentials, and per-container credentials can be configured as well.
If the remote endpoint is located at the root of the Goverlan Reach Repository, or if a unique administrator password is configured for each endpoint, per-machine credentials must be specified.
To configure per-machine credentials you can either:
- Initiate a management action on the remote machine and wait for the Goverlan credentials prompt.
- Configure the credentials the first time you connect to the machine:
Once the credentials have been configured, they will be reused for subsequent connections to the same machine. These credentials can be modified or removed via the Credentials Manager.
Credentials for a scope of machines can be configured on any of the parent containers. Right click on a Goverlan Reach Repository container and select Configure Credentials for this Realm:
Specify the credentials to be used for all the nodes that belong to this realm. Make sure to indicate the proper domain authority in your credentials:
Once the credentials are configured, they are stored in the Goverlan Credentials database that can be accessed via the Application menu:
The Credential Manager can be used to view and modify configured credentials.
On-Demand Reach Access
Starting a Reach On-Demand Support Session
Using Goverlan Reach Gateway Services, you will be able to remotely access any user, anywhere as long as they are connected to the internet. This is done via Reach On-Demand Support Sessions.
To initiate a Goverlan Reach On-Demand session, Operators click on the On Demand Goverlan Reach tab:
- Generate a client email – Automatically launches your default email client with a template that includes the weblink to download the Goverlan Reach client that pertains to your configured Goverlan Reach server.
- Copy Web-link to clipboard – The weblink will be available from your clipboard to paste in a live chat session or custom e-mail.
- Enable Permanent Install Mode – Enable this option to generate a client support package. The remote user will be presented with an option to permanently install the Goverlan Reach Client on the user’s machine as a service. Permanent installations make the node available for both attended and unattended support sessions. If this setting is turned off, the user can only start on-demand support sessions.
The Goverlan Reach Web-Link redirects the client to our default Client Portal in which the Goverlan Reach Client agent will be available. Once this is opened, the user will be prompted to start the support session.
If the Reach Client is started without local administrative privileges, the user is presented with an option to grant such privileges. Ask the user to enable this option if you wish to gain access to UAC prompts.
Once the user starts the support session, they are presented with a Session ID:
As best practice, your Goverlan Reach Server public facing address should be configured with a TLS identity certificate. Service identity validation is then confirmed to the end user. The user can click on the “Server identity verified” link to display certificate information:
If your Reach Server public facing address is not configured with an identity certificate, the Reach Session ID window will turn red as follows:
Connecting to the Reach Session ID
Once the Session ID is transmitted to the Operator, the Operator can perform any Goverlan management task on the remote system by using REACH:SESSION-ID as a computer name.
For instance, to initiate a remote control session to the Session ID 668-557-954, the connection string would be: REACH:668 557 954
Ending a Support Session
Upon first connection with the remote client, the support session is started and the user sees the following screen:
It is important to understand that On-Demand Reach Support Sessions do not need to start and end with a remote control session. The Reach Session ID can be used and re-used with other Goverlan Services. For instance, you can connect to the remote system directly from other Goverlan Tools such as the Goverlan Task Manager, initiate file transfers, or push power actions even if no remote control session is active.
As long as the remote user doesn’t end the session by clicking End Support Session, you can use the Goverlan services to manage the remote machine.
Once the user terminates the session, the option to keep or remove the Reach Session Starter is presented:
Selecting Yes generates a shortcut on the user’s desktop that can be used at any time to re-open a support session.
Reviewing Operator Actions
During an On-Demand Reach session, all Operator actions are audited and logged. If the end user selects to review the support action upon exit, the log is displayed once the support session ends.
Branding End User Experience
By default, the parent organization name configured in your Goverlan Reach Server settings is used to brand Goverlan Reach sessions. This name is used in the On-Demand Goverlan Reach session email, support session interface and is the name of the shortcut generated on the user’s desktop.
The Goverlan Reach experience can be further customized by creating a self-hosted, On-Demand Goverlan Reach landing page with a convenient public DNS name that includes a download button for the On-Demand Goverlan Reach client executable.
The On-Demand Goverlan Reach support landing page should auto-download the Goverlan Reach Client executable that was generated from a prior On-Demand Goverlan Reach web-link.
Reach Gateway Security
See also: Goverlan Security
The Goverlan solution has been embraced by the Enterprise for its secure implementation. The Goverlan Reach Gateway Services now extend Goverlan to the outside, so security is a priority in its design. The following section lists a short set of primary security validation points implemented within Goverlan Reach Gateway Services. If you need further information, contact our Support Team.
Server Identity Verification
To guarantee the identity of the Reach Authority and prevent domain name hijacking and service rerouting, a TLS handshake can be enforced between the client and the server.
To enable a TLS handshake, you must bind a Public Certificate issued by a Trusted Root Authority to the Reach public facing FQDN. This is done in the Reach Settings of the Goverlan Reach Server options:
If TLS identity verification is enabled, client machines will reject any connection to a Reach server that fails validation.
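The following PowerShell script is an added check, not part of the Goverlan product or this guide, that exercises from outside the private network what a Reach client with identity verification enabled relies on: the public facing name resolves (the Public Facing Reach Address and firewall PAT/NAT rule described under Reach Gateway Configuration Steps), the external TCP port is forwarded, and the certificate presented chains to a Trusted Root Authority, matches the FQDN and is not expired. It assumes reach.corpxyz.com (the guide's example name) and port 22100 as placeholders, and that the external port answers a standard TLS handshake once Secure with Certificate is enabled; if the gateway negotiates its own framing first, the TLS step will need adapting.

```powershell
# Added verification script; not Goverlan code. Assumptions: placeholder host
# reach.corpxyz.com and port 22100, and a plain TLS handshake on the external port.
function Test-ReachIdentity {
    param(
        [string]$ReachHost = 'reach.corpxyz.com',   # assumed public DNS name
        [int]$ReachPort    = 22100                  # assumed external port
    )

    # 1. DNS: the friendly name must resolve to the firewall's public IP.
    $ips = (Resolve-DnsName -Name $ReachHost -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    Write-Host "$ReachHost resolves to: $($ips -join ', ')"

    # 2. TCP: the PAT/NAT rule must forward the external port to the GRS.
    $tcp = Test-NetConnection -ComputerName $ReachHost -Port $ReachPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "TCP ${ReachHost}:${ReachPort} unreachable; check the firewall PAT/NAT rule."
    }

    # 3. TLS: accept whatever is presented so the certificate can be captured,
    #    then evaluate it explicitly below instead of trusting the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = [System.Net.Sockets.TcpClient]::new($ReachHost, $ReachPort)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ReachHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    }
    finally {
        $client.Dispose()
    }

    # Chain must build up to a Trusted Root Authority on this machine,
    # with revocation checked online.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Name must match a Subject Alternative Name (OID 2.5.29.17) or the Subject CN.
    # Format() output is locale dependent; the regex assumes an English Windows.
    $names = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,]+)') |
                  ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # -like lets a leading wildcard label (*.corpxyz.com) match as a cert wildcard would.
    $nameOk = @($names | Where-Object { $ReachHost -like $_ }).Count -gt 0

    [pscustomobject]@{
        Host         = $ReachHost
        Protocol     = $protocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainOk
        ChainStatus  = if ($chainOk) { 'OK' } else { $chainStatus }
        NameMatches  = $nameOk
        Expired      = ($cert.NotAfter -lt (Get-Date))
    }
}

$result = Test-ReachIdentity
$result | Format-List
if (-not ($result.ChainTrusted -and $result.NameMatches -and -not $result.Expired)) {
    Write-Warning 'A Reach client with Certify Server Identity enabled would reject this server.'
}
```

Run it again after renewing or replacing the certificate, since a chain that stops building (ChainStatus other than OK) is the same condition that makes clients refuse to register.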
All client/server communications are encrypted using the AES-256 cipher.
Authenticated and approved actions
Reach clients are manageable via the Goverlan Services, however, Reach does not automatically grant privileges to a machine. Goverlan uses native Windows security to authenticate the Reach Operator and requires appropriate credentials to perform any action on the local machine. If an Operator doesn’t hold explicit privileges to perform an action, then they will be prompted to provide appropriate credentials.
By default, a Reach Operator must hold Local Administrative privileges on a machine in order to remote control it. Other management actions are approved based on the required privilege of the action as configured within Windows.
Goverlan automatically authenticates operators using Microsoft’s SSPI technology (Security Support Provider Interface). SSPI allows clients and servers to establish and maintain a secure channel, providing confidentiality, integrity and authentication. Using SSPI, Goverlan guarantees the identification of the Operator to the client and impersonates the administrator’s credentials locally to authorize the request.
Goverlan audits all remote system accesses and reports them locally in the system’s event log as well as centrally to the Goverlan Reach Server. Additionally, during On-Demand Remote Support sessions, the end user can review support actions performed on their system at any time.
No outside Operators Allowed
As an additional security measure, Goverlan Operators are not authorized to use Goverlan Reach Gateway Services if they are outside of the organization. A Goverlan Operator can only request Reach Services if they are within the private network where the Reach Server is installed.
Troubleshooting Reach Gateway Services
If an endpoint fails to register within the Reach Repository, the following may be the cause:
- Reach settings were not detected or configured properly
- Reach Server is out of licenses
- Reach Server identity failed to be validated
- Client’s internal/external state failed to be detected properly
The best way to gather extended information on the client’s machine is to open the Application Log of the local Event Viewer and look for events from the Goverlan Services source.
When the Goverlan Client Agent starts, it produces a set of Event Log messages describing the agent initialization steps:
- Whether a Goverlan Reach Server was detected
- Whether the Goverlan Reach Gateway Services was detected
- The current internal/external state of the local machine (if Reach configured)
If Reach configuration is detected and the client fails to register itself, an event log entry is written with the reason for the failure.
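As an added triage aid (not part of the Goverlan product or this guide), the following PowerShell function pulls the agent's Application log events from a local or remote machine and tags each one against the initialization steps and failure causes listed above. It assumes the agent registers its events under the provider name Goverlan Services (the source the guide tells you to look for) and that the keywords in $rules appear in the message text; both are assumptions, since the guide does not document the exact wording.

```powershell
# Added triage script; not Goverlan code. Assumed provider name and keyword rules.
function Get-ReachAgentEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Provider     = 'Goverlan Services',   # assumed event source name
        [int]$Hours           = 24
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Provider
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No '$Provider' events on $ComputerName in the last $Hours h; is the agent installed and started?"
        return
    }

    # Keyword rules mapping messages to the checks in the troubleshooting section.
    # The patterns are assumptions about message wording; adjust to your agent version.
    $rules = [ordered]@{
        'GRS detected'        = 'Reach Server'
        'Gateway detected'    = 'Gateway'
        'Internal/external'   = '\binternal\b|\bexternal\b'
        'Out of licenses'     = 'licen[cs]e'
        'Identity validation' = 'certificate|identity|TLS'
        'Registration failed' = 'regist\w*.*fail|fail\w*.*regist'
    }

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $tags = foreach ($k in $rules.Keys) {
            if ($e.Message -match $rules[$k]) { $k }
        }
        [pscustomobject]@{
            Time  = $e.TimeCreated
            Level = $e.LevelDisplayName
            Id    = $e.Id
            Tags  = ($tags -join '; ')
            Text  = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

# Local machine by default; pass -ComputerName to triage a remote endpoint
# you can already reach over the private network.
Get-ReachAgentEvents | Format-Table -AutoSize -Wrap
```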