2

i need to be able to access a customer's SQL Server, and ideally their entire LAN, remotely.

They have a firewall/router, but the guy responsible for it is unwilling to open ports for SQL Server, and is unable to support PPTP forwarding.

The admin did open VNC, on a non-standard port, but since they have a dynamic IP it is difficult to find them all the time.

In the past i have created a VPN connection that connects back to our network. But that didn't work so well, since when i need access i have to ask the computer-phobic users to double-click the icon and press Connect.

i did try creating a scheduled task that attempts to keep the VPN connection back to our office up at all times by running:

>rasdial "vpn to name" username password

But after a few months the VPN connection went insane, and thought it was both, and neither, connected and disconnected; and the vpn connection wouldn't work again until the server was rebooted.

Can anyone think of a way where i can access the customer's LAN that doesn't involve

  • opening ports on the router
  • needing to know their external IP
  • customer interaction of any kind

Blah blah blah

  • use vpn
  • vnc protocol has known weaknesses
  • you are unwise to lower your defenses
  • it's not wise to expose SQL Server directly to the internet
  • you stole that line from Empire

Customer doesn't care about any of that. Customer wants things to work.

Update 5/2/2011

Customer called this morning with things not working. This massive internet where everyone in the world is connected to each other - yet i can't administer a server 25 minutes away.

Ian Boyd
  • If you can't successfully walk a person through a GoToMeeting, Logmein Rescue, or Co-Pilot session, then perhaps you're not cut out for this line of work. – gravyface May 05 '11 at 02:49

5 Answers

0

Have them use a dynamic DNS service, and then connect to that DNS name via VNC.

mfinni
  • Tried that. But for various reasons, various dyndns update programs get stuck, or stalled, or fail, or lose their credentials, or the account has gotten disabled. These are all solvable problems; but when the customer calls for the first time in 6 months i can't be trying to debug why their dyndns isn't updating, or why their WinVNC service isn't running, or isn't accepting connections (especially since i can't connect to the machine to diagnose it, and they know nothing about computers) – Ian Boyd Jun 08 '10 at 11:18
  • But if this happens because the customer is calling you, why do you have a requirement of "no customer interaction of any kind" ? You've got them on the phone, you could tell them "Please do X so that I may troubleshoot this remotely." How far are you from this client? You know that F2F time is good customer service, especially if it's 6 months between visits. – mfinni Jun 08 '10 at 13:50
  • It's not "no customer interaction", it's "customer does not have to do anything to let me gain access". If they have to browse to a web-site, enter a url in ie, find a program on the start menu or click an icon on the desktop: we're reaching the limit of their capabilities. If them calling me on the phone were enough to make remote access happen - i'd be golden. About 15 minutes away. – Ian Boyd Jun 16 '10 at 02:25
  • Customer called again today. The dns name isn't resolving. Further evidence that dynamic DNS isn't a good solution. – Ian Boyd May 02 '11 at 13:10
  • It's been almost a year since this suggestion. Why isn't the DNS name resolving? It's not like DNS is some crazy bleeding-edge technology. If the infrastructure is unreliable, then you're always going to be having problems with any remote-access solution, period. – mfinni May 02 '11 at 13:44
  • Customer called again today. The dns name isn't resolving. So again, i'm hoping for suggestions on how to solve this problem. – Ian Boyd Jan 12 '12 at 15:16
  • Talk with the dynamic DNS vendor. Do some troubleshooting. – mfinni Jan 12 '12 at 15:27
  • Looks like the dyndns.org account i created for them is no longer valid. Presumably the account was closed due to lack of IP updates. Presumably the dyndns client software failed and stopped sending updates. Which doesn't help me this time, or the last time, or the time before that, or the time before that. Copilot/Logmein are beyond their capabilities. A world wide network connecting all computers, and i'm going to have to drive 40 minutes so i can delete a row. – Ian Boyd Jan 12 '12 at 15:34
  • "Presumably the dyndns client software failed and stopped sending updates." - This may be true, and if that's something that's going to impact the service, you should be monitoring it. – mfinni Jan 12 '12 at 16:25
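
Added example, not part of the original thread: one way to monitor the dynamic DNS plus VNC path discussed in this answer from the support side, so a stale hostname or a dead VNC service shows up before the customer calls. The function name, the status labels and the host/port in the demo are assumptions made for illustration.

```python
import socket

def check_remote_access(host, port, resolve=socket.gethostbyname,
                        connect=socket.create_connection, timeout=5.0):
    """Classify a dynamic-DNS + VNC endpoint as seen from the support side.

    Returns (status, detail) with status one of
    OK, DNS_FAILED, PORT_UNREACHABLE, NOT_VNC.
    """
    try:
        ip = resolve(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return "DNS_FAILED", f"{host} does not resolve: {exc}"
    try:
        conn = connect((ip, port), timeout)
    except OSError as exc:
        return "PORT_UNREACHABLE", f"{ip}:{port} refused or timed out: {exc}"
    with conn:
        try:
            # An RFB (VNC) server speaks first: 12 bytes, e.g. b"RFB 003.008\n"
            banner = conn.recv(12)
        except OSError as exc:
            return "NOT_VNC", f"{ip}:{port} accepted but sent nothing: {exc}"
    if banner.startswith(b"RFB "):
        version = banner.decode("ascii", "replace").strip()
        return "OK", f"{ip}:{port} answered {version}"
    return "NOT_VNC", f"{ip}:{port} is open but sent {banner!r}"


if __name__ == "__main__":
    # Constructed placeholders: substitute the real dynamic-DNS name and port.
    status, detail = check_remote_access("customer.invalid", 5901)
    print(status, detail)
    # Run this from a scheduler and alert on anything other than OK.
```

DNS_FAILED points at the dynamic DNS account or update client, PORT_UNREACHABLE at the router forward or a changed IP, and NOT_VNC at the VNC service on the server itself.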
0

Fog Creek Copilot offers a one-click connect service which is based on VNC (IIRC) and is fairly inexpensive and requires no user interaction on the remote side once it's installed and configured (and the connection confirmation is disabled). Requires no firewall changes on their network.

If the basic VNC connection works fine for you, install a dynamic DNS client on the server and have it update a static hostname which you can use to connect as long as a port is opened (as you've indicated).

Justin Scott
  • i've used copilot, a lot. It requires them to browse to a web-site, click a link, run a program, and enter a number. You'd be surprised how hard that can be for some users. (i much prefer copilot over glance, though) – Ian Boyd Jun 08 '10 at 11:19
  • i once spent 10 minutes on the phone trying to talk a customer through copilot. ("In the address bar", "The bar at the top", "What do you see?", "No, those are google search results, you typed it in the google toolbar. Type it in the address bar." "The bar at the top" "Try hitting Alt+D" "No, those are google search results again. You have to put it in the address bar." "Okay, try this. Click the file menu, and select Open" "Oh, hmmm. Try pressing the Alt key" "No, just the alt key, then release it, the file menu should appear." "No, just once" "Then open" "Which version of Windows are yo..." – Ian Boyd Jun 08 '10 at 11:26
  • (see what i'm saying?) – Ian Boyd Jun 08 '10 at 11:26
  • Yes, I've felt the pain. The OneClick service is slightly different though. Once it's installed the client just stays running and you can connect any time without further intervention or action from the user on the remote side. – Justin Scott Jun 08 '10 at 14:06
  • Link to this `OneClick` application? On the downside, it could be possible that this (indeed any program) might fail to operate correctly after running in the background for many months, or years. We have a world-wide network, providing high-speed connection between everyone on the planet: yet i can't connect to a customer who's 10 miles away. Security is the bane of the internet - the great possibilities are destroyed by security. – Ian Boyd Jun 16 '10 at 02:29
  • Information is available on their "Learn More" page at: https://www.copilot.com/LearnMore/ The issue you stated could apply to ANY program or service. Things change, especially over years. As for security, it's just something you have to deal with, and that's a good thing. You think spam and viruses are bad now? If it weren't for the security we have the Internet would be entirely overrun and unusable with garbage. – Justin Scott Jun 16 '10 at 14:19
  • @Justin Scott: i understand the need for security. But security is the *bane* of the internet. Some better system needs to be invented. Passwords, enabling/disabling, domain controllers, authentication servers, features off-by-default, secure-by-default, disabled-by-default: broken-by-default. – Ian Boyd Jul 07 '10 at 16:09
  • ...we have a global connection, where data can flow between any two computers in a fraction of a second: but i can't access the computer of a customer who is a 40 second walk from here. – Ian Boyd Jul 07 '10 at 16:11
  • @Ian Boyd - I manage dozens of servers in data centers in four states. Many of them are mission-critical for the businesses that use their services and some fall under fairly strict security guidelines. As I said, given the current state of things, you just have to deal with it. If it's all configured properly then it's really not so bad. However, if something goes wrong with the configuration on the customer's side, well, then NO remote access solution is going to meet your needs and hands will have to be applied in person to fix it. – Justin Scott Jul 08 '10 at 00:44
  • @Justin Scott: Fortunately i don't have to maintain software for you. We do have customers like that, and dealing with the bureaucracy is always not fun. But in this case i'm talking about real people, who want real support - and don't have over the top security theater. – Ian Boyd Jul 08 '10 at 14:25
  • Customer called again today. VNC isn't accessible, so i'm stuck. – Ian Boyd May 02 '11 at 13:21
  • If you have to go put hands on it, perhaps install GoToMyPC on the target computer and see if that will work as a remote access solution. It's similar to CoPilot OneClick but from a more well-known vendor, doesn't require ports to be opened or keeping track of the IP address. – Justin Scott May 04 '11 at 19:16
  • Unfortunately if they have an issue with their border router or Internet provider, nothing you do on the server is going to help that. – Justin Scott May 04 '11 at 19:16
  • @Ian - I feel your pain with the entering a URL/website scenario. In those situations, I usually pre-empt the situation by sending them a URL in an email that they can click on. – Mark Henderson May 05 '11 at 05:42
  • Dammit. Have to go out there again. On a Sunday. On a Valentine's Day. I wish there was some way to access SQL Server remotely over the Internet without needing anyone there. – Ian Boyd Feb 14 '16 at 23:21
  • @Ian, I feel for you, I do, but numerous solutions have been presented and you've shot them all down. Let me add another one... cellular. Get a CradlePoint router and a USB cellular modem with a data plan and connect it to their network. Downside is the cost of the data plan (e.g. $50/mo from Verizon Wireless plus the initial setup fees for a static IP if you're inclined). I manage several remote networks in rural parts of MS and AR this way... works like a charm. – Justin Scott Feb 15 '16 at 03:29
0

Personally I would never let a vendor connect to my network without my explicit permission and presence. My suggestion (which is really a suggestion for them and not you) would be to use a third party solution like GoToMeeting, Webex, etc to allow you to connect to their server(s) with their participation.

joeqwerty
  • The downside to that is it requires their participation; which would be fine if they didn't have to use a computer while doing it. Not everyone is computer savvy (i.e. trying to talk them through a program over the phone is a problem - which technology should be able to fix) – Ian Boyd Jun 08 '10 at 11:17
  • i once spent 10 minutes on the phone trying to talk a customer through entering a url into their browser. – Ian Boyd May 02 '11 at 13:19
  • Can you fly up here, go to their site, so i can direct you to `copilot.com` and enter in the number? i need access to customer's SQL Server remotely. – Ian Boyd Jan 12 '12 at 15:38
  • Can you fly up here this morning; i need access to the customer's site again this morning. i'll be leaving here shortly to drive there. – Ian Boyd Aug 13 '12 at 13:08
  • Can you fly up here this morning; i need access to the customer's site again this morning. i'll be leaving here shortly to drive there. – Ian Boyd Dec 15 '14 at 14:34
0

i'm going to answer my own question and say there is no answer.

Except perhaps Teredo; but it suffers from the same problem (unreliable).

Ian Boyd
0

Install Logmein free on the server and client machines.

DanBig