Goverlan v6

1
Introducing Goverlan, one of the most robust,
flexible and cost effective remote administration
solutions on the market. First released in 1998,
it has since become the primary and most
preferred remote administration solution for many
businesses around the world. Chosen for its cost
effectiveness, ease of use and unsurpassed
flexibility, Goverlan is a favorite amongst user
support teams, system administrators and
enterprise administrators alike. This
presentation will first demonstrate how Goverlan
can lower the Total Cost of Ownership of your
network, followed by a description on the
Goverlan Remote Control product, and finally we
will show how easy and securely Goverlan can be
implemented in the enterprise.
www.pjtec.com
2
Total Cost of Ownership / Return On
Investment Due to the expansion of
geographically large networks, supporting and
administering remote users and machines is a
daunting task. It requires an increase in user
support and system administration staff resulting
in a higher Total Cost of Ownership (TCO).
Goverlan's design began in 1997, in the midst
of a very busy and large user support group.
Goverlan was the direct byproduct resulting from
the immense task of remotely supporting and
administering a growing number of users and
machines while maintaining a reasonable
headcount. Goverlan offers its customers a
unique approach specifically designed to lower
the TCO of Microsoft Windows based networks by
increasing the productivity of your user support
teams as well as automating trouble shooting and
administrative tasks.
www.pjtec.com
3
Total Cost of Ownership / Return On Investment
    Cost Effective Licensing Goverlan is
licensed on a per user basis, not on a per node
basis. You need to purchase one license for each
administrator or support person utilizing
Goverlan. A single administrator can support an
unlimited number of users or machines. Our
licensing schema makes Goverlan one of the most
cost effective Remote Control solutions on the
market.
www.pjtec.com
4
Total Cost of Ownership / Return On Investment
    No costly installation / maintenance No
software agents need to be pre-installed on your
machines. As with all Remote Administration
products, a software agent must be installed on
remote machines. However, Goverlan Agents can be
installed and updated automatically by Goverlan.
You do not need to spend time and money in agent
deployment prior to using Goverlan. You can
also choose to use the available Goverlan Agents
installation package and dispatch it or include
it into a clone template. All configuration
settings can be distributed using Active
Directory Group Policies providing an effortless
integration into your environment. No database
back-end is required. Goverlan queries data
directly from the network, not from a central
database that can contain non-current data and is
costly to maintain. User/Machine problems are
quickly diagnosed and repaired real-time.
www.pjtec.com
5
Overview The Goverlan Remote Control product has
been adopted by large organizations throughout
the world as their enterprise wide remote control
solution. One reason for this is that Goverlan
Remote Control can be implemented effortlessly
and securely within the enterprise. Automatic
agent deployment / maintenance as well as global
configuration setting distribution allows you to
use Goverlan Remote Control from Day 1, without
requiring you to spend time and money on
implementation. Goverlan Remote Control is also
a favorite because of the end-user experience it
provides. Its intuitive interface is convenient
and pleasing, which is particularly important
when multiple remote control sessions are active.

• In this section
• Feature Offerings
• Ease of Implementation
• Security
• Authorization Protocol
• Client Side Settings
• Client Side Notifications
• Auditing
• Secure Communication Channels

www.pjtec.com
6
Organize your machines The Favorites panel
allows you to configure machine objects in order
to quickly access them whenever needed. Adding
machines to the Favorites list is very flexible.
You can configure domain machine accounts, import
machine names from a file or even use the
Goverlan IP Scanner to add machines from a
network segment. The Favorites panel is also
used to perform administrative tasks on a remote
machine. You can manage the client agents, view
remote session history logs, open a chat session
or send an instant message.
www.pjtec.com
7
Remote Control multiple machines
simultaneously Goverlan allows you to remote
control multiple machines simultaneously. When
doing so, each remote control session is nested
within it own tab in the workspace which can be
reorganized in many ways.
www.pjtec.com
8
Multi-monitor client support Remote controlling
a machine equipped with two or more monitors is
fully supported by Goverlan. A monitor selector
is automatically displayed in a non-intrusive
fashion allowing you to switch the focus from one
screen to another in real-time. There is no
limit on how many monitors Goverlan can support.

www.pjtec.com
9
Send Instant Messages It is sometimes necessary
to warn a user before you remote control their
machine. Goverlan provides a instant messaging
mechanism which allows you to display a text
message on the client's screen prior to or during
a remote control session.
www.pjtec.com
10
Chat with one or more users For two way
communication, use the Goverlan Chat feature. The
chat feature allows you to initiate a dialog with
one or more remote user.
www.pjtec.com
11
Wake On LAN Goverlan provides a Wake On LAN
feature which uses the Magic Packet technology
designed by AMD. The Magic Packet technology
is used to remotely wake up a sleeping or powered
off PC over the network.
www.pjtec.com
12
Ease of Implementation Automatic Agent
Installation Maintenance One major expense in
deploying a new remote control solution is the
pre-installation and maintenance of a software
agent on all machines. However, this is not a
concern with Goverlan Remote Control. Goverlan
Agents can be installed and maintained
automatically by Goverlan. When a remote
control session is initiated on a remote machine,
Goverlan first checks if the agents are already
installed. If they are not, Goverlan
automatically installs them over the network
(since the Goverlan Agents are less than 1MB in
size, this is a fairly swift operation). If the
agents are already present, Goverlan checks if
they are the appropriate version for a successful
connection and will update them if
necessary. Many of redundancy checks have been
added to this process so that if the agents are
corrupted or failing in any way, they are
re-installed. This results in very stable and
reliable connections.
www.pjtec.com
13

• Ease of Implementation Automatic Agent
  Installation Maintenance
• Even though the Goverlan Agent installation is
  automated, this process can be fully controlled
  by the administrator
• Goverlan can be configured to prompt for
  approval before installing or updating the
  Goverlan Agents on a remote machine.
• The Goverlan Agents can be pre-installed on
  large set of machines using a Scope Action
  (Goverlan Remote Administration Suite only).
• A Goverlan Agents installation package is
  available to pre-install the agents on your
  remote machine or to be included in a machine
  build template.
• A machine can be configured not to have Goverlan
  Agents installed on it or it can be set into a
  version-freeze mode so that the currently
  installed agents cannot be updated.

www.pjtec.com
14

• Ease of Implementation Automatic Client
  Settings Distribution
• In order to facilitate Goverlans implementation
  even further, all Goverlan client settings can be
  distributed globally.
• All Goverlan client settings are located in the
  registry of a machine which makes it easy to
  distribute them using a script or through an
  installation package. Goverlan also provides the
  following methods of distribution
• Using a Group Policy Object A Goverlan Group
  Policy Admin Template is available to be
  integrated in Active Directory. Every client
  setting, including the communication ports used
  by Goverlan, can be globally set using this
  template (Note Goverlan Remote Control client
  settings are described later in this
  presentation).

www.pjtec.com
15

• Ease of Implementation Automatic Client
  Settings Distribution
• Using a Scope Action You can also use the
  Goverlan Scope Action feature (Goverlan Remote
  Administration Suite only) to distribute the main
  remote control client settings real-time on your
  machines.

www.pjtec.com
16
Security Goverlan has been designed to be
flexible, reliable and powerful. However,
security has always been a foremost priority.
This section describes the various layers of
security implemented into the Goverlan Remote
Control product.
www.pjtec.com
17
Authorization Protocol A machine can be
configured to automatically approve or prompt for
the approval of a remote control session (see
Client Side Settings). However, before this
happens, Goverlan will first authenticate who
initiated the remote control session and then
approve it. By default, only members of the
local Administrators group are authorized to
initiate remote control sessions on a machine.
Any request from users who do not hold local
administrative privileges is rejected. However,
you can configure a machine or a set of machines
to authorize remote control sessions from
non-local admin users by creating a local group
named Goverlan Remote Control Admins. Any member
of this group will be authorized to initiate
remote control sessions on a machine, even if
they do not belong to the local Administrators
group. This group can either be created in the
local account database of a machine, in which
case it only applies to that machine, or it can
be created in a domain, in which case it applies
to all machines which belong to that domain. For
advanced configurations, you can also use a Group
Policy Object to populate that group with
different member sets on a per-site basis.
www.pjtec.com
18
Client Side Settings The Client Side Security
Settings is a set of options which control how a
remote control session should be approved and
which action should be taken once the remote
control session has ended. These settings can be
configured using the Goverlan Control Panel
Applet of a machine (only available once the
agents are installed), or can be distributed on
remote machines using a Group Policy Object or a
Goverlan Scope Action (see Easy Implementation in
this presentation). Note Only local
administrators are allowed to modify these
settings using the control panel applet.
www.pjtec.com
19
Client Side Settings For instance, you can
configure a machine to prompt the console user to
approve or reject a remote control session. When
a remote control session is initiated, and if a
console user is currently logged-in and the
machine is not in a locked state, a prompt is
displayed. If no user is currently logged-in or
if the machine is in a locked state, the remote
control session is accepted or rejected based on
current settings. If the remote user is the same
as the user initiating the remote control
session, the prompt is bypassed.
www.pjtec.com
20
Client Side Settings You can also configure
machines to display a post-remote control session
notification. When this option is enabled, a
Goverlan notification is displayed after the
remote control session has terminated. This
option is useful if Prompt for Approval is not
enabled and a user needs to be notified of remote
control sessions while he/she was away.
www.pjtec.com
21
Client Side Notifications During a remote
control session, a notification banner and task
bar icon are displayed on the remote controlled
machine. These notifications warn the console
user that the machine is currently being viewed
and operated by a remote user. Note Goverlan
is equipped with a Stealth Mode option which
disables all user side notifications. This option
is by default disabled and does not bypass
auditing.
www.pjtec.com
22
Auditing In order to ensure a secure
environment, Goverlan provides multiple auditing
mechanisms in order to monitor remote control
activities on a machine.

• Application Event Log
• Goverlan registers all remote control events in
  the Application Log as follows
• A remote control session has been requested but
  has not been authorized (Event ID 6501)
• Event Message A remote control session initiated
  by DOMAIN\UserID has been refused. DOMAIN\UserID
  is not a local administrator and has not been
  explicitly authorized to remote control the local
  computer.
•  
• A remote control session has started (Event ID
  6502)
• Event Message A new remote control session has
  been started by the remote user DOMAIN\UserID
  from computer DOMAIN\ComputerID - IP Address.
   The currently logged-in user is LocalUserID.  
•  
• A remote control session has ended (Event ID
  6505)
• Event Message The remote control session
  initiated by the remote user DOMAIN\UserID has
  ended.

www.pjtec.com
23
Auditing
Remote Control Session History Log Goverlan keeps
a log of every remote control session executed on
a local machine. This log can be viewed by using
the Goverlan Control Panel Applet of a machine or
it can be queried from the Favorites section of
the Goverlan Remote Control program.
You can also use a Goverlan Scope Action to
generate a report of the remote control session
history logs for a set of machines (Goverlan
Remote Administration Suite only).
www.pjtec.com
24
Secure Communication Channels If you are
considering to implement Goverlan in your
environment, you may need an understanding of the
Security Model used by Goverlan in order to
ensure that it will not create a security breach
on your network. The section describes how
Goverlan secures its communication during a
client / server connection.
www.pjtec.com
25
Secure Communication Channels The Goverlan
Agents use 3 TCP socket ports for communication
(by default 21157, 21158 and 21159). One port is
used by the Goverlan Service and the other two
are used by the Goverlan Remote Control server.
Of these three ports, only the Goverlan Service
port is always opened. The other two are only
opened during an active remote control session.
Every Goverlan client/server communication is
authenticated and encrypted by Goverlan. The
initial authentication handshake is processed
through Microsoft SSPI and the encryption is
done using the strongest available cipher common
on the client and server. This makes Goverlan
communication extremely secure and safe against
malicious hacking.
Security Service Provider Interface Allows
client and server to establish and maintain a
secure channel, providing confidentiality,
integrity, and authentication.
www.pjtec.com
26
Secure Communication Channels The SSPI level and
encryption type used for a Goverlan client /
server communication can be viewed using the
System Information window of a machine in the
Goverlan Management Console (Figure 1) or by
opening the Connection Statistics window of the
Goverlan Remote Control product (Figure 2).
Figure 2
Figure 1 (Goverlan Remote Administration only)
www.pjtec.com
27
need more power? Consider the Goverlan Remote
Administration Suite for a product comparison
chart click here.
www.pjtec.com