Remote Desktop allows you to support your users anywhere in the world on both desktops and mobile devices. It comes with dashboard-to-device and device-to-device capabilities, support for Windows Servers, Windows Desktops, Android, and macOS, secure connections with 2-Factor Authentication, and content sharing. Remote Desktop can be used stand-alone or with any other HEIMDAL product component, as part of our UEM solution (Unified Endpoint Management), to achieve remote support anytime, anywhere in the world.
1. Description
2. How does Remote Desktop work?
3. HEIMDAL Agent & HEIMDAL RD Viewer
4. Remote Desktop view
5. Remote Desktop settings
DESCRIPTION
Remote Desktop is a secure and reliable remote desktop application that allows you to support your customers or access unattended computers. It's affordable and it just works. You can configure your office computer for telework in less than a minute and you can securely access your office computer from home, or while you are on the go. Screen-sharing technology enables you to efficiently work remotely at any time, from anywhere in the world.
HOW DOES REMOTE DESKTOP WORK?
Remote Desktop allows you to remotely access and control computers to provide on-demand IT support in seamless agent-to-agent, dashboard-to-agent, and dashboard-to-no-agent (3rd party) communication options. As an IT professional or service provider, support employees, clients, and customers remotely directly from your HEIMDAL Dashboard, without the need for additional tools. Remote Desktop supports Windows OS (other operating systems could be supported in the future) and connects to a remote destination to allow you to troubleshoot users with maximum flexibility. Whether you’re at home, on the road, or in a different time zone, you can provide user support anytime, anywhere, and on any endpoint.
Port filtering
For Remote Desktop to work, you need to allow ports 80, 443, or 7615, and you can configure it to work with many external services such as NTP, SMTP, and LDAP. Larger organizations normally have a policy in place regarding the configuration of their firewalls or proxies. System administrators might want to open port 7615 only, to pass the Remote Desktop traffic through directly and keep filtering the rest. They can also configure a DNS name exception or an IP address exception. Regardless of the network configuration, HEIMDAL Remote Desktop will automatically try different approaches to find a working transport (detecting proxy settings, using WinINet, creating a tunnel, making use of the wildcard DNS, etc.).
In order for HEIMDAL Remote Desktop module to work, you need to make sure that 195.201.56.244 (heimdalrd.islonline.net) and 91.217.255.149 (*.islonline.net) are excluded in your Firewall and that the following paths are excluded from your Antivirus product: C:\Program Files (x86)\Heimdal\, %localappdata%\ISL Online Cache\, %programdata%\ISL Online Cache\.
When dealing with a proxy environment, the system/network administrator has to check whether an exception can be added. This does not mean disabling the proxy completely, only letting HEIMDAL Remote Desktop traffic go through directly while the rest is still filtered. If the proxy supports DNS name exceptions, allow direct outgoing TCP connections on port 7615 to *.islonline.net. A direct connection offers the best performance and minimum delays. In an ideal world of direct connections and flexible security policies, the story would end here. However, many customers sit behind corporate firewalls/proxies where only HTTP and HTTPS traffic is allowed (port 80 and/or 443), and their system/network administrators do not want to, or are not allowed to, add exceptions. We support that as well: our applications try to find a working transport even in those situations (detecting proxy settings, using WinINet, creating a tunnel, making use of the wildcard DNS, which helps with some proxies, etc.).
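The following PowerShell sketch is an added example, not HEIMDAL code. It checks which of the ports named above is reachable on a direct path and shows an outbound exception limited to port 7615 and the two listed addresses. The function names and the firewall rule name are assumptions made for this illustration; the host, IP addresses and ports are the ones given in this section.

```powershell
# Added example, not Heimdal code. Host, IPs and ports are the ones listed above;
# the function names and the rule name are made up for this sketch.
$RdHost  = 'heimdalrd.islonline.net'
$RdIPs   = '195.201.56.244', '91.217.255.149'
$RdPorts = 7615, 443, 80          # direct port first, then the HTTP(S) fallbacks

function Test-RdTransport {
    # Try each port in preference order and report which ones are reachable.
    param([string]$ComputerName = $RdHost, [int[]]$Ports = $RdPorts)
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port `
                 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port          = $port
            Reachable     = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
            # False means the name resolved to an address the rule below would not cover.
            KnownAddress  = ($RdIPs -contains "$($r.RemoteAddress)")
        }
    }
}

function Add-RdFirewallException {
    # Outbound allow rule limited to TCP 7615 and the two documented addresses,
    # so the exception does not open 7615 to every destination.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Heimdal RD direct (TCP 7615)')   # hypothetical name
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$RuleName' already exists"
        return
    }
    if ($PSCmdlet.ShouldProcess($RuleName, 'Create outbound allow rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
            -Protocol TCP -RemotePort 7615 -RemoteAddress $RdIPs | Out-Null
    }
}

$results = Test-RdTransport
$results | Format-Table -AutoSize
$best = $results | Where-Object Reachable | Select-Object -First 1
if ($best) { "Preferred working transport: TCP $($best.Port)" }
else       { Write-Warning "No direct route to $RdHost on 7615, 443 or 80" }
# Add-RdFirewallException -WhatIf    # preview the rule from an elevated prompt
```

Test-NetConnection opens a direct TCP connection and does not use the system proxy, so on a proxy-only network a failure on 80/443 here only shows that no direct path exists.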
RSA or ECDSA with Diffie-Hellman Key Exchange
A Remote Desktop session from your local computer to a remote computer is done through an initial TLS connection (Server Connection) that is established once the HEIMDAL Remote Desktop application confirms it is connecting to the remote destination. Once both endpoints (Operator and Client) have established a server connection, they use RSA keys to establish a standard connection between them. This is achieved by negotiating AES 256-bit symmetric encryption keys using the Diffie-Hellman cryptographic algorithm. If available, a direct connection will be established between the two endpoints, allowing the contents of the session to be sent directly from one endpoint to the other. The direct connection is created using keys from the Elliptic Curve Digital Signature Algorithm (ECDSA P-256) to negotiate AES 256-bit symmetric encryption keys, employing the Diffie-Hellman cryptographic algorithm. While the initial standard connection remains active, it now serves solely as a Control Channel, managing the session connectivity without containing any information about the content of the Remote Desktop Data Stream.
AES 256-Bit End-to-End Encryption
Regardless of the connection type (standard connection or direct connection), the content of the Remote Desktop Data Stream between the local and remote computer is transferred through a secure tunnel, protected by symmetrical AES 256-bit end-to-end encryption, to meet the highest security standards.
External Security Audits and Penetration Testing
Regular systematic security audits and narrowly focused penetration tests are crucial for each remote desktop software provider responsible for information security. They allow a company to remedy potential weaknesses and vulnerabilities identified. Independent security audits and penetration tests of the HEIMDAL Remote Desktop system are conducted on a regular basis and reveal that HEIMDAL is a trustworthy service providing a very high level of security.
Brute Force Intrusion Protection
A brute-force attack is a trial-and-error method that calculates every combination that could make up a password or decrypt an encrypted file. In a brute force attack, automated software is used to generate a large number of consecutive guesses until the correct one is found. HEIMDAL's Remote Desktop has configured rate limiting for login and connection attempts to prevent brute-force attacks by limiting the maximum number of failed login attempts for a user or for a specific address in a defined period.
Data Minimization
The data (session content) transferred between operators and clients during remote desktop sessions is NOT stored on the HEIMDAL servers. Servers will store the data listed in the Metadata table. HEIMDAL strives to handle and store only the minimal required data necessary for our service to operate and to provide our customers with session reports and history necessary for their business needs.
Remoting with Remote Desktop
Once the Remote Desktop module is enabled on a computer, the HEIMDAL RD Agent is installed to allow the incoming connections. To connect to another computer, you have to download and install the HEIMDAL RD Viewer app, which is used to connect from the outbound computer to the inbound computer. The app is automatically installed when your computer is assigned the Supporter role, or it can be downloaded from the HEIMDAL Dashboard -> Guide section -> Download and install tab. The HEIMDAL RD Viewer works only if you remote to another computer from the HEIMDAL Dashboard or from the HEIMDAL Agent (Supporter role required) and it does NOT work as a standalone tool.
The Remote Desktop module can be used in 3 ways:
A. Connecting remotely from the HEIMDAL Dashboard to any HEIMDAL Agent Enduser (with Remote Desktop enabled)
The HEIMDAL Dashboard administrator can connect to any of the computers that have the Remote Desktop module enabled by navigating to the Products -> Remote Desktop -> Remote Desktop view and clicking the Connect icon in the Actions column:
This will display a pop-up that notifies the user to continue to connect to the inbound computer or to get the HEIMDAL RD Viewer application downloaded and installed (if not present on the computer). If HEIMDAL RD Viewer is installed, the user can press the Yes button and the application will connect you to the selected computer. The end-user that you are connecting to needs to allow the remote session if the Unattended Remote Desktop session option is not enabled in the Group Policy applying to that computer. In case you are trying to connect remotely using the HEIMDAL Dashboard from a computer that already has the HEIMDAL Agent installed, you will need the Supporter role assigned to the current computer in order to be able to connect.
B. Connecting remotely from the HEIMDAL Agent (Supporter role needed) to any HEIMDAL Agent Enduser (with Remote Desktop enabled)
The HEIMDAL Dashboard administrator can assign the Supporter role to a hostname to allow any user on that specific computer to connect to any of the computers that are applying one or multiple Group Policies where the Supporter is assigned the Supporter role. Assigning/Unassigning the Supporter role is done by the HEIMDAL Dashboard administrator from the Products -> Remote Desktop -> Remote Desktop view by selecting the hostname and by selecting the actions from the dropdown menu:
Once a computer gets the Supporter role, any user on that computer can start a Remote Desktop session from the HEIMDAL Agent (using the right-click function -> Start RD Session on the Heimdal icon located in the System Tray).
Clicking the Connect button will start the HEIMDAL RD Viewer and will connect the user to the end-user. Remote Desktop allows you to invite one or more Supporters to the same remote session, but you can also transfer the remote session to another Supporter device. The Transfer URL column is used for the transfer, while the Invite URL column is used for the invite.
C. Connecting remotely from the HEIMDAL Dashboard/HEIMDAL Agent to an end-user (without the HEIMDAL Agent) using the invitation link
The HEIMDAL Dashboard administrator can connect remotely from the HEIMDAL Dashboard to any end-user that does not have the HEIMDAL Agent installed by pressing the Invite to remote session button from the Products -> Remote Desktop -> Remote Desktop view:
The Supporter can use the HEIMDAL Agent to remote to any end-user that does not have the HEIMDAL Agent installed by pressing the Invite button in the HEIMDAL Agent:
To allow the Supporter to send an invitation to a remote session, he needs to be allowed to do that in the HEIMDAL Dashboard -> Products -> Remote Desktop -> Remote Desktop by selecting the Supporter and by setting the Supporter role to Allow for Invite to remote sessions:
Using the invite functionality will run the HEIMDAL RD Viewer and will generate a session code for the end-user:
The next step is to press the Invite button and insert the email address of the end-user to send him the session code URL:
After receiving the invitation link, the end-user can click on the invitation link and download the HEIMDAL RD Client application that should allow the HEIMDAL Dashboard administrator to connect to the remote session. HEIMDAL RD Client does not require Administrator permissions to be run and works only with the session code provided by the HEIMDAL Dashboard administrator. Once the session has ended, the HEIMDAL RD Client will not work anymore.
For cases where the remote user cannot receive the email or link, they can download the Heimdal RD Client from the link below and type in the session code to start an RD connection with the supporter:
https://heimdalsecurity.com/remote-support
HEIMDAL Agent & HEIMDAL RD Viewer
The HEIMDAL Agent is used in the Agent-to-Agent scenario, where the Supporter can connect to any computer that is applying the same Group Policy as the Supporter or other Group Policies where the Supporter is assigned the Supporter role. The Remote Desktop view below displays a list of all the hostnames of the computers from all the Group Policies where the computer is assigned as a Supporter.
The HEIMDAL RD Viewer is used in every scenario where the administrator starts a remote session and connects to another computer within the company or outside the company. The HEIMDAL RD Viewer does not require the input of any login credentials or passwords because it is managed by the HEIMDAL Agent or by the HEIMDAL Dashboard.
The options on top of the HEIMDAL RD Viewer app allow you to perform different actions or to get additional information about the computer to which you are connected.
Remote Desktop recordings
Every remote session can be recorded manually (by the operator) by pressing the Record button in the HEIMDAL RD Viewer. After pressing the Record button, the HEIMDAL RD Viewer will ask you where to save the recording. Remote sessions can be recorded automatically (on the remote computer) by enabling Automatically record Remote Desktop sessions and made available in the HEIMDAL Dashboard (under Recordings view). The recordings are available only in the scenarios where the HEIMDAL Agent is involved (the Invite to remote session / non-Heimdal agent scenarios do not support recordings). Recordings are saved in the C:\ProgramData\Heimdal Security\RemoteDesktop\Recordings path as *.isr files and are archived and uploaded to the HEIMDAL storage, indefinitely (no storage size limit). The recordings are stored for 3 months. A recording can be played with the HEIMDAL Remote Desktop Player (available in the Guide -> Download and install section).
REMOTE DESKTOP view
The Remote Desktop view displays all the computers running on Windows OS that are visible in the Management -> Active Clients view. The collected information is placed in four views: Standard, History, and Recordings. On the top, you see a statistic regarding the number of Attended sessions and the number of Unattended sessions.
- Standard
This view displays a table with all the endpoints in your environment and the following details: Hostname, Username, Supporter, Non Agent Connections, IP Address, Version, Last Seen, and Actions.
The Filters button allows you to filter All entries, by Endpoint, by Supporter with invite permissions, or by Supporter without invite permissions.
- History
This view displays a table of all the remote sessions performed in your environment and the following details: From (Hostname), To (Hostname), To (Username), Session Duration, Start Time, and Session Type. The sessions displayed in this view are HEIMDAL Dashboard to HEIMDAL Agent, HEIMDAL Agent to HEIMDAL Agent and HEIMDAL Dashboard to the non-HEIMDAL end-user (with the available information).
This view refreshes and populates with new information every 24 hours.
- Recordings
This view displays a table of the recordings saved to the HEIMDAL storage and the following details: Recorded on (Hostname), Filename, Timestamp, Password, and Action.
The Show Only Supporters radio button allows you to filter only the hostnames that have been assigned the Supporter role. The Invite to remote session button allows the administrator to invite another user to a private remote session by sending a session code that the user can use to download the HEIMDAL RD Client and join the remote session. The Download CSV functionality allows you to generate and download a CSV report that includes all the information corresponding to each view.
REMOTE DESKTOP settings
By enabling the Remote Desktop, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
Remote Desktop - turn ON/OFF the Remote Desktop and allow Supporters from your organization to connect remotely to other computers;
Unattended Remote Desktop session - allows the Supporter to automatically connect remotely to any endpoint in your organization without needing the end user's approval. When connecting to an attended remote session, the end-user will get a pop-up to Accept or Reject the incoming connection;
Automatically record Remote Desktop sessions - allows the remote computer (applying this Group Policy) to record the remote session and makes it available to be downloaded from the HEIMDAL Dashboard.
The Supporters section displays a list of all devices & usernames that are assigned the Supporter role to be able to perform a remote session from within the HEIMDAL Agent on the computers applying the specified Group Policy/Group Policies. The bin button allows you to remove any Supporter from the Supporter list.
IMPORTANT
Recordings are stored for 3 months. The HEIMDAL RD Agent can be deployed through Infinity Management.