Remote Session

Introduction to Remote Session

The Remote Session feature in LogicMonitor provides a secure way to remotely access and operate on devices from within your LogicMonitor portal. Remote sessions are enabled via the use of Apache Guacamole, a clientless remote desktop gateway that requires no plugins or client software.

The remote session protocols available for establishing a communication stream between your account and the Collector monitoring your device are RDP, SSH, VNC, and Telnet. The protocol must be configured for the device endpoint before a remote session connection can be established. Remote sessions take place via a secure SSL connection where supported by the protocol (Telnet is not encrypted).

Initiating a Remote Session

To initiate a remote session:

  1. From the Resources tree, select the device you wish to access and, from its detail view, click the "Manage" arrow and select "Remote Session" and the desired protocol from the subsequent dropdown menus.

    Any protocol can be used if properly configured on the device, but typically RDP is used for Windows devices and SSH for non-Windows/Linux devices.

  2. Note: Collector version EA28.600 or higher is required to use VNC and Telnet. If an earlier Collector version is in use, these protocol selections will be disabled and a message to that effect will be displayed upon mouse-over.

  3. A new browser window opens, prompting you to enter the account and password for your device.

    Note: LogicMonitor does NOT currently support SSH key authentication or Network Level Authentication on Windows.

  4. Once the remote session is initiated, press Control+Alt+Shift to open the Apache Guacamole clipboard for copy-and-paste functionality or directly input new command lines.

    Note: Some platforms are not supported by the Apache Guacamole clipboard copy-and-paste feature, as discussed in the Apache Guacamole Frequently Asked Questions.

Remote Session Device Properties

LogicMonitor supports several Remote Session protocol properties that you can use to override default connection behavior.

| Remote Session Protocol | Property Name | Default Value | Req'd? | Description |
| --- | --- | --- | --- | --- |
| SSH | remotesession.ssh.port | 22 | no | Populate to override default SSH port value. |
| RDP | remotesession.rdp.port | 3389 | no | Populate to override default RDP port value. |
| Telnet | remotesession.telnet.port | 23 | no | Populate to override default Telnet port value. |
| VNC | remotesession.vnc.port | 5900 | no | Populate to override default VNC port value. (Default is 5900 or 5900 + display number. If the VNC server is serving display number 1 (sometimes written as :1), your port number here would be 5901.) |
| RDP and SSH (deprecated) | remotesession.port=[portnumber] | Values set for SSH or RDP ports using one of the properties listed above will override the value set for this property | no | This property is deprecated, but still supported. It carries the port number required to RDP/SSH into the device (typically only used if a non-standard port is required). If you are setting up Remote Session for the first time, use the above SSH and RDP port properties. |
| RDP and SSH (deprecated) | remotesession.protocol=[RDP or SSH] | n/a | no | Previously used to indicate the protocol (RDP or SSH) for the device (rather than allowing LogicMonitor to automatically determine protocol based on device type), but with the addition of new protocols and the ability to manually select preferred protocol upon remote session initiation, this property is fully deprecated and no longer used. |

For more information on adding/updating properties for a device, see Device Properties.
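
The port-selection rules in the table above can be written as a small resolver that also flags deprecated properties and explicitly configured Telnet, which is useful when reviewing firewall rules between a Collector and its devices. This is an added example, not LogicMonitor code; the function names and the sample property map are hypothetical, and property values are assumed to be strings.

```python
DEFAULT_PORTS = {"ssh": 22, "rdp": 3389, "telnet": 23, "vnc": 5900}
DEPRECATED_PORT = "remotesession.port"          # still honoured, RDP/SSH only
DEPRECATED_PROTOCOL = "remotesession.protocol"  # fully deprecated, ignored
SAMPLE = {  # constructed device properties, not taken from a real portal
    "remotesession.ssh.port": "2222", "remotesession.port": "8022",
    "remotesession.protocol": "SSH", "remotesession.telnet.port": "2323",
}

def _port(name, raw):
    """Parse a property value into a valid TCP port or raise ValueError."""
    try:
        port = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"{name}: not a number: {raw!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"{name}: out of range: {port}")
    return port

def resolve_port(protocol, props):
    """Return (port, source) where source is a property name or 'default'."""
    proto = protocol.lower()
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol: {protocol}")
    candidates = [f"remotesession.{proto}.port"]   # protocol-specific wins
    if proto in ("rdp", "ssh"):
        candidates.append(DEPRECATED_PORT)          # deprecated fallback
    for name in candidates:
        if str(props.get(name, "")).strip():
            return _port(name, props[name]), name
    return DEFAULT_PORTS[proto], "default"

def vnc_port_for_display(display):
    """VNC display N (also written :N) listens on 5900 + N."""
    return DEFAULT_PORTS["vnc"] + int(str(display).lstrip(":"))

def audit(props):
    """List findings for one device's Remote Session properties."""
    findings = []
    for proto in DEFAULT_PORTS:
        port, source = resolve_port(proto, props)
        if source == DEPRECATED_PORT:
            findings.append(f"{proto}: port {port} taken from deprecated {source}")
        if proto == "telnet" and source != "default":
            findings.append(f"telnet: port {port} configured, session is unencrypted")
    if DEPRECATED_PROTOCOL in props:
        findings.append(f"{DEPRECATED_PROTOCOL} is set but no longer used")
    return findings
```

Calling `audit(SAMPLE)` reports the RDP port inherited from the deprecated property, the configured Telnet port, and the unused protocol property, while the SSH port resolves to the protocol-specific value.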

Access Controls

Remote sessions do not change the underlying authentication and access control of the device operating system, but they do allow access to the device in situations where it may not otherwise be possible. For this reason, LogicMonitor has several controls in place that serve to limit access to the Remote Session feature on a global or more granular basis:

  • Account-wide control. Remote Session can be disabled on an account-wide basis from LogicMonitor's account settings. For more information, see About the Account Information Page.
  • Per-Collector control. Remote Session can be disabled on a per-Collector basis, effectively disabling the feature for all devices assigned to that Collector. This is accomplished by manually updating the remotesession.disable setting found in the Collector's configuration file to "true". For more information on editing a Collector's configurations, see Editing the Collector Config Files.
  • Role-based access control. Remote Session is defined as a separate user privilege. As discussed in Roles, a role can be given the ability to initiate remote sessions on all devices, those in a specific group, or no devices at all.

Requirements and Limitations

Please note the following requirements/limitations:

  • The protocol used to initiate a session must be enabled on the device to which you are attempting to connect.
  • The remote session connection will not work if "RDP Security Layer" is enabled for Windows Server 2008's Remote Desktop.
  • If working with non-Windows or Linux devices (e.g. Cisco controllers), you will most likely use SSH to establish communication. However, you may need to manually do one of the following to ensure a proper connection:
    • Ensure default SSH configurations are in place
    • Enable username/password access for SSH on the device
  • Make sure that the IPs used by the relay server are whitelisted. See LogicMonitor Public IP Addresses and DNS Names for a complete list.
  • The VNC and Telnet protocols are recent additions to the supported protocols for Remote Session. These protocols require Collector version EA28.600 or higher in order to be available for selection.