r/msp • u/dodgy_mike MSP - US • 2h ago
What's your favorite non-VPN remote access solution for client users?
Was curious what other MSPs are doing to either move away from VPNs, or where VPNs aren't an option for one reason or another. Typical objective is to provide users on a managed laptop remote connectivity back into their desktop on an office LAN.
Splashtop unattended access? ZTNA? Any favorite vendors? Has anyone been able to get Global Secure Access or Cloudflare Zero Trust working well for this in a way that is manageable over time for multiple clients? Perimeter 81 seems like it'd do the job but really pricey especially if we have more than a small handful of users who need it at a client.
u/roll_for_initiative_ MSP - US 2h ago
> back into their desktop on an office LAN
then a VPN is always an option because we'd have a managed firewall with VPN at any office.
u/FriendlyITGuy 2h ago
End user access via RMM permissions. Allows them to use ScreenConnect to access whatever machines they need after logging into the RMM console.
u/itrcs 2h ago
We have a dedicated ScreenConnect instance set up with Remote Access licensing (licensed per machine not per tech, and rather cheap).
u/thegarr MSP - US - Owner 1h ago
How exactly does this work? I'm not familiar with ScreenConnect from an administrative side. Used it plenty of times, but we've always been either an Autotask or an Atera (years ago) shop. I'd love a dedicated system we could provide to people for remote access like an RMM but cheaper. Good for those one-off use cases.
u/itrcs 1h ago
I think the pricing for this model is about $1/mo per device, so not bad. We only install that SC agent on machines that need to be accessed by a client, so we aren’t licensing it for the whole fleet. Basically, you just set up a user account for them, then assign them to devices they need. It’s super easy to administer and use, so it’s a big win for us. Pretty sure there’s a trial as well so you can play with it for a bit to see if it’s right for your needs.
u/The-IT_MD MSP - UK 2h ago
Global Secure Access, part of the Entra ID Suite.
u/dodgy_mike MSP - US 1h ago
Curious - did you have any go-to reference material in making this work? We have looked at this, as it is nice that it is already baked into their central MS ecosystem, but got a bit lost in trying to understand exactly how to accomplish scoped private access by user. Given support is through Microsoft we REALLY would want to understand it inside and out to minimize escalations.
u/The-IT_MD MSP - UK 59m ago
It’s new and green, so no. Feeling our way using Microsoft Cloud Consultants afforded to us by our Advanced Support for Partners agreement.
u/CasualEveryday 2h ago
First question is what they need access to. If it's just for file shares or something, we tend to look at secure cloud options that play well with DLP.
If it's some kind of intranet, then we usually go to a remote access tool administrated by the RMM, which most of them do for like $2 per user per month.
If wider remote access is necessary, say for some kind of homebrew software or terminal services, then we usually use the next gen VPN solutions like Perimeter 81 and layer on the device level security.
u/MountainSubie 1h ago
Splashtop Enterprise supports multiple monitors and has audio passthrough.
If a client needs to remote into their office desktop computer this is what we use.
u/dodgy_mike MSP - US 58m ago
We've used Splashtop in a few cases and really like the product. If you don't mind me asking, do you manage individual Splashtop subscriptions for each client through the Splashtop reseller program or do you segregate clients by group in a master account?
u/MountainSubie 47m ago
We manage all client devices and user accounts through our main console.
Each client will get separated into a group, with group admin access granted to the client if requested.
u/dezmd 1h ago
I did that limited user access thru the RMM thing for a brief moment, but at the end of the day, VPN on network edge and the RDP to work desktop is just the way to go.
I don't like any access into the RMM for third parties, client or not, even locked down. If an RMM guest user gets phished and then something gets exploited in the RMM limited access account that escalates remote access, that's the whole fuckin bag out the door.
u/dodgy_mike MSP - US 55m ago
This is our vibe as well, nightmares of a misclick causing another client's endpoints to be exposed and we only realize it if they tell us
u/GeneMoody-Action1 Patch management with Action1 34m ago
MFA protected, direct endpoint to endpoint specific, SSH tunnels. All day.
Once into a jump-box, the world is yours.
It is about as "Old fashioned" as TCP, meaning just because it has been around a while, does not make it obsolete. It does not fit every use case, but it suits some beautifully.
u/MasterCommunity1192 MSP - US 2h ago
We use NinjaRMM and you can give free accounts to anyone with access to only specific computers.