Remote Control
A key feature of N-able N-central is the ability to remotely control any managed device, regardless of the user's location on the Internet. Remote control in N-able N-central leverages the location of the N-able N-central server on the Internet and the outbound communications model provided by Agents and Probes.
Remote Control is available on N-able N-central servers with a Professional license.
N-able N-central uses the following methods to establish encrypted connections from the N-able N-central server to the remote control target device:
- MSP Connect and MSP Anywhere, a new remote management tool that replaces Direct Connect for devices upgraded with N-able N-central 2022.1 Agents.
- Other remote control types use connections established through either SSH (Secure Shell) or HTTPS (Hypertext Transfer Protocol, Secure).
In some circumstances, security scans performed on N-able N-central servers may report vulnerabilities related to SSH that are based on the reported SSH version string (as the SSH version string is a truncated, high-level value). It is strongly recommended that you confirm that any reported vulnerabilities are fixed in that build of OpenSSH before further investigating the issue.
No matter which of the three protocols is used, you will need a user name and password in order to access the remote device.
Take Control
Take Control sessions are protected by a proprietary communication protocol secured with AES using a 256-bit cipher, both when the session is established and for its duration. The key exchange is protected by SSL based on AES-CBC with TLS 1.2. All commands, including keyboard and mouse strokes, file transfers and clipboard information, are digitally signed.
Take Control does not have access to session content. All encryption is based on an end-to-end negotiation that does not intercept transferred information or decode the information in the gateway. Encryption keys are randomly generated for each session.
As an additional security measure, the client can configure an authentication method using a Master-Password or Windows Account and configure pre-authorization by the machine owner to launch the session.
Finally, all major features, including remote control, file transfer and chat conversations are logged in the Session details and can be video recorded.
The ports identified in the tables below must be accessible for Take Control (MSP Anywhere) remote control connections.
macOS uses TCP Mode only.
TCP Mode (Required)
If the agent has a direct TCP port configured, the same port must be open at the agent's firewall and be accessible by the viewer.
Port Number | Port Location | |||
---|---|---|---|---|
Take Control Viewer | Target Device | |||
Inbound | Outbound | Inbound | Outbound | |
Port 80 |
✓ | ✓ | ||
Port 443 |
✓ | ✓ | ||
Port 3377 (Take Control fails over to this port as an alternative connection method.) |
✓ | ✓ |
TCP Port usage in N-central is optional and used to directly connect a Technician's device to remote devices on the same local network instead of using the application's gateways (outside the local network) to broker the connection.
Note: When any associated Firewall rules are disabled or removed, direct connection becomes unavailable and all connections are routed externally, even when both devices are in the same local network.
The Attempt peer-to-peer connection first option is meant only for peer-to-peer connections with devices outside the local network. The option attempts to make a P2P UDP connection to the device. It has no impact on peer-to-peer connections with local network devices when traffic is allowed over TCP Port 5948. The option is not needed for remote control, but the port will always be used unless it is disabled in the agent configuration file. In the rare cases where the device is accessible on the Internet, it can also be used for P2P even when the devices are not within the same LAN.
When using Take Control, the N-able N-central server, remote endpoints, and devices running the Viewer (those devices that are used to establish the remote session) must be able to resolve and reach hosts with the following domain names:
- *.n-able.com
- sis.n-able.com
The following domain also needs to be resolved for update downloads:
- swi-rc.cdn-sw.net
IP addresses in the range 38.71.16.x are used to download product updates.
When using MSP Anywhere, the N-able N-central server must be able to resolve the following domain names:
- *.beanywhere.com
- mspa.n-able.com
- *.pubnub.com
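An added example (not N-able code): a check that a proxy or firewall FQDN allowlist covers the host names listed above. The feature labels, the sample allowlist and the wildcard semantics (a `*.` entry matches any subdomain but not the apex, which varies by product) are assumptions of this example.

```python
# Host names listed on this page; the dictionary keys are labels chosen here.
REQUIRED = {
    "take_control": ["*.n-able.com", "sis.n-able.com", "swi-rc.cdn-sw.net"],
    "msp_anywhere": ["*.beanywhere.com", "mspa.n-able.com", "*.pubnub.com"],
}

def covers(allowed, required):
    """True if allowlist entry `allowed` permits every host named by `required`."""
    a = allowed.lower().rstrip(".")
    r = required.lower().rstrip(".")
    if a == r:
        return True
    if not a.startswith("*."):
        return False  # an exact entry never covers a wildcard or another host
    base = r[2:] if r.startswith("*.") else r
    # Compare against ".suffix" so that "*.n-able.com" matches only on a
    # label boundary and not a look-alike such as "example-n-able.com".
    return base.endswith(a[1:])

def missing(allowlist, feature):
    """Requirements for `feature` that no allowlist entry covers."""
    return [req for req in REQUIRED[feature]
            if not any(covers(entry, req) for entry in allowlist)]

# Constructed sample allowlist (not from the page): exact hosts were added,
# but two of the wildcard requirements were not.
SAMPLE = ["sis.n-able.com", "mspa.n-able.com", "swi-rc.cdn-sw.net",
          "*.beanywhere.com", "pubnub.com"]

if __name__ == "__main__":
    for feature in REQUIRED:
        print(feature, "missing:", missing(SAMPLE, feature) or "nothing")
```
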
UDP Mode (Optional)
Take Control can use the UDP transmission model to connect to devices in addition to TCP.
Initially, the Take Control viewer requires access to port 1234. After the system administrator modifies the firewall to enable the identified IP addresses to communicate with the server, the ports can be random.
Port Number | Port Location | |||
---|---|---|---|---|
Take Control Viewer | Target Device | |||
Inbound | Outbound | Inbound | Outbound | |
Port 1234 |
✓ | ✓ | ||
Port 1235 |
✓ | ✓ |
- BASupApp.exe
- BASupTSHelper.exe
- agent.exe
- AgentMaint.exe
- NCentralRDViewer.exe
- BASEClient.exe
Remote Desktop
With N-able N-central 2020.1, Remote Desktop uses a Custom Protocol Handler (CPH) to facilitate the connection to an RDP session. When launching an RDP session, N-able N-central will verify if the CPH application is installed on the host device. If CPH is not present on the system, you are prompted to download and install the application.
The handler will attempt to use a tunnel over SSH for the connection before failing over to HTTPS (443) to establish the connection. The CPH launcher opens a listening port randomly selected by N-central to start the RDP client.
No CPH for Mac and Linux
Mac and Linux devices still use the Java implementation for Remote Desktop. SSH and Webpage require Java to run.
Other Remote Control Connections
For remote control types other than Take Control, the first protocol attempted will be an SSH tunnel (TCP on port 22 to N-central). Should the SSH connection attempt fail, the requesting user and the target system will again attempt to connect to each other through the N-able N-central server using HTTPS on port 443.
Port Number | Port Location | |||
---|---|---|---|---|
N-able N-central Server | Target Device | |||
Inbound | Outbound | Inbound | Outbound | |
Port 22 |
✓ | ✓ | ✓ | |
Port 443 |
✓ | ✓ | ✓ |
After the requesting user and the target system are connected, the remote control tools can then communicate over this encrypted connection as if they were located on the same network subnet. Since the remote control sessions originate outbound from the user’s system, as well as from the device to be remotely controlled, there is no requirement for a public IP address, or inbound port forward for this remote control tool to work.
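An added example (not N-able code): a probe that follows the SSH-then-HTTPS order described above from a given network and records why each attempt failed. The `connect` parameter and the command-line host name are assumptions of this example, and a successful TCP connect shows reachability only, not authentication.

```python
import socket

# Order stated on this page: SSH tunnel on TCP 22 first, then HTTPS on TCP 443.
FALLBACK_ORDER = (("ssh", 22), ("https", 443))

def classify(exc):
    """Map a connection error to what it usually indicates on the path."""
    if isinstance(exc, socket.timeout):
        return "timeout (packets likely dropped by a firewall)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused (port closed or actively rejected)"
    if isinstance(exc, socket.gaierror):
        return "DNS resolution failed"
    return f"error ({exc})"

def probe(server, connect=socket.create_connection, timeout=5.0):
    """Try each transport in order; return (chosen_transport, attempts)."""
    attempts = []
    for name, port in FALLBACK_ORDER:
        try:
            with connect((server, port), timeout) as sock:
                # An SSH server sends its "SSH-..." identification string first
                # (RFC 4253); anything else on port 22 is not an SSH endpoint.
                if name == "ssh" and not sock.recv(255).startswith(b"SSH-"):
                    raise ConnectionError("no SSH banner")
        except OSError as exc:
            attempts.append((name, port, classify(exc)))
            continue
        attempts.append((name, port, "connected"))
        return name, attempts
    return None, attempts  # neither transport is reachable from this network

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # host name of your own N-central server
        chosen, log = probe(sys.argv[1])
        for entry in log:
            print(*entry)
        print("remote control would use:", chosen or "nothing reachable")
```
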
In the diagrams below, the "SSH Tunnel*" notation indicates the first protocol attempted will be an SSH tunnel (TCP on port 22).
Remote control in N-able N-central uses several layers of security. The outbound request model ensures that there are no inbound ports required.
Data passed through SSH connections is encrypted using 128-bit AES-based encryption keys.
Data passed through HTTPS connections uses the HTTP (Hypertext Transfer Protocol) in combination with SSL (Secure Socket Layer) and TLS (Transport Layer Security). SSL and TLS are cryptographic protocols that provide secure communications on the Internet. HTTPS is designed for secure encrypted communication between different devices as well as secure identification and authentication of the remote device.