Managing desktop clients and supporting end users can be an expensive proposition in PC-based networks. Microsoft apparently heeded the cry of corporate America and has attempted to relieve this financial burden through improved features in Windows XP. In addition to delivering many features designed to benefit Help desk personnel and systems administrators as well as end users, XP removes the necessity of purchasing some expensive add-on solutions that previous Windows products have required. Let's take a look at how XP's new Help and support features—particularly the new Remote Assistance feature—can benefit you in your network environment.
The Help and Support Center
XP's most prominent Help and support feature, accessible from the Start menu, is the Help and Support Center, which Figure 1, page 36, shows. Microsoft designed the Help and Support Center to hold in one centralized location all the Help and support tools (e.g., how-to guides, a searchable Help database, system-maintenance and diagnostic tasks, remote control features) that a user might need to access. The window groups tools and topics under five headings.
- Search. This keyword search lets you type in a topic that you want to learn about.
- Pick a Help topic. This section provides a list of general Help topics. For example, you can learn about what's new in XP, basic system use, networking, remote system operation, printing, and security. This topic also incorporates access to Microsoft's Knowledge Base.
- Ask for assistance. This option gives you a link from which to launch XP's Remote Assistance feature. You can also access the Microsoft Product Support Services (PSS) Web site and XP-related newsgroups.
- Pick a task. This option provides links from which you can launch important support-related tasks. For example, you can access the Windows Update feature (with which you can update the OS with patches, updates, and up-to-date versions of accessories, drivers, and other software), searchable hardware-compatibility and software-compatibility databases, XP's System Restore feature, and diagnostic tools. The Tools option provides a comprehensive menu of links to various system-maintenance, diagnostic, and information tools, including utilities related to disk administration, network diagnostics, remote assistance, system backup, Group Policy, services, and event logs. You can even access optional tools, such as the XP CD-ROM's Support Tools and the Microsoft Windows XP Resource Kit's utilities.
- Did you know? This dynamic menu contains links to common support topics and XP-related FAQs. On Internet-connected computers, XP automatically updates this section with data from the PSS Web site.
The Help and Support Center isn't the only home to these important information resources, support utilities, and links. You can, for example, execute many of the Help and Support Center tools as standalone programs, wizards, and Microsoft Management Console (MMC) snap-ins. But the ability to access all the tools and resources from a central location is extremely convenient. Administrators and Help desk staffers can now easily instruct users where to find essential system information and how to run various system utilities.
Introducing Remote Assistance
The lack of built-in remote support tools in previous Windows OSs has been a source of frustration for many systems administrators. Because Windows is a GUI-based system, the ability to properly support remote desktops and servers often requires direct access to—and control of—a remote system's desktop. To fill the gap, many IT departments implement third-party remote control solutions, such as Symantec's pcAnywhere32, Computer Associates' (CA's) ControlIT, and AT&T Laboratories Cambridge's freeware Virtual Network Computing (VNC) utility. Depending on the chosen tool and the number of involved systems, these solutions can be extremely pricey. In XP, Microsoft has incorporated remote control features—including a support-oriented interface replete with invitation-and-acceptance mechanisms and a handy chat feature—directly into the OS.
If you've ever used Windows 2000 Server Terminal Services or Windows NT Server 4.0, Terminal Server Edition, you understand the convenience of built-in remote control features. Think of Remote Assistance as terminal services for XP desktops, with additional support-oriented features. For example, you can configure Remote Assistance so that XP notifies the assisted user about the incoming connection and prompts the user for authorization. You can also choose between view-only and view-and-control capabilities on the host system.
Microsoft has implemented a "Help desk request system" paradigm for the Remote Assistance feature. Users generate a Help desk request in the form of a request ticket, which the system delivers through email or Windows Messenger to support personnel. A support person opens the ticket, which contains the authentication information necessary to connect to the requesting user's system, then connects to the remote system and launches a Remote Assistance session. In Remote Assistance parlance, the user requesting help is called a Novice—a potentially demeaning term to advanced users who might need assistance. The user who provides the help is called an Expert.
Terms and Conditions
To achieve a successful Remote Assistance connection, you must meet several criteria. First, the two participating machines must run XP or Windows .NET Server. This requirement poses a potential problem for users of previous Windows OS products (e.g., Win2K, Windows Me, Windows 9x) who are attempting to provide or receive Remote Assistance support. Note, however, that administrators might be able to use Remote Desktop—another terminal services—based XP remote control feature—to connect to the user's system. (For information about Remote Desktop, see the sidebar "What's Remote Desktop?")
Second, the two machines must be physically connected over a network, such as a corporate LAN or the Internet. If an Internet-based connection is involved, the Novice must ensure that local firewalls are configured to pass RDP traffic (TCP port 3389) to his or her system. (If the Novice is using XP's built-in Internet Connection Firewall—ICF—no configuration is necessary because ICF automatically opens a hole for Remote Assistance requests.) In addition, if the Novice is running XP Home Edition, he or she must be logged on as an Owner account.
Configuring Remote Assistance
Before a Remote Assistance session can take place, you or the Novice must configure the Novice's system so that it can solicit Remote Assistance. To enable Remote Assistance, go to the Control Panel System applet's Remote tab, which Figure 2 shows, and select the Allow Remote Assistance invitations to be sent from this computer check box. Alternatively, you can use the registry or Group Policy to enable the Novice's system for Remote Assistance operation.
Both the Novice (by soliciting) and the Expert (by offering) have the power to establish a Remote Assistance connection. A Novice who solicits assistance from an Expert must go through the following steps.
- Using the Help and Support Center's Invite a friend to connect to your computer with Remote Assistance option, the Novice initiates a Remote Assistance request.
- The Novice chooses how to request remote assistance from the Expert—through Windows Messenger, through a Messaging API (MAPI)—compliant email program (e.g., Microsoft Outlook or Outlook Express), or by saving the request as a file and sending it to the Expert through other means. In the case of Windows Messenger, both parties must be signed in, in which case the Novice will be able to select the Expert's name in the display window as the intended target of the Remote Assistance support request. (One common misconception is that users must sign in to Microsoft's MSN Network to use Windows Messenger. In fact, you can just as easily configure your users' copies of Windows Messenger to sign in to an internal corporate Internet Locator Service—ILS—or Microsoft Exchange 2000 Server.) The Novice also sets other options for the request, such as the maximum length of time for which the Remote Assistance request will be valid (in minutes, hours, or days) and the password that's required to establish the connection.
- The Expert receives the Novice's request and establishes the connection. (Figure 3 shows a sample Remote Assistance Invitation.)
An Expert can also offer remote assistance to a Novice. This scenario has an additional requirement: The two participating systems must be members of the same domain or members of domains that trust each other. Thus, this scenario will probably be appropriate only in situations that involve corporate LANs—not for most home users.
If the Novice user is on a corporate LAN and Active Directory (AD) is present, Group Policy is the best way to configure Remote Assistance settings. Using Group Policy lets you easily create default configurations for various groups of users and assign them through AD. You can use Group Policy to configure settings such as whether Remote Assistance is enabled or disabled, whether users can solicit or offer Remote Assistance, and which Experts (e.g., users, groups) can connect to which systems. If you use Group Policy, be sure to thoroughly test the policies before you make them live—particularly the settings that control which Experts are permitted to provide assistance. (Mistyping this information is an easy mistake to make, and granting Remote Assistance capabilities to the wrong users has obvious security implications.) For detailed information about Remote Assistance—related Group Policy settings, see the Microsoft articles "HOW TO: Configure a Computer to Receive Remote Assistance Offers in Windows XP" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q301527) and "HOW TO: Configure or Disable Solicited Remote Assistance in Windows XP" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q306496).
Underpinnings, NAT, and UPnP
Although Remote Assistance's GUI experience is simple and straightforward, several behind-the-scenes activities are worth mentioning. When the Novice creates a request ticket, Remote Assistance enables a special user account called HelpAssistant. (This account is disabled by default.) The creation of the request ticket also causes Remote Assistance to create a table entry that contains all the request's pertinent details. Next, Remote Assistance collects information about the Novice's computer for the request ticket file. This XML file, which has an .msrcincident extension, contains information that permits the Expert to connect to the Novice's system. This information includes time to expiration, logon credentials, and the system's IP address.
These behind-the-scenes activities occur smoothly if the client has a routable (nonprivate) IP address and if no firewalls block TCP port 3389, which Remote Assistance RDP traffic requires. However, if the Novice, the Expert, or both parties reside behind a Network Address Translation (NAT)—enabled router or firewall, things get interesting and potentially ugly. In such a scenario, the involved machines' IP addresses are private, Internet-inaccessible addresses hidden behind the firewall. Whether this inaccessibility is problematic depends on several factors, including the specific NAT product involved. In the Microsoft article "Supported Connection Scenarios for Remote Assistance" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q301529), which describes supported and unsupported scenarios that involve various NAT products, the company seems to claim that most NAT scenarios will work. However, in my experience, most NAT scenarios don't work.
A possible workaround exists: You might be able to avoid NAT problems by having the Expert edit the received .msrcincident file. This file's RCTICKETENCRYPTED= line contains a list of all IP addresses present on the Novice computer when the Remote Assistance invitation was created, in the format IP address:port (e.g., 22.214.171.124:3389). By replacing private addresses with the NAT firewall's or NAT router's externally accessible address, you might be able to get Remote Assistance to work.
During the development of Remote Assistance, Microsoft considered the problems that NAT posed, and the company's response was to provide support for Universal Plug and Play (UPnP). To facilitate dynamic connections between NAT-protected hosts, UPnP permits the automatic discovery of network devices and IP address assignments on the LAN. (For more information about the UPnP standard, go to the UPnP Forum at http://www.upnp.org.) In Remote Assistance's case, UPnP permits the passage of necessary information about the future Remote Assistance connection (e.g., the required incoming TCP port number, the Novice system's IP address, the duration of the request's validity) to the UPnP-enabled router.
Although UPnP theoretically solves the problem of NAT firewalls and routers, the standard isn't in widespread use. As of this writing, only a handful of router and firewall manufacturers are shipping NAT-enabled products that offer UPnP support. (XP's built-in Internet Connection Sharing feature and D-Link Systems' DI-714 and DI-804 routers are a few exceptions that do provide UPnP support.) Although more vendors will probably offer such support in the coming months, the usefulness of Remote Assistance currently is limited. And that's unfortunate: Today, NAT-enabled LANs are the norm.
System Restore is another important tool—from the perspective of both the user and the Help desk—that you'll find in XP's Help and Support Center. System Restore provides a feature that many of us have longed for—a tool that can automatically or manually take a snapshot (aka Restore Point) of the system configuration at a particular point in time and later restore that snapshot in the event of problems. Although third-party tools offering similar functionality have been available for a while (e.g., imagine LAN's ConfigSafe and RegSafe, Roxio's GoBack), purchasing and installing a third-party solution on all your desktops can mean significant licensing and support costs.
A little-known but handy support tool that can help you diagnose System Restore problems is System Restore Diagnostics (srdiag.exe). This tool collects all information (e.g., log files) related to a system's System Restore operations and assembles them into one .cab file, from which you can extract and view pertinent data or pass information to an IT or Microsoft support technician. For more information about srdiag.exe, see the Microsoft article "System Restore: Description and Functionality of Srdiag.exe" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q302343).
Streamline Your Help Desk
Microsoft has made great strides toward a comprehensive set of Help desk support tools and a better support experience for end users in XP. However, because of some feature limitations, performance problems, and outright bugs that hinder the usefulness of several of these support features, many organizations might still need to purchase additional tools to effectively manage their XP desktops. Taken as a whole, however, these new tools offer compelling reasons to migrate your network workstations to XP. Incorporating these features into your IT management scheme is a task that's well worth your while.