
Enterprise Overview

This overview covers common questions and requirements when using SimpleHelp in Enterprise scale environments.

User Authentication and Permissions

In Enterprise environments it is important to keep management of users centralised and simplified as far as possible. For this reason, SimpleHelp supports:

  • LDAP / ActiveDirectory authentication, both of specific Technician Accounts and of users without a corresponding SimpleHelp technician account, defined only within LDAP / AD
  • RADIUS authentication
  • Two Tier email based authentication
  • TOTP support
  • Restriction of user permissions and rights based on membership in LDAP / ActiveDirectory

All of the above are covered in the Administrator Guide under Technician Groups.

Technician Groups

To allow group logins without a corresponding SimpleHelp Technician account you should check the option Allow group authenticated logins when configuring your Technician Group. You can also restrict the group to a particular OU or other LDAP/ActiveDirectory section by configuring the LDAP authentication search filter. This will allow LDAP/AD users to log in without a SimpleHelp technician account, and they will be assigned whatever permissions you set for that Technician Group.

Security

SimpleHelp strongly encrypts all communications using industry-standard, tried-and-tested algorithms and techniques, regardless of which transport protocol is used for encapsulation. Our Security Guide has a more in-depth explanation.

Regional SimpleHelp servers

If your organisation wishes to run multiple SimpleHelp servers by region, and have technicians access multiple servers, this can be achieved very easily.

The technician can simply download the online executable from each server they have access to, and rename it or create a shortcut to it. When they run each respective executable or shortcut, the technician app will launch the appropriate version for the target server and will connect to the server it was downloaded from.

This allows technicians to access any number of SimpleHelp servers with just one base Technician client installation.

License Servers

SimpleHelp supports the use of multiple redundant license servers. In this case your master license is installed on one SimpleHelp server (potentially a dedicated server) and peer connections are created to your other SimpleHelp servers. Your license server can then allocate licenses to your other servers as necessary.

For more detailed information on license servers please see our Enterprise User Guide.

Redundancy and High Availability Failover

Remote access services can comfortably share with more than one SimpleHelp server. This allows you to run a backup SimpleHelp server and have all your Remote Access Services accessible from both at all times.

High availability failover for other SimpleHelp applications (technician client, customer client) is available where a separate web server is used to direct apps towards a live SimpleHelp server. This allows the specification of any number of redundant SimpleHelp servers and allows you to switch live to any secondary or tertiary redundant SimpleHelp server.

Technicians in sessions or in the technician app are notified within a matter of seconds that the switch is required. They may allow it immediately or delay the switch to finish important work uninterrupted, subject to restrictions set in the centralised failover configuration.

For more detailed information on redundancy and high availability failover please see our Enterprise User Guide.

Condensers and Network Segmentation (IEC 62443)

A single SimpleHelp server is capable of supporting thousands of sessions and many hundreds of thousands of Remote Access Services.

The number of Remote Access Services that can be shared is largely limited by the I/O scalability of the server.

Sharing Remote Access Services over UDP provides a simple and efficient way to add a large number of connected machines to your SimpleHelp server. However, some customers require the use of HTTP or HTTPS for sharing. (Note: SimpleHelp secures all communications, including over UDP and HTTP, but network and customer policies may dictate the use of HTTPS.)

Where HTTP(S) is used to share remote services with the SimpleHelp server the scalability will typically be limited by the number of TCP or SSL connections your server can maintain. Often this may be in the low thousands, and we typically wouldn't recommend sharing more than 1000 machines in this way.

Our Enterprise license includes the SimpleHelp Condenser feature as standard. This allows one or more Remote Access Services to be designated as Condensers, with many other Remote Access Services then connecting via them to the SimpleHelp server.

Scalability, Deduplication and Bandwidth Reduction

This aids greatly with scalability since each Condenser can itself support a large number of Remote Access Services, and then communications are handled via a small number of connections to the SimpleHelp server.

The Condenser service will also cache update files and perform deduplication where possible on communications between the services and the SimpleHelp server, reducing bandwidth.

Unidirectional connections, Firewall and NAT support

All Remote Access Services within SimpleHelp connect only out to the SimpleHelp server. The SimpleHelp server does not connect in to the Remote Access Service. This allows for strict firewall policies on networks or individual machines and for multiple levels of NAT without any degradation of service or reduction in features available through SimpleHelp.

Condensers honour this same design and all Remote Access Services connect only in to the Condenser, which then connects out to the SimpleHelp server. This again allows for NAT or firewalls between the Remote Access Services and Condenser, and between the Condenser and the SimpleHelp server, allowing for additional protection and segregation of network assets from the outside internet.

Network Segmentation and IEC 62443 compliance

Network Segmentation is a concept which is key to IEC 62443 compliance but also offers benefits to all customers using Condensers. Fundamentally, Network Segmentation creates zones within a networked system. Remote access services sharing via a single condenser don't need to be given access to the outside internet and can have stricter network policies in place. This reduces attack surface and helps ensure that no compromise of an individual Remote Access Service leads to compromise of other network zones.

Enhanced Visibility and Control

A further benefit of Condensers, also related to network segmentation, is a single point of monitoring and control for the customer.

As a customer or department sharing services via a Condenser, all monitoring and management of the network traffic for SimpleHelp can be focused on a single point. This allows both ease of monitoring and also a single point of control to restrict or shut down communications between the entire network zone and the SimpleHelp server, giving the customer peace of mind that they have full control of their assets.
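The connection model described above (Remote Access Services connect only to the Condenser, the Condenser connects only out to the SimpleHelp server, nothing connects in) can be checked against flow records collected at that single monitoring point. The following is an added example, not SimpleHelp code; the addresses, the zone layout and the flow-record shape are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; substitute your own zone layout.
SERVICE_ZONE = ip_network("10.20.0.0/24")  # hosts running Remote Access Services
CONDENSER = ip_address("10.20.1.10")       # the zone's Condenser
SERVER = ip_address("203.0.113.5")         # SimpleHelp server (documentation range)


def check_flow(initiator: str, responder: str):
    """Return None if the flow fits the outbound-only model, else a reason."""
    src, dst = ip_address(initiator), ip_address(responder)
    if dst in SERVICE_ZONE:
        return "inbound connection to a Remote Access Service host"
    if src in SERVICE_ZONE:
        return None if dst == CONDENSER else "service host bypasses the Condenser"
    if src == CONDENSER:
        return None if dst == SERVER else "Condenser connects somewhere other than the server"
    if dst == CONDENSER:
        return "connection into the Condenser from outside the service zone"
    return None  # flow does not involve this zone


def audit(flows):
    """Return (initiator, responder, reason) for every violating flow."""
    findings = []
    for initiator, responder in flows:
        reason = check_flow(initiator, responder)
        if reason:
            findings.append((initiator, responder, reason))
    return findings


# Constructed sample flow records: (connection initiator, responder).
SAMPLE_FLOWS = [
    ("10.20.0.21", "10.20.1.10"),    # service -> Condenser: expected
    ("10.20.1.10", "203.0.113.5"),   # Condenser -> server: expected
    ("10.20.0.22", "203.0.113.5"),   # service straight to server: bypass
    ("203.0.113.5", "10.20.0.21"),   # server connecting in: violation
    ("10.20.0.23", "198.51.100.7"),  # service to the internet: bypass
    ("203.0.113.5", "10.20.1.10"),   # server into Condenser: violation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

The same four rules translate directly into default-deny firewall policy for the zone: allow service hosts to reach only the Condenser, and allow the Condenser to reach only the SimpleHelp server.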

For more detailed information on condensers please see our Enterprise User Guide.