As a managed service provider, quick, reliable, and secure remote desktop access to endpoints is essential to support your clients effectively. It’s hard to beat hands-on when it comes to troubleshooting and solving problems you haven’t automated away (yet!).
But you can’t be everywhere at once, so hands-on often means some sort of network-based remote desktop access.
There are plenty of ways MSPs can enable remote desktop access, but it can be hard to determine which ones you should use.
The remote desktop protocol (RDP) is great for Windows machines on a LAN but isn’t always supported and gets tricky to scale. Virtual Network Computing (VNC) is a viable alternative but comes with its tradeoffs.
To help you make the right remote desktop decision, we’ll explore RDP and other options for remote access with an MSP perspective in mind.
Popular remote desktop options
There’s no one-size-fits-all remote desktop answer. Sometimes, a hardware solution like an IP-based KVM switch makes sense. In others, simply sharing your screen during a Microsoft Teams call is enough. However, dedicated hardware is tough to justify outside of the server room, and collaboration tools lack key features like unattended access.
RDP and VNC are two of the most common solutions to these problems. Let’s take a closer look at each one to understand why.
Remote Desktop Protocol (RDP)
RDP is a no-brainer for simple remote desktop access to Windows machines. It’s supported on most Windows operating systems you’ll find in big and small companies, enables unattended access to systems, and works as though you’re logged directly into the machine.
The RDP protocol uses a client-server model. A “client” application lets users create sessions on remote “servers” that support RDP.
Here are few other key aspects of RDP:
- RDP is a proprietary protocol developed by Microsoft.
- The default RDP port is TCP 3389.
- RDP uses UDP to improve performance (default UDP port also 3889).
- RDP data-in-transit is encrypted.
For IT support, RDP does have a few tradeoffs. First, while there are options like xrdp and FreeRDP, RDP is very Windows-centric. This can limit RDP’s usefulness if you support macOS or different *nix flavors.
Additionally, because RDP creates a new user session when you log in, you’re not using it as an interactive screen-sharing tool. That lack of interactivity can hamstring troubleshooting sessions when you need to work with an end-user.
How to use RDP
Getting RDP access right from a security and scalability perspective is hard, but the basic use of RDP is simple enough. If you’re unfamiliar with RDP, here’s how to use remote desktop to connect to a Windows PC or server with RDP access enabled.
- From your PC, launch the Remote Desktop Connection App.
- In the Computer field, input the address of the endpoint and click Connect.
- In the Windows Security window, input the username (in domain\user format) and password for your server.
If you haven’t configured certificates, you’ll see a confirmation window like this that you’ll have to accept to proceed:
That’s it! You should now have remote access to the endpoint through RDP.
Virtual Network Computing (VNC)
VNC is based on the Remote Framebuffer (RFB) protocol defined in RFC 6143 and provides a platform-independent alternative to RDP. If you need to support many macOS or *nix systems, that might make VNC attractive.
Like RDP, VNC uses a client-server model and enables remote desktop access. Unlike RDP, VNC does not create new user sessions and instead effectively streams the actual state of the desktop over the network to the client. This makes VNC useful when you need to share screens for IT support.
Here are some other key aspects of VNC:
- The default VNC port is TCP 5900.
- VNC connections generally occur on port 5900+
( e.g., 5901 for display 1).
- Some VNC servers also use TCP port 5800 for a web interface.
- By default, VNC data-in-transit is not encrypted.
- RFC 6143 describes VNC authentication as “known to be cryptographically weak”.
Administrators often use SSH or IPsec tunnels to encrypt VNC traffic to compensate for some of the security features VNC lacks by default. Additionally, many VNC tools add features to simplify security for users.
How to use VNC
To provide an example of how VNC works in the real world, here’s how I set up remote desktop access to a Linux (Ubuntu-based) machine from a Windows PC using TigerVNC.
⚠️ Note: this configuration isn’t secure! Do not use it outside of a test environment!
- Access a terminal on the Linux machine and install the VNC server with this command:
sudo apt install tigervnc-standalone-server
- Configure a password by running the vncpasswd command.
- Run the VNC server manually, and have it listen for connections on all available interfaces with this command:
sudo vncserver -localhost no
You should see output similar to:
- Launch the TigerVNC client on the Windows machine and input the Linux machine’s address followed by the port number displayed in the output of step 3 in [address]:[port] format (e.g., 192.168.0.11:5901). Then click Connect.
- Input the password from step 2 and click OK.
That’s it! Now I have remote access to the Linux machine from my Windows PC.
Common challenges with remote access
RDP or VNC might be all you need for simple use cases and small LANs. But for an MSP that has to manage multiple assets across multiple customer sites, VNC and RDP create several challenges.
We’ve already discussed the tradeoffs between VNC and RDP, like platform support and new sessions vs. screen sharing. Now let’s look at some challenges common to both approaches to remote desktop access.
The most glaring challenge with RDP and VNC is security. While RDP traffic is encrypted and VNC is often routed through secure IPsec or SSH tunnels, exposing those services over the Internet is bad practice.
Just how severe is the risk? According to FBI Special Agent Joel DeCapua’s 2020 RSA Conference presentation, RDP is 70-80% of the initial foothold attackers use for ransomware. Similarly, the BlueKeep RDP vulnerability (CVE-2019-0708) allows remote code execution (RCE) on unpatched servers.
VNC has made its share of headlines for security issues too. CVE-2022-27502 is a recent example of a VNC-related vulnerability that could lead to privilege escalation. Additionally, 2019 saw a variety of high-profile VNC vulnerabilities, including privilege escalations.
Of course, RDP and VNC can be used securely. Strong passwords, certificates, SSH tunnels, firewalls, multi-factor authentication (MFA), and tight security policies go a long way.
The problem is that defining, implementing, enforcing, and maintaining secure remote access for end-user devices is complex. And that complexity is hard to scale across multiple endpoints at multiple customer sites.
The additional overhead can leave MSPs with the unfortunate tradeoff of not using RDP or VNC, using them with sub-optimal security configurations, or investing significant time and effort to implement them securely. Fortunately, other options can address the security and complexity challenges of remote desktop access.
Splashtop for remote desktop access
Spending too much time configuring, maintaining, and troubleshooting RDP or VNC is costly. But you can’t sacrifice security either.
Several commercial tools are available that aim to solve this problem and simplify remote access, with varying levels of success. Among those commercial tools, Splashtop has built a reputation in the MSP space as a reliable, effective, and secure solution.
Splashtop’s effectiveness for the MSP world is a big part of why we integrated it into Syncro’s RMM feature set. The integration further streamlines your MSP workflows and gives you remote desktop access directly from the same system you use for ticketing, asset management, monitoring, and automation.
Specifically, here are some of the key benefits of Splashtop + Syncro for remote desktop access:
- Security: The agent on the endpoint securely connects to Splashtop and enables remote desktop access without VPN access to the network or exposing services to the entire internet.
- Interactive sessions: One of RDP’s tradeoffs is that it doesn’t allow you to view the same session as your clients. With Splashtop, you can work with your clients in real-time to resolve problems.
- Simplicity: Splashtop support is built into the Syncro agent. After the initial setup, one-click remote access is possible.
- Speed: When all your tools—like ticketing, billing, RMM, PSA, and remote desktop access—are in one place, workflows get faster. And when workflows get faster, clients are happier, and costs are lower.
- Cost: Splashtop is included with Syncro without any additional licensing costs.
How to use Splashtop and Syncro for one-click remote desktop access
Let’s walk through what it takes to achieve secure remote desktop access with Splashtop and Syncro.
- Install the Syncro agent on the target endpoints./li>
- Make sure your Syncro policy settings allow remote access.
- In Syncro, access the endpoint and click Remote Access.
If the Splashtop remote access viewer isn’t installed on your machine, you’ll be prompted to install it.
- If prompted, allow Splashtop to open the link. Optional: Check the box to Always Allow to enable true one-click access.
That’s it! You now have secure remote access to the endpoint without complexity or exposing a remote access protocol to the entire internet.
And you get a variety of helpful support features like remote file transfer, system browser, and event viewer.
Check out our Splashtop Remote Access knowledge base article for a deeper dive into the Splashtop integration.
To take Splashtop and Syncro for a spin yourself, sign up for a free full-featured trial.