The Remote Web Admin tool in Peplink’s InControl 2 is without a doubt one of the most useful tools you will ever use as a network admin. It gives you single click access to the admin web interfaces of your remote Peplink devices wherever they may be, however the power and versatility of this feature is often overlooked so I just want to take a moment to highlight it here.
Web Administration Interfaces are everywhere
Web administration is not new – just about every networked device from switches, access points and IP CCTV cameras to internet connected homebrew beer appliances have web interfaces that enable you to configure and monitor their functions, and when you are connected to the same LAN as those devices managing them is as easy as opening your favourite browser navigating to the interface and logging in.
However when those devices are remote (perhaps on a customer site) things get a little more complicated. Historically the only real way to connect to them was to punch holes in your firewall to access these devices using your firewalls public IP, or to set-up a secure VPN connection to the remote site and then access them as if you were locally connected.
Security is key
Any time anyone wants me to open inbound firewall ports on their network I tend to screw my nose up in distaste, since anything that increases the opportunity for remote hackers to get access to internal systems is only ever bad. Yes risks can be mitigated with two factor authentication and other similar intelligent network perimeter security appliances, but even then I would always prefer a secure VPN connection.
Creating VPN connections is better from a security stand point, but at the same time, managing local user accounts on firewalls for VPN access has its own risks, and from a support process perspective, creating the VPN connection is an additional required step to connect and then access the end device which is far from efficient. In either case, as a support engineer I need to be sent multiple usernames and passwords both to access the connection method but also the device itself.
Most Remote Web Access Requires Public, Static IPs
Both Port forwarding and VPN access work best when the WAN IP of the target network is public and static, however more and more businesses now are taking advantage of cheaper broadband connections with dynamically assigned IPs and some are using cellular connections as their main internet link – many of which are actually private NAT subnets provided by the mobile service providers. You can use dynamic DNS services to maintain easy access when your public DHCP IP changes on renewal, but this doesn’t help if your main WAN connection is in a private subnet.
In short then – remote device administration can be a real pain to get right and can slow down support engineer efforts dramatically.
How Remote Web Admin is different
Here is how you connect to a remote Peplink Web Admin Interface using InControl 2:
- Login to InControl
- Click on the Device You want to manage
- Click on Remote Web Admin
Easy as pie wasn’t it?
What makes this demo even more extraordinary is that not only is the web admin interface of this MAX HD2 not available on the public internet, but the device itself is running BEHIND two more routers that are providing NAT. There are no inbound ports forwarded to allow InControl to proxy the devices web interface, and no additional firewall rules.
So lets take a moment and look at what’s happened here.
- Since the MAX HD2 has is being actively managed by InControl 2 for firmware updates, bandwidth reporting and the such, it already has an active secure communication channel session in place with the cloud service.
- When we click remote web admin on the device page in InControl, a message is sent over that secure channel requesting the HD2 initiate a temporary secure VPN session.
- The HD2 creates the temporary VPN connection to the cloud and InControl 2 acts as a web proxy, presenting the MAX HD2′s web interface.
There are a couple of things worth highlighting here. Firstly, because all communication with InControl is initiated by the HD2, there is no need for inbound route configuration on any other device on its WAN, and the HD2 (and its internet/WAN links) can also have dynamic addressing – and this can even be a private IP (as shown in this example – the HD2 has a WAN IP of 192.168.20.10) so long as the device can route traffic to the internet.
Remote Web Admin To Any Device Anywhere
This means that the Remote Web Admin service can tunnel out over other private networks in its path to the internet, and that it can also work on all cellular networks too. So you can have a MAX HD2 installed in a car, tearing up the motorway connected via 3G/4G, or you could have a Balance device plugged into the LAN of a customers home network and you can still remotely connect to the device to manage it – without the need to configure any other device or network connected to its WAN.
Keep Your Device Admin Accounts Secret
You might also notice from the video that we didn’t need to log in to the HD2′s Web UI after clicking Remote Web Admin. Since my InControl account is the registered administrator for this group of devices, InControl takes care of the device authentication for me and logs me in as part of the connection creation process. If I want, I can add an additional administrator user to this group of devices and give them full access to this HD2 as well, and they would be able to use Remote Web Admin too. At no point have I had to send login details for the router itself insecurely via email or chat, and if I want to revoke their access I just remove them from the list.
This feature becomes invaluable when you are managing hundreds and thousands of devices in your estate as a managed service provider for example, since you don’t need to give your support staff a list of usernames and passwords for the customer devices AND you can even give the end user administrator level access to a device without ever sharing your local device admin password with them. Then if the end customer were to change their admin password and forget it, they can login to incontrol and reset it themselves or as their MSP you can reset it for them.
The Remote Web Admin feature in InControl 2 is clever, versatile and incredibly useful. It enables quick and easy device administration of thousands of devices with a couple of clicks and also provides remote web administration of devices in normally hard to reach places that would be prohibitively complicated to access using alternative methods. Use it as much as you can – it will make your life easier I promise.