Setting up Cloud Remote Access

Cloud Remote Access is available in the Device Management application.

Prerequisites

Requirements

To use Cloud Remote Access, you need

a Cloud Remote Access compatible gateway connected to your Cumulocity account.
“Remote access” permission granted to the tenant user.
the Cloud Remote Access microservice included into your subscription plan.

Set up your device

To configure your device for compatibility with the Cloud Remote Access functionality, you must install thin-edge.io. Thin-edge.io is fully integrated with Cloud Remote Access and can be easily deployed on any Linux-based device, eliminating the need for any custom integration.

Furthermore, devices can report their supported protocols using SmartREST template 150 which offers two significant advantages:

It prevents the display of unsupported protocols in the selection modal, streamlining the user experience and reducing potential confusion.
It enables administrators to restrict the use of potentially vulnerable protocols, such as Telnet, thereby enhancing the overall security of your deployment.

User Authorization

The Cloud Remote Access feature is a powerful tool that requires careful management. Due to its potential for significant system impact, access should be restricted to experienced administrators who fully understand its capabilities and risks.

To grant access to qualified users:

Navigate to Accounts > Roles in the Administration application.
Click Add global role at the top right.
Create a new role with the following details:
- Name: “Cloud Remote Access Role”
- Permissions: Enable “Admin” permission for “Remote Access”

Accessing Cloud Remote Access

In the Device Management application in the Cumulocity platform, click All devices in the Devices menu and select the desired gateway from the device list.

When you open the gateway you will find the Remote access tab in its tab list.

Remote access tab

In the Remote Access tab, you can configure devices for remote control, so-called “endpoints”, and connect to remote devices.

Connections can be established to the gateway itself (localhost) or to any device in the local area network reachable by the device.

Managing endpoints

The “endpoint” is the IP address and port of the VNC, SSH or Telnet server running on the remote device. The IP address and port must be reachable from the gateway.

To configure a new remote device

Click Add endpoint at the right of the top menu bar.
Enter a name for the new endpoint and select the protocol to be used.
Follow the descriptions below for the protocol-specific settings.

Info

To be able to configure an endpoint, you need ADMIN permission for “Remote access” and “Device control”. To read data, a READ permission is sufficient. For more information on permissions, refer to Managing permissions.

To add a remote access endpoint via VNC

Enter the host (IP address or hostname) and the port of the server.
Select a sign-in method. If you select “Password only”, provide the password for the VNC server.
Click Save to add the endpoint.

Remote access endpoint

Once the connection is established, a new browser tab will open displaying the front screen or operating panel of the remote device you are connected to. The top bar of the screen will show “starting VNC handshake” when the process is starting.

Info

The following versions of the VNC protocol are currently supported:

RFB 003.003
RFB 003.007
RFB 003.008

The functionality has been tested on the following VNC servers:

Real VNC 5.3.2
Tiger VNC 1.6.0/1.7.0
TightVNC 1.3.9
EfonVNC 4.2
Vino

To add a remote access endpoint via SSH

Enter the host (IP address or hostname) and the port of the server.
Select a sign-in method.

Username and password: If this method is selected, it is mandatory to enter a username and password.

Public/private keys: Automatically generate public and private keys or simply paste pre-generated keys. The keys can also be uploaded from a file.

Info

The public key must be installed on the remote device as authorized key.

Optionally, you can also add a host key to ensure connection to the correct device. This key can also be uploaded from a file.
Click Save to add the endpoint.

The following formats are supported when adding new keys:

OpenSSHv1
OpenSSHv2
PEM
SSH2

The following algorithms are supported when adding new keys:

RSA
DSA
ECDSA
ED25519

Info

Limitations:

Character support: International characters are not supported. Only a limited set of control characters is functional.
Input restrictions: Mouse movements are not supported.
Protocol compatibility: SSH version 1 is not supported; only SSH version 2 is available.
Display behavior: Text reflow does not occur when the window width changes.

To add a remote access endpoint via Telnet

Enter the host (IP address or hostname) and the port of the server.
Click Save to add the endpoint.

Important

Telnet is considered to be an insecure protocol lacking built-in security measures. For network communication in a production environment we highly recommend you to use the SSH protocol instead.

To add a remote access endpoint via Passthrough

Enter the host (IP address or hostname) and the port of the server.
Click Save to add the endpoint.

Visit the Cumulocity CLI documentation to learn more about how to set up the passthrough connection from the device to your local machine using the local proxy that is embedded in the CLI.

To edit an endpoint

To edit an endpoint, click the menu icon at the right of the respective entry and select Edit from the context menu.

To delete an endpoint

To delete an endpoint, click the menu icon at the right of the respective entry and select Remove from the context menu.

Info

An active connection will not be terminated automatically after the endpoint was deleted.

To connect to an endpoint

To connect to configured endpoints, select an endpoint in the Remote access tab and click Connect. The connection to the configured remote device is established and the screen is shared in the client area.

Telnet connection

To terminate the connection, click Disconnect.

Auto-saving host key functionality

A host key is a public key of the server which is generated when an SSH server is installed. It is used to verify the identity of the server.

By enabling the auto-saving host key functionality you will no longer need to enter the host key after each connection. Instead, the host key can be automatically saved after the first successfully established connection to a remote access endpoint.

In order to enable the auto-save host key functionality, navigate to the Remote access page under the Settings menu in the Administration application. Activate the checkbox and then click Save.

Audit logs

For each gateway device, audit logs are available.

The audit logs can be found in the Control tab of the gateway device.

Display Audit logs

For each connection, the Cloud Remote Access microservice creates an operation in scope of the current user. Then the operation will be updated by the device to reflect the current status. Finally, the operation will have a status of SUCCESSFUL or FAILED.

Troubleshooting

Endpoints cannot be set up

If you cannot set up new endpoints, check if you have sufficient permissions.

To set up new endpoints, you need ADMIN permission for “Device control” to be able to register a device and ADMIN permission for “Remote access” to be able to add an endpoint.

For more information on permissions, refer to Managing permissions.

Connection fails

The connection via a gateway to a remote VNC, SSH or Telnet server can fail because of network problems. In this case you must contact your network administrator.

Unsupported protocol version

In case of Real VNC, if you get an error message stating that you are using an unsupported protocol version (for example 005.00x), try the following workaround:

Open VNC.
Navigate to Options.
Select the Export tab.
Search for Protocol version.
Enter “3.8” as protocol version.