Remote access astro PC from work

[westernwolf]

Hi all,

I have been trawling through the forum and haven't found the help I need, apologies if my question has already been answered in a corner of the forums I have yet to check out.

Background: My primary rig is permanently connected to an Eagle 5 computer, from home I have no problem connecting to and monitoring the progress of N.I.N.A. using the Microsoft RDP app on my MacBook over the LAN at home. The scripts I use (Patriot Astros) work really well, after a quick polar alignment check I am very happy to leave the rig to do its own things, open the flap, slew, guide etc, closing the flap at the end of the run before capturing the required calibration files. This week at work has reminded me that I seem to loose so many clear nights when I am not at home, for some reason they seem to be mainly cloudy at the moment. I have a network attached camera that I already use to monitor the rig, but I would like to take it one step further using port forwarding to monitor the N.I.N.A. sequence when I am at work, and if there was a problem to have the ability to return everything to a safe parked position. The power is already remotely controlled through a smart socket using the Apple Home service.

The question: Could someone point me in the right direction to securely access my Astro PC remotely through my Sky Max Hub router, and would I still be able to make the connection using the remote desktop application on my MacBook?

Any advice would be gratefully appreciated,

Thanks in advance,

Matt

[John_D]

Two caveats before we start. Firstly it's a long time since I've done any of this so things may have changed. Secondly the usual warnings about opening router ports to the internet apply. You'd probably be better off with a VPN in there somewhere as well.

Some suggestions:

1. You should be able to use RDP from outside your network. You'll probably need to check the Microsoft documentation as to how to do this

2. A similar alternative is something like VNC. From a quick Google there seem to be paid and free versions these days.

3. Some sort of diagnostic tool which is mainly designed to allow remote access for troubleshooting but which would do the job. Again there are lots of these around, some free, some paid for.

[GrumpiusMaximus]

There are a lot of services that would let you do this.  TeamViewer, ConnectWise, etc.  I would advise against VNC and RDP as there are a lot of threat actors scanning for open VNC and RDP connections and there may be vulnerabilities depending on how up-to-date everything is.  TeamViewer and other remote application applications aren't exactly perfect either but do work.  I work at an IT managed services provider and we use a commercial service like the above to maintain persistent connections to our customer endpoints.

If you're doing it from work then I would discuss this with your IT team.  Finding an unknown remote connection software suite on a work endpoint is a cyber security manager's nightmare (ask me how I know) and will likely result in trouble.

[Bivanus]

6 minutes ago, GrumpiusMaximus said:

Finding an unknown remote connection software suite on a work endpoint is a cyber security manager's nightmare (ask me how I know) and will likely result in trouble.

Depending on where you work you might be in a LOT of trouble up to and including not just getting fired but also getting prosecuted to the full extent of the law , and please note that I am not talking from US where 'getting sued' is the norm but from EU where that is the exception. 

My personal opinion , as somebody who worked from really remote places where the work net was the only net so personal stuff had to go thru that regardless, is to do what @GrumpiusMaximusadvices and have a talk with the IT folks. In this day and age , with WfH still a thing and VPN's usage somewhat of a main relligion following, I would be surprised if they don't have a controllable mean already in their tool-box.

[John]

41 minutes ago, GrumpiusMaximus said:

....If you're doing it from work then I would discuss this with your IT team.  Finding an unknown remote connection software suite on a work endpoint is a cyber security manager's nightmare (ask me how I know) and will likely result in trouble.

As a former Head of IT in a medium sized organisation, I would heartily agree with this suggestion and also I would suggest discussing the proposition with your line management.

 

 

[omo]

I doubt line management will approve - your supposed to be working.  IT as others have rightly said for security reasons. First check the Acceptable Use Policy you signed regarding company computer use.

My former employers (BT) would never allow this.

Your mobile phone or a tablet with a sim may be the way to go.

[GrumpiusMaximus]

In some organisations doing this without the consent of IT could result in serious disciplinary action.  There should be controls on work endpoints to prevent users from installing their own software but sometimes something slips through the net.  Remote connections are one of the most vulnerable services to compromise (behind email usually - I've got a rant about email) so finding that it's been set up can very often result in the CSIRT function trawling through hours of logs to work out exactly what's happened and why.  Not all businesses are set up like this but many companies are (or use a managed services provider for these services) and this can lead to serious disruption, effort and in some cases cost to the organisation - even if nothing nefarious is occurring.

[Paul M]

I use RealVNC extensively to monitor 3 permanently running mini PC's and 2 imaging PC's when they are in use. They are mostly on Ubuntu but one of them is on Windows. RealVNC is cross platform and doesn't require any port forwarding or fixed IP's.

I do log in at work but not on any corporate machine. I use either my phone, or an old iPad I reserve for that single purpose. The corporate machines at work would not allow me to install VNC Viewer even if I was so inclined. 

So that my recommendation would be to install VNC server on the Eagle and use a tablet at work with either wifi if available (my work wifi is corporate only) or as I do, mobile data. Mobile data is really cheap now.  

[Bivanus]

1 hour ago, omo said:

I doubt line management will approve

Pre-covid that would've been the 100% , nowdays is more like 50/50, a better understanding of what it takes to have people minds focused on work has also shifted a bit. For example , remote camera's connections to see one's home are rather usual now , especially for young parrents and/or pet owners. You'll say that many of those go via phone apps but...tadaaam...quite a lot of companies also make you use a company issues smartphone today 😅 

It's true that , if possible, having a sparate set-up for personall things is preffered, the OP has now received inputs regarding both alternatives.

EDIT: It's also a rather important point that needs to be explained to management/IT that the actual 'astro-activity' is preprogramed and the user will mainly input a Start/Stop validation based on weather conditions.Reading the initial post it looks like the OP runs a tight ship and has an automated work flow.

Edited September 14 by Bivanus

[Paul M]

2 minutes ago, Bivanus said:

Pre-covid that would've been the 100% , nowdays is more like 50/50, a better understanding of what it takes to have people minds focused on work has also shifted a bit. For example , remote camera's connections to see one's home are rather usual now , especially for young parrents and/or pet owners. You'll say that many of those go via phone apps but...tadaaam...quite a lot of companies also make you use a company issues smartphone today 😅 

It's true that , if possible, having a sparate set-up for personall things is preffered, the OP has now received inputs regarding both alternatives.

Indeed, my employer is very happy for employees to login to their social media etc, particularly on 12hour night shifts. The company has a big drive on well-being and mental health right now, with a particular focus on shift workers. HQ now even has a bunk room where the IT types can get their head down when it's quiet.

My team and i usually have a quiet period from 2 am to 4 am unless the poop is literally hitting the rotary impeller. I never sleep on shift but have some "me time" frequently through the shift; check my cameras, remotely play with the other computers. Read SGL...

[Ratlet]

I'd use TeamViewer.  If you are lucky your work will have it already installed, you might be able to install it or you can run a webclient.  If all that fails just install it on your own computer and use your phone as a wireless hotspot

 

[malc-c]

The company I worked for when I was an IT Tech wouldn't permit such use.  The companies computer and IT kit policy simply stated that only work related activities were permitted on the equipment provided.  This came after people abused the privilege by hooking up their personal phones to the PC and uploading all their photos taken over the weekend to their facebook or other social media on a Monday morning.  So the policy was tightened and the employee handbook updated.   All social media websites were added to the black list of sites through group policy as some management at director level still needed access for company business.

From a security point of view I doubt the IT manager would agree to this.  It doesn't have to be about opened ports etc, the PC wouldn't be running the companies licenced AV software, and may have other software required which is not running on a licenced PC owned by the company, so could in effect be breaching licencing agreements etc.

[westernwolf]

Sorry I should have said the plan would be to use my personal MacBook tethered to my phone to allow me to keep an eye on now the sequence is progressing and for potential problems every so often during my night shifts. There would be no connection to the companies network infrastructure. That would be impossible, it’s often hard enough to get our IT department to get the software we need installed on our computers.

Kind regards

 

.

[malc-c]

If that's the case, and your phone is using mobile data and not any company wifi then I can't see why not, provided your line manager doesn't see it as a distraction and affects your ability to do the job you were employed to do.  Problem comes when you notice something has gone tits up and you are trying to sort it out when you should be working...

Edited September 15 by malc-c

[Bivanus]

11 hours ago, westernwolf said:

[...]use my personal MacBook tethered to my phone [...] every so often during my night shifts.

Unless you are a flight controller or foundry line operator you are golden.

[westernwolf]

For additional clarification as to why I started this thread with the sincere hope that I could be pointed in the right direction for access my telescope through my ISPs router.

On those lucky nights when I am at home, I set my rig running and just let it be, occasionally glancing at the MacBook and the last image that N.I.N.A. has displayed, more often than not, I just leave the rig running, churning through the sequence, waking in the morning to find it correctly parked and powered down. I can then have look back through the logs and identify whether there have been any issues such as guiding and after breakfast have a quick initial skim through the data.

On those clear nights when I am working, it would be nice to have a quick look at the progress though the sequence whilst having a cup of tea, or my lunch. There are also natural times during my shift where, like now, I am waiting for a set to come into the shed to be worked. It is these times where I would have a 'quick look' at the last image displayed by N.I.N.A., if all is good than that would be that. If however there was say a focus or guiding issue that isn't weather related, rather than leave the rig running gathering data that I would have to delete later, I would by nice to just stop the sequence, warm the camera and park the rig. The other reason I am exploring this is my commute by train is >70 minutes and therefore on those rare mornings where I am not napping on the train I could have a quick look through the data in the same way I would do after breakfast on those mornings where I am not working.

My job is a technical fault finder, part of the role is to assist and advise my colleagues on how to progress a fault or issue they are working on, I hope that whilst carrying out my duties that the advice I give is helpful and to the point without any overtones of not working etc.