Friday, February 24, 2012

Bomgar: keeping your helpdesk staff at their desks

We had a staffing problem a while ago (who hasn't) and the perception was that we were short on helpdesk technicians. We didn't have the dollars to spend on new hires, so we looked at streamlining operations. Our helpdesk techs were running around all day trying to keep up with the demand and it just wasn't working, so we started looking at remote support solutions and ended up with Bomgar.

Just to be clear, I don't really have anything to do with the management of our helpdesk, but I do manage the Bomgar appliance and work with them to make sure that it's doing what they need it to do. I do know that we evaluated many options, ranging from things like TeamViewer to Microsoft Remote Assistance to expensive solutions from premier vendors.

We chose Bomgar, because it allows for complete remote control of Windows, OS X, and Linux clients as well as some troubleshooting capabilities for BlackBerry OS, Android, and iOS. You don't get interactive control with BlackBerries, Droids, or iOS devices, but you can see system state and manipulate device settings.

The Representative Console, which is what the technicians use as an interface to remote clients, can be installed on Windows, OS X, Linux, iOS, and Android devices. Yes, you can do troubleshooting sessions with full screen sharing and control from an iPad to a remote client with any supported OS.

The Hardware
Bomgar sells their product in two forms, a virtual appliance and a 1U physical appliance. They both have different models with different capabilities but the overall functionality is the same. We went with a B200 and 6 concurrent rep licenses. This allows for up to 6 technicians to be logged in to the Representative Console at a time. The Rep Console is where the support staffers interface with clients.

The setup of the B200 was a breeze. I grabbed a laptop, plugged it into NIC1 and connected to the pre-configured IP through a web browser. There are two web interfaces available, /login and /appliance. /appliance is where you configure basic appliance settings like IP, management interface ACLs, SSL certificates, etc. /login is where you have the great majority of your support-specific configuration. Note that you do need a valid, trusted, third party certificate. We use a Digicert Wildcard Plus, which we use elsewhere in our organization as well. It works fine.

From the time the appliance was racked, it was about 30 minutes until I was back at my desk configuring authentication and features.

We authenticate our representatives against Active Directory groups. Bomgar does include authentication connectors for OpenLDAP, eDirectory, and generic LDAP as well. You need to make a service account to bind to AD with and then simply configure the groups that are allowed to log in by adding their distinguished name to the allowed groups list. You can import a certificate here as well to leverage LDAPS if you're concerned about the security of this type of deployment.

We have more than one group that corresponds to more than one team. You can set Group Policies (poor choice of name) so that each group of representatives can have different restrictions. For example, the Reporting Managers group are allowed to run reports about usage, but the End User Support group is not. Users can be members of more than one group, which gives them the cumulative effect of their individual group's permissions.

Setting up AD authentication is a little tricky and unintuitive at first, but once it's set, you never have to touch it again. You just add new users to the appropriate groups in AD and you're done.
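Because membership in several allowed groups is cumulative, it is worth reviewing what each representative ends up with. The following is an added example, not Bomgar's code or anything from the appliance: the group DNs, user names and permission names are constructed for illustration, and the DN comparison is simplified (it does not handle escaped commas).

```python
# Added example: audits cumulative Group Policy permissions per representative.
# All DNs, users and permission names below are constructed/hypothetical.

def normalize_dn(dn):
    """AD treats DNs case-insensitively; also drop spaces around ',' and '='."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

# Allowed-groups list: group DN -> permissions granted by its policy.
GROUP_POLICIES = {
    "CN=End User Support,OU=Groups,DC=example,DC=edu":
        {"screen_sharing", "elevate", "session_transfer"},
    "CN=Reporting Managers,OU=Groups,DC=example,DC=edu":
        {"run_reports"},
}

# memberOf values as they might come back from a directory export.
USERS = {
    "alice": ["cn=end user support,ou=groups,dc=example,dc=edu"],
    "bob": ["CN=Reporting Managers, OU=Groups, DC=example, DC=edu"],
    "carol": ["CN=End User Support,OU=Groups,DC=example,DC=edu",
              "CN=Reporting Managers,OU=Groups,DC=example,DC=edu"],
    "dave": ["CN=Faculty,OU=Groups,DC=example,DC=edu"],
}

def audit(users, policies):
    """Return {user: (status, sorted effective permissions)}."""
    by_dn = {normalize_dn(dn): perms for dn, perms in policies.items()}
    report = {}
    for user, member_of in sorted(users.items()):
        matched = [by_dn[d] for d in map(normalize_dn, member_of) if d in by_dn]
        effective = set().union(*matched)
        if not matched:
            status = "no-login"        # in no allowed group
        elif any(effective == g for g in matched):
            status = "single-group"    # one group already grants everything
        else:
            status = "cumulative"      # only the union grants this set: review
        report[user] = (status, sorted(effective))
    return report

if __name__ == "__main__":
    for user, (status, perms) in audit(USERS, GROUP_POLICIES).items():
        print(f"{user:6} {status:13} {', '.join(perms) or '-'}")
```
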

Bomgar Button
One of the features that we really liked was the Bomgar Button, which makes a Desktop and Start Menu shortcut that allows a user to be put into a support and live-chat queue with just a few simple clicks. This feature is Windows only at this time, unfortunately. There are plenty of other ways to get a user into a support session, including generating email links or having them navigate to the URL of the Bomgar appliance and starting a session. The Button just makes it a breeze. Whenever a Windows user has a problem, they know that they can click the button and one of our techs will be in a live chat with a screen sharing session in under a minute.

When the user clicks on the icon, they are presented with a window that allows them to join a predefined support queue. You can deploy different buttons that dump users into different queues if that fits your support model, but we just have everyone dumped into our End User Support queue where any helpdesk tech can grab the session. From there, those technicians are able to transfer the remote session to other areas as needed.
The user needing help launches this shortcut.

Then, the user simply clicks "Connect with Support Team" and they're placed in the support queue.

Deploying the Bomgar Button via GPO is a bit tricky, but can be done if you have basic experience with ORCA and generating a transforms file. I'll probably write a separate post on how to do this. It is offered in an MSI and EXE installer.

Bomgar handles UAC elevation as well as anyone's product can. When the support rep clicks the Elevate Privs button in the Rep Console, the user at the other end is presented with a UAC popup (the rep can't see this, because of UAC's process isolation). If they click accept, then the tech is able to proceed and enter his or her credentials. At this point, the Bomgar client reinstalls itself as a service and launches with those credentials. The rep now has fully elevated access to the remote machine. Whenever any session is complete, the Bomgar client uninstalls itself.

One of the nice features for us is the integration of Live Chat at the beginning of each support session. We have the Bomgar Button deployed in our labs and classrooms, because many professors don't have a quick way to contact the helpdesk if there is a problem. Rather than wasting class time digging out their phone and looking up the number to the helpdesk, they can simply start a Bomgar session and use the Live Chat feature to communicate their problem.

Ticketing Integration
Lately, Bomgar has gone a long way to work with various ticketing system vendors to integrate their products. Things like system info, chat logs, support session recordings, and other miscellaneous things can be pulled into many helpdesk systems to help automate and improve the detail included in trouble tickets.

Canned Scripts
Canned Scripts are not what you think they are. Canned Messages are pre-defined snippets of text. We find them annoying and impersonal, so we don't use them. Canned Scripts, however, are pretty cool. You can pre-define commands to be run by cmd.exe or These effectively allow you to make one-click macros out of your most commonly run commands, like ipconfig /all, or gpupdate /force.

Overall, we're very happy with our B200. The initial cost isn't low, but we've seen a noticeable decrease in ticket response time and a decrease in the number of open tickets in general.

The configuration menus leave something to be desired and the Bomgar Button's MSI installer seems like it was cobbled together by two monkeys sitting on a keyboard fighting over a banana while ORCA was open.

That said, we're all very happy with it, here at $JOB.


  1. There is one very easy solution to all this - free Ammyy Admin

    It doesn't require installation or specific config. It works behind gateways NAT without port mapping as well as within one LAN.

    Good alternative though!

    1. It sounds like Ammyy brokers connections through their central servers. When you purchase a Bomgar appliance, the connection is made at your own datacenter. A dedicated Bomgar appliance probably isn't a good choice for a lone independent technician or small shop, but the ability to not outsource the connectivity to a third party is a big selling point to people that want to avoid third parties due to things like the recent PC Anywhere snafu.

  2. Yeah, Bomgar is good. However, I use RHUB web conferencing servers for all my online collaboration needs. It provides both web conferencing + remote support in one box; just like one stop shop.