In-Depth

Unshackled: Wireless Administration

Admin tasks don’t end the moment IT pros step out of the office. These devices and software solutions can keep servers shining, no matter where you are.

Some think administrators have all the luck. They’re kings of their castle with god-like rights over the corporate network. Right. Many fail to realize all the heartache and headaches that come with these rights. Phone calls or pagers going off in the middle of the night; users that want things done yesterday, and budgets that don’t even come close to covering what management wants out of their systems. Worse is the lack of freedom. Sure, you’re king in the network, but you’re also a prisoner, because most of the time you just can’t leave.

If this is your life and you want to get away from it, then wireless systems administration might just be the ticket out. You probably already own at least one wireless device, whether it be a RIM Blackberry, Palm Pilot, Pocket PC, a new-fangled Smartphone or even a Tablet PC. With the right remote administration tools and your wireless device, you could leave the office and manage your systems as if you were there. Users and managers wouldn’t even know you’ve left. How’s that for a deal?

Wireless Administration Coverage
We know what you’re thinking: How could I leave the office and administer my systems remotely if wireless administration software doesn’t cover everything I need to do? And you’re right. Wireless administration tools just won’t cut it if they don’t cover the basics and more in terms of systems administration. To be truly useful, wireless administration tools should cover the following areas:

Generic Administration

 User and Group administration

 Server administration

 PC/Mobile Device administration

 Security Management

Server Role Administration

 File & Print Servers (shared folder and printer administration)

 Web Servers (IIS administration)

 Collaboration Servers (Exchange administration)

 Identity Servers (Active Directory administration)

 Terminal Servers (Terminal Services administration)

 Application Servers (SQL Server administration)

 Infrastructure Servers (DNS, DHCP, WINS administration)

Ideally, remote administration tools would allow in-depth access to the tools required for most problematic situations. A tool that manages all the above activities would grant administrators the most freedom in their everyday tasks, but in some situations, a tool that manages at least each of the generic areas of activity can still offer a lot of value. Imagine: resetting user passwords while sitting in a meeting; creating new users while taking a technical course offsite; or even stopping and starting system services while on your way home. All you need is a) The right wireless device, b) A functional wireless carrier and c) The right remote administration tools.

For the first part, several wireless devices now support remote administration (see “Wireless Devices Used”). For the second, you’ll need to choose the right carrier. For the third, three tools are examined here: MobileControl Administrator for Windows by ASG, sonicadmin by Sonic Mobility and PocketAdmin for Windows by Expand Beyond.

Product Information

MobileControl Administrator for Windows, version 3.11
Pricing is based on server configuration starting with 20 servers.
Allen Systems Group (ASG) Inc. http://mobilecontrol.asg.com

Sonicadmin, version 3.1

Pricing ranges from $149 to $249 depending onnumber of servers. Sonic Mobility http://sonicmobility.com

Mobile Suite for Microsoft based on XBAnywhere
version 2.3

The Mobile Suite (includes PocketAdmin for Windows and PocketDBA for SQL Server) starts at $250 per server/minimum 10 servers.
Expand Beyond
http://xb.com

ASG MobileControl Administrator for Windows
The Allen Systems Group (ASG) tries to cover end-to-end software solutions. Many of these solutions have been added to the ASG roster through acquisitions. Such is the case for ASG’s MobileControl Administrator (MCA) for Windows. This tool focuses on remote systems administration for both generic activities as well as specific server role administration.

MCA is easy to install. Simply double-click on the setup file, answer a few questions and you’re up and running. Its best feature is the zero-footprint client interface. Client access to the MCA console is through straight HTTP, Secure HTTP (HTTPS) or Wireless Markup Language (WML). This means that all the client devices need to do is know how to access and display a Web page. This is a real boon. Simply make sure your client has Internet access either through the General Packet Radio Service (GPRS) or an 802.11x network, type in the address of the MobileControl Web page and off you go. For access outside your private network, install a third-party Virtual Private Network (VPN) client for added security, and you can use any public wireless network. There is, however, a specific client for Pocket PCs you can install. But since the Pocket PC can also access MCA through the Web page, it seems pointless to bother.

Remote administration is simple and straightforward (see Figure 1): Simply go to the administration Web page and point-and-click. Logon is performed through an actual log onto the Windows server followed by the request of your PIN. Once you’re in, you’ll see that administration activities cover users, computers, servers and services, print and file servers, SQL Servers, servers running IIS and even devices running the Simple Network Management Protocol (SNMP). Most activities are point-and-click; very little typing is required. Computer, user and server administration screens include the ability to enumerate all devices so you don’t have to remember the exact spelling of an object name to access it. Administration works very well with all of the supported devices.

ASG MobilControl Administrator Interface
Figure 1. The ASG MobileControl Administrator Interface consists of a simple Web page. It automatically adjusts to the capability of your device’s Web browser to give you full access to its complete feature set. (Click image to view larger version.)

MCA does have some drawbacks. In fact, it really seems more like a Windows NT tool than a post-Windows 2000 one because it doesn’t come with a Windows Installer-based setup. It also relies heavily on IIS. Additionally, its user and group management tools don’t really address AD management activities. Finally, though it works with either SQL Server 7.0 or 2000 in either the full or desktop editions, it doesn’t support Windows integrated authentication. This means assigning user rights through the SQL Server Enterprise Manager. You can, of course, choose to install the included Microsoft Desktop Engine (MSDE) version of SQL, but doing so will leave you with a blank system administrator password, something any admin worth his salt would find abhorrent. Lastly, authorization is performed on a user-by-user basis instead of through groups.

Overall, MCA is a good product that’s probably due for an upgrade—something that ASG promises early next year—to integrate capabilities such as Group Policy and AD management, as well as Exchange server administration. The current version of MCA also supports the Telnet and secure shell (SSH) access methods to servers, but since the Web connection supports the command line, these may not be required. It relies on IIS, but this is a small price to pay for zero footprint client installations.

Our Test Devices

We ran all three packages on a Palm Tungsten C, an HP iPaq HP4150, an Intermec CT60 WalkAbout Rugged Tablet PC and a new Motorola MPx200 Smartphone that accessed the MobileControl Web site through the AT&T wireless network. Administering a server through a phone takes a little getting used to, as typing and menu selection isn’t all that easy, but it works fine once you get the hang of it.

The advantage of the phone is that its network access works anywhere a cellular phone does, making it more practical in some ways than a Pocket PC or Palm Pilot, unless of course, those devices include a GPRS card.

Sonic Mobility Sonicadmin
Sonic Mobility is completely focused on mobile software. The company’s goal is to build mobile tools that respond to everyday situations. Sonicadmin, its flagship remote administration tool, was even selected by DELL and Microsoft to be part of a special remote administration offer for Windows Server 2003 during its launch period. Unlike ASG’s MCA, sonicadmin requires both a client and a server component. This means installing specific software on the handheld device. On the other hand, Sonic Mobility produces clients for most platforms including Palm (OS 5 and later), Pocket PC, RIM and Blackberry devices—though not all of the latter are supported. Installation is also straightforward since it requires the execution of a single file on both servers and clients. The server installation file seems up to date since it is in Windows Installer format. The same goes for the Windows client.

Because it provides a special client, sonicadmin doesn’t rely on IIS. Instead, the client communicates over TCP port 8168. This means you must open this port on your firewall if you want to perform remote administration from outside your private network. The port number can be configured at installation to further reduce the risk of a security breach. Sonicadmin integrates with third-party software such as the Blackberry Enterprise Server—though this integration isn’t required to work with RIM or Blackberry devices—as well as software tools such as Opalis Robot and NetIQ AppManager.

Sonicadmin configuration is performed through a Microsoft Management Console (MMC) including a taskpad (see Figure 2).

Sonicadmin Console Interface
Figure 2. The sonicadmin Console Interface sports a full Microsoft Management Console with integrated taskpad for systems administration. (Click image to view larger version.)

Sonicadmin’s MMC-based interface lets you add authorized devices and users. Of note is the ability to configure authorizations through administrative roles and assign them to groups of users. This way you can allow help desk personnel to reset passwords, but not reboot servers. It also means support engineers to have proper remote administration rights. This role-based approach is akin to role-based server management, making it easier to assign appropriate rights to groups of administrators. The console also lets you designate managed systems, including systems that support command-line based management.

Once the system is properly configured, the next step is to install client software. Each client device must be cradled to support the software installation. The client device must have proper wireless access to the network to be able to support remote administration. To remotely manage a server, the client needs to first launch sonicadmin, authenticate the device to the sonicadmin server, then authenticate the user. Device authentication is required only the first time you log on. Once you’re in, you select the server to manage. Sonicadmin includes the ability to get all user, group and system objects, and has filters to make it easier to find specific objects in large networks. Of note is the ability to distinguish between local and domain users and groups. Unfortunately, since user creation is limited to new users only—like the two other tools—no template accounts can be used.

Sonicadmin offers complete access to services, processes, and event logs. Administration through the client is simple and straight forward, and works through any Internet connection to your server. The client interface is lightweight and well designed for each device we looked at; unfortunately, we weren’t able to test the RIM or Blackberry interfaces.

Sonicadmin seems more modern than MobileControl Administrator. It provides its own level of security, and because of its integration with SecureID, gives more secure access to servers. Its basic requirement for both device and user authentication makes it more secure by default. It doesn’t support SQL Server or IIS except through the command line, though it does provide a very useful and powerful Exchange administration component. Of note is the ability to integrate with X-10-enabled power management devices through its powerrover feature. If your hardware supports the standard, you can even use sonicadmin to remotely control electrical devices, setting back or raising the heating and air conditioning controls in the server room, for instance.

Expand Beyond PocketAdmin for Windows
Like Sonic Mobility, Expand Beyond is completely dedicated to mobile technologies. It provides two mobile administration products: PocketAdmin for Windows and PocketDBA. As its name implies, the latter focuses on SQL Server, Oracle or Teradata database administration. Both products are bundled through the Mobility Suite for Microsoft, though only PocketAdmin for Windows is evaluated here. Installation of the server component is very straightforward, and is based on ZeroG’s InstallAnywhere. The two other products used Wise Solutions’ Installer. This is probably because Expand Beyond products work with both Java runtimes and the .NET Framework.

Obtaining the software isn’t easy. First you need a serial number to access the download area. Next, you need a hardware-specific license file based on the destination server’s Media Access Control (MAC) address for installation. This does limit possibilities since you have to contact Expand Beyond technical support if you need to move the product from one server to another. And you must have the serial number to access updates and documentation on the Web site. In addition, you’ll need a whole slew of components to get the software to work. It’s highly recommended to fully read the documentation before installing. It’s true that this should be a best practice in any situation, but honestly, who really does this in a test environment? Once you figure out how it works, installation is actually fairly straightforward.

PocketAdmin requires a few components to work. The first is the XBAnywhere server. This is the administrative component that allows pocket devices to access remote administration. XBAnywhere is based on the Apache Tomcat Web server, automatically installed during the installation of the server component. In addition, you’ll need the Windows Gateway application, which connects to an AD domain. Expand Beyond components require a Java runtime—also automatically added—but rely on the .NET Framework to access Windows Management Instrumentation (WMI). This complex architecture is probably because it also supports remote administration of UNIX and Linux environments.

PocketAdmin for Windows includes client components which can be installed on either Pocket PC or Palm devices, but these aren’t absolutely required, since either device can use a Web connection to access the management site (see Figure 3).

PocketAdmin for Windows Interface
Figure 3. The PocketAdmin for Windows Interface is very clean and easy to use. The toolbar on the left gives fast access to each of the administration tools. (Click image to view larger version.)

RIM and Blackberry device support should be available in early 2004. To ensure secure access, you can use either a Secure Sockets Layer (SSL) certificate or a VPN connection, though the Microsoft VPN included in Pocket PCs doesn’t work with PocketAdmin. As with sonicadmin, you can also integrate PocketAdmin with RSA Security Inc.’s SecurID for two-factor authentication.

Once you’re connected, you’ll find a simple and straightforward administration interface. PocketAdmin lets you control both domain and local accounts. Once again, domain account creation is ad-hoc and can’t be based on templates. Though PocketAdmin works with AD, it lets you input very little information about users when creating their accounts. Of note is the easy-to-use interface. Simply point and click on one of the icons in the left hand toolbar and you’ll change management category. Though PocketAdmin works with Windows 2003, it sometimes gives error messages when performing administrative tasks. Despite this, the operations actually work. This is something Expand Beyond promises to fix in a future release.

The PocketAdmin toolbar covers most common administrative tasks such as print, file, folder and user and group management. For additional tasks, you can use the secure shell interface to access a command line and launch additional applications or scripts. Overall PocketAdmin is simple to use, if not to install, and provides as complete a set of functionalities as the other two products reviewed.

Wireless Devices Used
Testing wireless administration requires a lab that covers the gamut of wireless devices, or at the very least each wireless device your organization uses. And it must have a wireless access point. Since the industry is working to establish more stringent wireless security protocols, you should aim to use these to secure your wireless communications. This is why we used Wi-Fi Protected Access (WPA) for 802.11x communications.

WPA has two basic functions. First, it protects data during transition in a more secure fashion than the Wired Equivalent Privacy (WEP). Second, it provides secure access control and authenticates users. The latter is provided by an authentication mechanism based on the Extensible Authentication Protocol (EAP) that runs on Remote Authentication Dial-In User Service (RADIUS) servers. For Windows networks, this means using the built-in Internet Authentication Service (IAS), possibly along with the Windows Server Public Key Infrastructure, to support authentication.

For small businesses that must do without these complex infrastructures, WPA supports a special Pre-Shared Key mode that works with manually-entered keys or passwords. These keys are entered in each device. Once this is done, the WPA dynamic encryption key exchange process begins. WPA uses dynamic encryption keys through the Temporal Key Integrity Protocol (TKIP), another specification that has yet to be approved (expected in 2004). Finally, WPA uses “Michael,” a special message integrity check-sum that will help limit interception and decoding of TKIP keys. We used the pre-shared key mode for simplicity.

There were four servers to be administered, all running various editions of Windows Server 2003. The core server running the remote administration tools was installed with Windows Server 2003 Enterprise Edition. Client devices included one Windows XP workstation, one Palm Tungsten C device supporting 802.11b, one HP iPaq HP4150 device running the Pocket PC operating system with 802.11b and Bluetooth connectivity, one Intermec CT60 Rugged Tablet PC with 802.11b and one Motorola MPx200 Smartphone from AT&T.

Palm Tungsten C
If you’re used to a Palm Pilot, you will probably find yourself constantly looking for the Grafitti input area when working with the Tungsten C. That’s because this device is one of the first Palm devices to come with an integrated keyboard, which takes a little getting used to. But with its integrated 802.11b wireless networking, the Tungsten C quickly makes you forget all about Graffiti. The keyboard is actually one aspect that gives the Tungsten C a “thumbs up” for remote administration. In fact, it’s a lot easier to use it to type in user names and other values when testing the remote administration tools than either the Smartphone or the Pocket PC.

Palm Tungsten C
Palm Tungsten C

If Palm is your thing, this is a great model. No need to learn how to write Graffiti, access to Word and Excel documents, along with links to the Internet and e-mail wherever there is Wi-Fi access, make this a keeper.

HP iPaq HP4150
This iPaq is one of the thinnest and lightest devices on the market. It’s hard to believe it also integrates both Bluetooth and Wi-Fi connectivity. It sports a very nice design and includes a comprehensive series of applications. One of its nicest features is the removable battery, making it very easy to carry spares for extended operation. It worked very well with the remote administration tools we tested.

HP iPaq HP4150
HP iPaq HP4150

The iPaq comes packed with applications that make it very useful on the road. It takes a little time to get used to the Pocket PC software interface, but those familiar with Windows will pick it up in a jiffy. This is a great wireless device that provides a powerful package in a very small form factor.

Intermec CT60 WalkAbout Rugged 
                              Tablet PC
Intermec CT60 WalkAbout Rugged Tablet PC

Intermec CT60 WalkAbout Rugged Tablet PC
Remember the days of yore when everyone thought we’d soon get the “paperless” office? Well, they’re not far off now with the coming of Tablet PCs. The Intermec WalkAbout may be one of the devices that heralds its coming. This rugged tablet sports integrated Wi-Fi access in a small and useful format.

The WalkAbout includes two batteries for extended operation. And it supports docking and undocking without turning off the system. The nicest part of this product is its rugged aspect. Who hasn’t dreaded dropping a portable system whenever they need to move it in a hurry? Well, you can drop this one without too many worries—it’s passed MIL850 testing (for military standards), making it ready for just about anything. The Tablet PC operates very much like any Windows XP machine, so very little training is required.

Alt text here
Motorola MPx200 Smartphone

One thing you won’t do with this device is carry it in the palm of your hand, since it does weigh in at 5.5 pounds with its two batteries. It includes a hand harness so you can hold it in one hand while using it with the other, but not for long periods of time. But if you need a Tablet PC, consider a rugged edition; it will no doubt last much longer.

Motorola MPx200 Smartphone
The neatest device we tested was the Motorola Smartphone. We’ve used a lot of wireless phones, but never one this practical. It’s really easy to save and store numbers, view calls both outgoing and incoming, and access all of the standard Pocket PC features. This flip phone sports two displays: An interior high-resolution color display very much like any other Pocket PC device, and an exterior LED that announces callers, gives date and time and other system information when the phone’s closed.

The phone works like any other Pocket PC device. The carrier, AT&T, includes special features for the support of e-mail, games and other wireless essentials. Navigating and operating a Pocket PC with only phone controls does take a little getting used to, but once you’ve started you won’t want to go back. This is one device that integrates a personal digital assistant with a mobile phone very well.

—Danielle Ruest and Nelson Ruest

Sizing Them Up
Choosing between the three remote administration tools won’t be easy. Overall, each product has strong, but similar feature sets. MobileControl Administrator is interesting since it seems to offer all features in one single package, is simple to install and configure, and doesn’t require a client installation. On the other hand, you’ll require a separate solution to secure external communications. Sonicadmin requires a client install, but provides a more secure interaction on its own. Like MobileControl Administrator, sonicadmin also supports some RIM and Blackberry devices which extends its wireless reach. PocketAdmin for Windows doesn’t necessarily require a client install, but like MobileControl Administrator, requires a third-party solution for secure operation. On the other hand, XBAnywhere supports the administration of Windows, Linux and UNIX servers, so if you manage a heterogeneous environment, this might be the ideal tool.

If you need to acquire a mobile Windows administration solution immediately, and don’t mind waiting for the update, you can select MobileControl Administrator for Windows now and upgrade later to gain more functionality. If you want a more secure solution out of the box, then choose sonicadmin. If you need heterogeneous systems management, PocketAdmin for Windows is your best bet.

Online Resources

See more about role-based server administration in “Windows Server 2003 Pocket Administrator” by Ruest and Ruest from Osborne
www.Reso-Net.com/PocketAdmin.

Microsoft Security Operations Guide
www.microsoft.com/downloads/details.aspx?FamilyID=
f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8&DisplayLang=en

Using the Remote Desktop with a Pocket PC
www.microsoft.com/windowsxp/expertzone/columns/bridgman/
02june10.asp

Remote Desktop for Pocket PC by Software Agency LLC
www.pdautilities.com/product.phtml?id=100

Microsoft Mobile Home
www.microsoft.com/windowsmobile/products/smartphone/
default.mspx

WPA Wireless Security Update for Windows XP
http://support.microsoft.com/?kbid=815485

Palm Tungsten C
http://store.palmone.com/product/index.jsp?productId=
1283239&cp=1157580&clickid=mainnav_handhelds_txt
&parentPage=family#featBen

HP iPaq T4150
http://h10010.www1.hp.com/wwpc/us/en/sm/WF05a/
215348-64929-215381-314903-f43-349042.html

Intermec CT60 Rugged Tablet PC
www.intermec.com/eprise/main/Intermec/Content/Products/
Products_ShowDetail?section=Products&Product=CMPTRCT60&
Category=CMPTR&Family=CMPTR2

Motorola MPx200 Smartphone
www.microsoft.com/windowsmobile/devices/devicesdisplay.aspx?
module=deviceDisplay;Smartphone;americas;70
or
www.attwireless.com/personal/products/phonedetails.jhtml;
dsessionid=MPNMXKCVDTGTTB4R0EHCFEY?id=1200009

 

Table 1. Wireless Administration Tasks—Use this information to identify which tool offers the administrative coverage you need. A missing feature may not have an impact if you don't require management of that particular server role.
Administrative Activity ASG-MobileControl Administrator for Windows Sonic Mobility sonicadmin Expand Beyond PocketAdmin and PocketDBA
Generic Administration
User and Group Administration X X X
Server Administration X X X
PC/Mobile Device Administration X X X
Security Management Y Y Y
Administration of Server Roles
File & Print Servers (Shared Folder and Printer Administration) X Y Y
Web Servers (IIS Administration) X X X
Collaboration Servers (Exchange Administration) X Y Y
Identity Servers (Active Directory Administration) X X X
Infrastructure Servers (DNS, DHCP, WINS Administration) Y Y Y
Terminal Servers (Terminal Services Administration) 0 0 0
Application Servers (SQL Server Administration) X Y X
Legend: X Provides full functionality; Y Provides partial functionality; 0 Does not provide any functionality

 

Table 2. Wireless Administration Tool Criteria—With the coming of Windows Server 2003, tools that make use of the .NET Framework will be more popular because it's integrated into the OS. Tools that have a zero footprint on wireless devices may also be more popular since no installation is required. But the tool you choose must also support all the administration tasks you have to handle. Use this table with Table 1 to identify the tool that best suits your environment.
Criteria ASG-MobileControl Administrator for Windows Sonic Mobility sonicadmin Expand Beyond PocketAdmin and PocketDBA
Requires IIS Yes No No
Required Database MSDE
SQL Server
MSDE Pointbase
MMC TaskPad No Yes, with full TaskPad No
.NET Framework 1.1 Support No No Yes, but also Java runtimes
Windows Installer MSI No Yes Partial
Require Client Software No Yes Yes and No
Device Support
Web Interface Yes No Yes
Smartphone Yes No Yes
Rim & Blackberry devices Yes Yes Yes (expected in January, 2004)
Pocket PC Yes Yes Yes
Palm (OS 5 and newer) Yes Yes Yes
Tablet PC Yes Yes Yes
Windows Desktop Yes Yes Yes

Featured