Overview
Remote Access allows an authorized user to securely view or control the desktop of a managed computer.
The system is designed around four core principles:
Strong identity verification
Short-lived, least-privilege credentials
Automatic connectivity selection
No inbound firewall requirements
All remote sessions are explicitly initiated by an authenticated user and are fully attributable.
🧩 Components Involved
A Remote Access session involves three coordinated components:
IT Agent Platform (Web)
Authenticates users
Authorizes remote sessions
Issues short-lived credentials
Coordinates relay connections when required
Receiver (Admin-side Desktop App)
Runs on the administrator’s machine
Authenticates using platform-issued credentials
Establishes the remote desktop connection
Agent / Sender (Target Computer)
Runs persistently on the managed computer
Maintains a secure outbound connection to the platform
Streams desktop data only when authorized
▶️ Starting a Remote Access Session
Navigate to the Devices page in the IT Agent portal
Select a computer that is currently online
Click Start Remote Access
What happens next:
Your browser launches the Receiver app automatically
The Receiver authenticates using a short-lived token
Connection details are fetched from the platform
The remote desktop session is established
If the Receiver is not installed, IT Agent will prompt you to download the correct version for your operating system.
🔑 Authentication & Identity Model
IT Agent Remote Access uses layered authentication to ensure both users and devices are strongly verified.
User authentication
Users must be logged into the IT Agent platform
A short-lived authentication token is passed from the browser to the Receiver when a session is launched
Receiver identity
The Receiver does not store long-term credentials
It requests a short-lived client certificate from the platform
Certificates are generated and rotated automatically
Agent identity
Each managed computer has its own cryptographic identity
The agent presents its certificate during session setup
Mutual verification
Before a session is allowed:
Both the Receiver and the Agent are verified
Both must belong to the same organization
Certificates must chain to the platform issuer and be within their validity window
This prevents unauthorized tools or machines from participating in a session, and it stops a valid credential from one organization being used against another.
🧾 Certificate Design (Security Details)
Remote Access uses ephemeral client certificates rather than static or long-lived keys.
Key characteristics:
Issued on demand
Valid for a short duration (hours, not days)
Automatically regenerated when required
Bound to both user identity and organization
This design limits the damage from a compromised Receiver: a stolen certificate expires within hours and is only accepted inside its own organization, in line with zero-trust practice.
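The mutual verification and certificate design just described, as an added example in Go (not the product's code): a stand-in platform issuer hands out four-hour client certificates with the principal in the CN and the organization in O, and AuthorizeSession applies the checks the page lists (chain to the issuer, validity window, same organization). The single-issuer layout, the lifetime, the names and the subject fields are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PlatformCA stands in for the platform's issuer. Assumed design: one issuer,
// with the organization recorded in every certificate's subject.
type PlatformCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewPlatformCA(now time.Time) (*PlatformCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Platform CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	return &PlatformCA{Cert: cert, Key: key}, err
}

// IssueEphemeral issues a client-auth certificate bound to a principal (user
// e-mail for a Receiver, device ID for an Agent) and an organization, valid for
// four hours (assumed; the page only says "hours, not days"). The key is made
// here to keep the example self-contained; a real client would send a CSR.
func (ca *PlatformCA) IssueEphemeral(principal, orgID string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: principal, Organization: []string{orgID}},
		NotBefore:    now.Add(-time.Minute), // tolerate small clock skew
		NotAfter:     now.Add(4 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// AuthorizeSession is the mutual check: each certificate must chain to the
// platform issuer, be inside its validity window at now, and be usable for
// client authentication; both must then name the same organization.
func AuthorizeSession(issuer, receiver, agent *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for name, cert := range map[string]*x509.Certificate{"receiver": receiver, "agent": agent} {
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("%s certificate rejected: %w", name, err)
		}
	}
	if ro, ao := receiver.Subject.Organization, agent.Subject.Organization; len(ro) != 1 || len(ao) != 1 || ro[0] != ao[0] {
		return fmt.Errorf("receiver and agent must name one and the same organization")
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewPlatformCA(now)
	recv, _, _ := ca.IssueEphemeral("alice@example.test", "org-123", now)
	agent, _, _ := ca.IssueEphemeral("device-0042", "org-123", now)
	other, _, _ := ca.IssueEphemeral("device-0099", "org-999", now)
	fmt.Println("same org:", AuthorizeSession(ca.Cert, recv, agent, now))
	fmt.Println("other org:", AuthorizeSession(ca.Cert, recv, other, now))
}
```

In a deployment the same check would sit behind a mutual-TLS handshake, with each peer's leaf certificate (as presented during the handshake) passed to AuthorizeSession; a certificate from any other issuer, from another organization, or past its four-hour window is rejected before any desktop data flows.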
🌐 Connection Establishment Flow
Once authenticated, the Receiver requests connection details from the platform.
The platform responds with:
One or more direct connection candidates
Optionally, a relay endpoint (when enabled)
The Receiver then attempts to connect using the best available option.
⚡ Direct Connections (Preferred)
Whenever possible, the Receiver connects directly to the agent.
Benefits:
Lowest latency
Best performance
No intermediary systems involved
Direct connections are always attempted first.
🔁 Relay Connections (Automatic Fallback)
If a direct connection is not possible (for example, due to NAT or firewall restrictions), IT Agent can automatically use a secure relay connection.
Relay behavior:
Relay sessions are started on demand
The agent connects outbound-only to the relay
The Receiver connects to the same relay endpoint
Important properties:
No inbound ports required
No firewall rule changes needed
Relay sessions are temporary and scoped to a single session
If a relay cannot be established either, the session attempt fails closed: no session is created, and the agent never opens an inbound listener to compensate.
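The direct-first, relay-fallback selection described in the three sections above, as an added Go example that is not the product's code. The Candidate structure, the per-attempt timeout and the addresses are constructed for the example; Pick wires the selection logic to a fake network so it runs offline, where a real Receiver would pass net.Dialer.DialContext as the Dialer.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// PathKind distinguishes the two path types the platform can hand back.
type PathKind int

const (
	None PathKind = iota // returned when no path could be established
	Direct
	Relay
)

func (k PathKind) String() string { return [...]string{"none", "direct", "relay"}[k] }

// Candidate is one entry of the platform's connection-details response.
// The field names are assumed; the page does not show the wire format.
type Candidate struct {
	Kind PathKind
	Addr string // host:port
}

// Dialer abstracts the network so the selection logic can run offline.
type Dialer func(ctx context.Context, addr string) (net.Conn, error)

// Connect tries every direct candidate first, then every relay candidate,
// each under its own timeout, and returns the first path that answers.
// If nothing answers it fails closed: the caller gets an error, and the
// agent is never asked to open an inbound listener to compensate.
func Connect(ctx context.Context, cands []Candidate, perAttempt time.Duration, dial Dialer) (net.Conn, Candidate, error) {
	var ordered []Candidate
	for _, kind := range []PathKind{Direct, Relay} {
		for _, c := range cands {
			if c.Kind == kind {
				ordered = append(ordered, c)
			}
		}
	}
	var failures []string
	for _, c := range ordered {
		attempt, cancel := context.WithTimeout(ctx, perAttempt)
		conn, err := dial(attempt, c.Addr)
		cancel() // a completed dial is not affected by cancelling its context
		if err == nil {
			return conn, c, nil
		}
		failures = append(failures, fmt.Sprintf("%s %s: %v", c.Kind, c.Addr, err))
		if ctx.Err() != nil {
			break // the caller gave up; stop trying further candidates
		}
	}
	return nil, Candidate{}, errors.New("no connection path available: " + strings.Join(failures, "; "))
}

// Pick runs Connect against a fake network in which only the addresses in
// up answer, and returns the chosen candidate. A real Receiver would pass
// net.Dialer.DialContext as the Dialer instead of this stand-in.
func Pick(cands []Candidate, up map[string]bool) (Candidate, error) {
	fake := func(_ context.Context, addr string) (net.Conn, error) {
		if up[addr] {
			a, b := net.Pipe()
			b.Close()
			return a, nil
		}
		return nil, errors.New("connection refused")
	}
	conn, chosen, err := Connect(context.Background(), cands, 500*time.Millisecond, fake)
	if conn != nil {
		conn.Close()
	}
	return chosen, err
}

func main() {
	cands := []Candidate{ // constructed sample of a platform response
		{Relay, "relay.example.test:443"},
		{Direct, "10.0.0.5:7000"},
		{Direct, "192.168.1.20:7000"},
	}
	lan := map[string]bool{"10.0.0.5:7000": true, "relay.example.test:443": true}
	behindNAT := map[string]bool{"relay.example.test:443": true}
	for _, up := range []map[string]bool{lan, behindNAT, nil} {
		chosen, err := Pick(cands, up)
		fmt.Printf("reachable=%v -> %v %q err=%v\n", up, chosen.Kind, chosen.Addr, err)
	}
}
```

Direct candidates are always tried before the relay even when the platform lists the relay first, and the relay is only ever dialled outbound from both ends; when every candidate fails the Receiver reports an error rather than asking the agent to accept inbound connections.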
👀 Session Visibility & Control
While a Remote Access session is active:
The computer is marked as actively accessed
Administrators can see who is connected
Connection duration is visible
This ensures transparency and accountability within the organization.
🧑‍💼 Ad-hoc Remote Support Sessions
IT Agent supports ad-hoc remote sessions for temporary or user-initiated support.
With ad-hoc sessions, you can:
Create a scheduled or one-time session
Share a secure access link or code
Provide support without permanent agent installation
Ad-hoc sessions:
Are time-limited
Use the same authentication and security model
Do not require persistent access
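One way the time-limited, single-use property of an ad-hoc code could be enforced, as an added Go example and not the product's own mechanism: the server keeps only a SHA-256 of the code together with an expiry and a used flag, and Redeem hands back the organization so the normal certificate-based flow can take over from there. The code length, the TTL and the Store type are assumptions; the same code could equally be embedded in a link.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownCode = errors.New("unknown code")
	ErrExpired     = errors.New("code expired")
	ErrAlreadyUsed = errors.New("code already used")
)

// adHocSession is an assumed server-side record: only a hash of the code is
// kept, so a leaked table cannot be replayed as codes.
type adHocSession struct {
	OrgID   string
	Expires time.Time
	used    bool
}

// Store holds pending ad-hoc sessions keyed by the SHA-256 of their code.
type Store struct {
	mu       sync.Mutex
	sessions map[[32]byte]*adHocSession
}

func NewStore() *Store { return &Store{sessions: map[[32]byte]*adHocSession{}} }

// Create issues a random 16-character base32 code (80 bits of entropy) valid
// for ttl. The code is shown to the user once and is never stored in clear.
func (s *Store) Create(orgID string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 10)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sha256.Sum256([]byte(code))] = &adHocSession{OrgID: orgID, Expires: now.Add(ttl)}
	return code, nil
}

// Redeem accepts a code exactly once and only before its expiry, returning
// the organization the session belongs to. Expired records are purged.
func (s *Store) Redeem(code string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := sha256.Sum256([]byte(code))
	sess, ok := s.sessions[key]
	if !ok {
		return "", ErrUnknownCode
	}
	if !now.Before(sess.Expires) {
		delete(s.sessions, key)
		return "", ErrExpired
	}
	if sess.used {
		return "", ErrAlreadyUsed
	}
	sess.used = true
	return sess.OrgID, nil
}

func main() {
	store := NewStore()
	now := time.Now()
	code, _ := store.Create("org-123", now, 15*time.Minute)
	fmt.Println("share this code once:", code)
	org, err := store.Redeem(code, now.Add(2*time.Minute))
	fmt.Println("first redeem:", org, err)
	_, err = store.Redeem(code, now.Add(3*time.Minute))
	fmt.Println("second redeem:", err)
	_, err = store.Redeem("NOTACODE", now)
	fmt.Println("bogus code:", err)
}
```

Because only the hash is stored and the record is marked used on first redemption, a code that is shared too widely or intercepted after the fact is worthless: it either has already been redeemed, has expired, or never existed.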
🌍 Network & Firewall Requirements
IT Agent Remote Access is designed for restrictive environments.
Requirements:
Outbound HTTPS access from the agent
No inbound firewall rules
No port forwarding
All coordination occurs over secure outbound connections.
🛠️ Troubleshooting
Receiver does not launch
Ensure the Receiver is installed
Download the latest Receiver if needed
Restart your browser and try again
Connection fails
Verify the computer is online
Confirm the agent service is running
Retry the session (credentials refresh automatically)
Intermittent issues
Logging out and back in refreshes authentication
Restarting the Receiver regenerates certificates
If problems persist, contact support with the computer name and approximate time of the issue.
🧠 Why This Architecture Matters
IT Agent Remote Access is intentionally designed to:
Avoid static credentials
Minimize long-lived trust
Reduce network exposure
Provide clear session attribution
Scale securely across organizations
This approach delivers powerful remote access without compromising security posture.
✅ Summary
Remote Access in IT Agent provides:
Certificate-based authentication
Automatic connection selection (direct or relay)
Strong identity verification on both ends
Transparent session visibility
Support for permanent and ad-hoc access
