Small Business IT Consultant using Spiceworks

computerguyjeff · 2017-05-26T16:37:16.000Z

Hi,

I’m a small business IT consultant. I have a dozen client that are less than 10 computers, 3 larger clients that have more than 10 computers, and a couple dozen home user/SOHO customers. Two of the three larger clients, I setup local spiceworks servers and and will be looking into the helpdesk product for them as well. For the smaller clients who call me several times a year, I’ve started creating an installation as follows:

An Amazon EC2 server (t2.micro) with SpiceWorks running, port 443 open
On my home network, I loaded the Spiceworks agents on my personal server & main workstation and pointed them to the EC2 server on the Amazon cloud. The inventory populated nicely for my two machines.
I turned off most of the local discovery options as there are no other local servers on my EC2 network.
I turned down the Spiceworks agent scan interval down to 1 day and connectivity check down to daily.
In the location tab, I plan to put the client’s business name and create groups separating them out.
When onsite and after getting the customer’s permission, I intend to load the Spiceworks agents on their computers so I can have an inventory reference for them and eventually to provide them with the helpdesk functionality of Spiceworks.

I’d like to get people’s thoughts and ideas on this type of Spiceworks setup. I have a couple specific issues I’d like to hear from people about, but I’d like to hear anything helpful you have to say or any cautions you may have.

I’d love to take it down from the t2.micro to the t2.nano instance to save some money, but it was unuseably slow and the processor utilization was spiking all the time on the t2.nano config. Any thought on optimizing it to work with the smaller instance type?
When I start setting up the helpdesk and people have to actually open the web from this site, the self-issued certificate from my web server will be a nuisance.
1. What is the best way to fix this?
2. What is the cheapest way to fix this?
3. Does Amazon have a solution since I’m using their cloud computing center?
Security… Security… Security… With this having two ports including 3389 to the Internet, what is my best bet to keep it secure and the data within safe? Since my small clients are on dynamic IP addresses, I can’t limit by IP address.
This method will get the PCs where I put the agent, but won’t allow for inventory of other devices such as printers, routers, switches, etc. I was contemplating messing around with the RRAS service on the EC2 instance and seeing if I can get a local scan when onsite of the other items on the network. Any ideas on this?

Ok, I’m off to start playing with the helpdesk portion of the Spiceworks product, so I may add more to this discussion later.

Thanks inadvance,

Jeff

owenmpk · 2017-05-27T13:47:30.000Z

I love Spiceworks but have found that it does not scale well down to small offices in that it is more trouble then it is worth and small clients do not want to fill out a help desk ticket, they want to speak with you.

computerguyjeff · 2017-05-28T04:06:52.000Z

True, but they also like to send e-mails and the helpdesk supports e-mail based ticket. I’m not sure how helpful it’s going to be or if it will be useable in this type environment, but if I get nothing else but the inventory working, the next time a client calls, a quick look at the Inventory information may give me some insight into their situation. Still, I’d like to use this product for whatever it can provide for me.

As a side-note, I think I’ve worked out how to minimize the requirements for the CPU & Memory on the EC2 instance. I was running Chrome on the RDP session of the t2.micro instance to access and make changes through the Spiceworks Console interface. After watching the processes, I found it was the Chrome browser instance that had the Spiceworks Console Interface running that was bashing the CPU & memory. I started running the Spiceworks Console interface from my PC and everything is working much better. I haven’t switched it down to a t2.nano instance type yet, but my memory is 25% available and the CPU doesn’t spike any more.

Jeff

davehaertel · 2017-05-30T17:24:55.000Z

If the inventory is your biggest concern, the agent → central installation is probably your best bet, if you’re not quite as concerned about the inventory but want to centrally manage your ticketing system, I’d suggest the cloud installation of Spiceworks that they host that way you aren’t managing a server instance, they are. One central email from any of your clients will generate a ticket and gives you one point of management.

Just curious, with such a relatively small number of computers, is the inventory part of Spiceworks that essential to you?

computerguyjeff · 2017-06-02T00:34:13.000Z

It’s not essential, rather I see a use for it in my business. I don’t know how many people here are running HOME/SOHO MSPs, but for that side of my business, I might get a call once or twice a year from some clients. Unless I recorded detailed information about their equipment, I’m discussing the situation with them blind. I imagine getting a call, filtering down to that users devices, and then that call which was blind now has some light behind it. Are they running a machine with 2GB of RAM? Are they running an Old dual-core? Were they low on disk space? What version of Windows are they running? My HOME/SOHO clients are usually looking for a quick in and out without extra non-essential work. This has the benefit of collecting a lot of information quickly that I can reference later. It would also give me the opportunity to be more proactive with these clients. Anti-virus out of date for over a week? Critical event registered? I call them and maybe get some billable time from warning them about a possible problem. OTOH, I’m hoping that my current larger clients find the helpdesk useful. If they do, maybe more billable time comes my way. Right now it’s all in the “playing around with it” stage, so it may bottom out with no results, but so far, I’m happy with what I can do. There are definite areas that could be improved for MSPs, but if that’s not a focus for Spiceworks, I can see where they wouldn’t want to put a lot of development into it. I do think it’s a marketable area though if the system realized it was a SOHO, the advertisements might give me more focused advertisements for my needs.

Jeff

davehaertel · 2017-06-02T01:11:25.000Z

There’s definitely no question that the data the inventory part provides is amazing and it sounds like you would definitely get solid usage out of it.

I’d love to take it down from the t2.micro to the t2.nano instance to save some money, but it was unuseably slow and the processor utilization was spiking all the time on the t2.nano config. Any thought on optimizing it to work with the smaller instance type?
- Not sure on this, Spiceworks is really pretty tight running right out of the box, so not sure what you could do to optimize there, sounds like you’ve already cut off most of the non essential stuff like the network scan.
When I start setting up the helpdesk and people have to actually open the web from this site, the self-issued certificate from my web server will be a nuisance.
- Two thoughts on this, one is you could use the email only portion. The other is, if you do want to use the portal, there are plenty of places out there for fairly inexpensive certs and Amazon I believe has a service to help install them for their servers. Take a look here for some recommendations on finding a cheap cert: Cheap SSL Certificates
- What is the best way to fix this?
  - Honestly, I use 100 percent email at work, none of our faculty and staff use the portal, even though it could be integrated with Active Directory, it’s just easier with email and the tickets anywhere utilization.
- What is the cheapest way to fix this?
  - Check above link for inexpensive certificates
- Does Amazon have a solution since I’m using their cloud computing center?
  - I believe they offer a service to help install, not sure if it’s free or charged.
Security… Security… Security… With this having two ports including 3389 to the Internet, what is my best bet to keep it secure and the data within safe?
- I assume you mean 3389 inbound? To RDP to your server? You could use a non standard RDP port if Amazon allows you to configure NAT on your side or you could use something web based that will negotiate UDP going out Like GoToMyPC or Logmein and shut off 3389.
Since my small clients are on dynamic IP addresses, I can’t limit by IP address.
- Actually you could use a DUC service here running on the client machines, like DynDNS and whitelist their domain names
This method will get the PCs where I put the agent, but won’t allow for inventory of other devices such as printers, routers, switches, etc. I was contemplating messing around with the RRAS service on the EC2 instance and seeing if I can get a local scan when onsite of the other items on the network. Any ideas on this?
- Not sure on this one, maybe use another scanner service running on one of the client machines? Like https://www.advanced-ip-scanner.com/ it’s free and fairly robust for a free device scanner would certainly pick up all the printers, switches and the router. It doesn’t have a WMI part so you won’t get supply levels and things like that out of the printers, but at least you could get to them quickly if you needed to and it would give you Mac address, IP address, web access, things like that.

computerguyjeff · 2017-06-02T01:50:37.000Z

Great Info. Thanks.

I’ve never done a certificate in a production environment before. Not much need for that in small IT support and for web development and such, the web developer usually handles all of that. I played around with one once, but never did anything production with one, so I guess I’m gonna have to dig around a bit and figure it out.

For the DynDNS, my experience has been that most routers require IP addresses for whitelists rather than a domain name. Some of them will do a lookup and put the IP address in for you as a moment in time, but due to the overhead, won’t do continuous tracking on a domain name. Windows Server firewall might have the ability as I believe it caches resolution information locally when running the DNS service, so there wouldn’t be much overhead. I’ll have to look into that as my DynDNS account has 20 slots that I’m not using. If I remember correctly, you get 30 dynamic entries and I’m sure I’m only using 10 or less. I’ll let you know if I figure anything out with that. Also, a VPN service like Hamachi might work, but I’ll have to look into that, when LogMeIn bought them up, they started scaling back the free services and I’m guessing will eventually go all pay at caviar pricing like they did with LogMeIn remote… then they went and bought lastpass and I’m just waiting for the other shoe to drop. sigh

I will definitely look at the e-mail option, but it just looks slick if the client can click on a taskbar item, jump to a form and input their own ticket. I need to update the frontpage to have a “Or click here to e-mail a ticket” link.

On the utilization, I think I may be able to take it down to the small instance. I was running the browser from within the instance to do the initial setup, configure and work with the SpiceWorks setup. Once I got port 443 opened, I was able to take my working environment to a less restricted environment. I’ll have to see what I get billed this month. I think it was like $20 a month for a very small instance like that. My nano instance was around $10/month when I left it running, but I normally shut it down when I was done working and started it up when I started it again and my bill was $3 plus or minus for the disk space. Once it’s production for users and has a static IP assigned, shutting it down will not be feasible or cost effective since Amazon doesn’t charge for the static IP as long as the instance is running, but if you turn it off, a minimal hourly charge starts accruing that adds up.

As far as changing the RDP port number, I tried that in the past, and obfuscation didn’t not seem to provide any added security and caused the end-users no end of problems. A smallish client (5 users or so) had a hacker trying to break in with some type of bot that was trying common credentials. When I changed the port, the attacks continued as they found the new port w/o a problem, but I had problems with the users. I switched it back, upgraded to a sonic wall router and blocked the IP address of the culprit. Unfortunately, the IP address changed quite a bit. The customer ended up shutting down the server and moving to a Synology NAS for offsite file access. AFAIK, it’s worked well for them, but I just got a monthly report today indicating multiple bad sectors on one of the disks, so I sent off a note telling them a repair was in order. I’ll have to see if there is a way for Spiceworks to monitor a Synology NAS through remote access. That would be another good use for the product.

Thanks Again, you’ve given me some good ideas to chomp on here.

Jeff

davehaertel · 2017-06-02T02:51:28.000Z

Yea, Logmein really kinda ticked me off when they pulled the rug out from everyone. I was even fine when they dropped it to 10 for their free account but I wasn’t at all surprised when they pulled it out completely. Yea the hack and slash mentality out there now is pretty crazy, I run a web server as a side gig and I actually had to go to a hardening service and pass that cost on to my hosting customers because of the absolute non stop attacks going on it. It’s such a waste of time, energy and money.

For me, the DUC client running on the user’s machine has always worked for me, if you can white list the host name that would probably be a good option, have a look at DynDNS’s new client, it’s dead simple and as long as the ISP isn’t blocking the update port on the outbound, which they shouldn’t be, it should get a solid update every time. I’ve had to use it for my home server because my ISP won’t provide a static to anyone in a residential home, even though it’s a commercial account. Makes no sense but this is a good work around for me.

I’m not sure if Spiceworks can monitor the Synology, but Synology does have a web service that you can remotely connect to your Synology and operate as if you were local, it’s actually really solid. I have friends and family all with Synology boxes that I setup for them, I just login remotely and run parity and consistency checks once a month and they are good to go. Here’s a link to their Quick Connect product page: Synology NAS External Access Quick Start Guide - Synology Knowledge Center

I’ve installed certificates before, it’s a bit daunting but if you take your time and find the right tutorial it won’t be that bad. Also check, I think Amazon can help you install the certificate.