
Remote Access Requirements

Overview

For self-hosted customers, to build, migrate, and support your TASS environment, TASS requires low-latency remote access to the servers that run the TASS web and database services, and access to the application itself.

Staff are provided with extensive training on accessing customer instances, which is backed by strict policies regarding the purpose, methodology, and scope of the remote access. These have been audited as part of our ISO 27001 compliance process. The TASS customer database is encrypted at rest and in transit, and contains internal logging to record which staff members retrieve and use credentials to access customer sites.

If there are any changes to the access methodology or credentials, the TASS Technical Services team should be advised immediately.

Server Access

Remote access is to be provided using the Microsoft Remote Desktop protocol in a manner that is compatible with the official Microsoft Remote Desktop clients for Windows and macOS. Third-party clients or other services that embed components of the Remote Desktop protocol are not acceptable. Authentication is via username and password with an account for exclusive use by TASS. For additional security, consider the following strategies:

  • Whitelisting connections to the IP addresses used by TASS (highly recommended):
            52.62.181.211
            54.206.13.200
            123.100.144.58

  • Using a Microsoft Remote Desktop Gateway.

  • Using a non-standard port (other than 3389).

  • Regularly changing the password.

  • Regularly installing the latest Windows security updates.

  • Configuring account lockout policies to mitigate brute-force attacks.

For best performance, it is recommended to allow both TCP and UDP connections.

Full administrator access to the servers that run TASS is required. This includes complete read/write access to the file system where TASS is installed, and the account will require membership of the “sysadmin” Server Role on the Microsoft SQL Server instance.
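The following is an added example, not code from the TASS documentation, showing how the Server Access requirements above can be applied on the Windows server that hosts TASS: inbound RDP (TCP and UDP) restricted to the three TASS addresses listed on the page, an optional non-standard port, an account lockout policy, local administrator and file-system rights, and membership of the "sysadmin" role on the SQL Server instance. The account name, TASS install path, SQL instance name and firewall rule names are assumptions; only the IP addresses come from the page. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the TASS documentation): applying the Server Access
# recommendations on the Windows server that hosts TASS. Run elevated.
# Assumptions: account name, install path, SQL instance and rule names.
# The three IP addresses are the TASS addresses listed on the page.

$TassAddresses = @('52.62.181.211', '54.206.13.200', '123.100.144.58')
$RdpPort       = 3389                 # set to a non-standard port if desired
$TassAccount   = 'CORP\tass-support'  # assumed: account for exclusive TASS use
$TassPath      = 'D:\TASS'            # assumed: folder where TASS is installed
$SqlInstance   = 'localhost'          # assumed: SQL Server instance name

# 1. Scope inbound RDP to the TASS addresses. The built-in "Remote Desktop"
#    rule group is disabled so the scoped rules are the only way in; both TCP
#    and UDP are allowed, as the page recommends for performance.
#    Caution: if your own session arrives over RDP from an address that is not
#    in the list, add it (or work from a console session) before running this.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP $proto - TASS addresses only" `
        -Direction Inbound -Protocol $proto -LocalPort $RdpPort `
        -RemoteAddress $TassAddresses -Action Allow -Profile Any | Out-Null
}

# 2. Optional: move the RDP listener off 3389. Takes effect after the
#    Remote Desktop Services service (TermService) restarts.
if ($RdpPort -ne 3389) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'PortNumber' -Value $RdpPort -Type DWord
}

# 3. Account lockout to blunt password guessing against the RDP account:
#    lock after 5 failures for 30 minutes; the failure counter resets after 30.
#    On a domain-joined server the domain policy overrides this local setting.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Full administrator access plus read/write rights on the TASS folder.
Add-LocalGroupMember -Group 'Administrators' -Member $TassAccount -ErrorAction SilentlyContinue
icacls $TassPath /grant "${TassAccount}:(OI)(CI)F" /T | Out-Null

# 5. "sysadmin" server role on the SQL Server instance (needs the SqlServer
#    module: Install-Module SqlServer). Uses Windows authentication.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$TassAccount')
    CREATE LOGIN [$TassAccount] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$TassAccount];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql

# 6. Verify: every enabled inbound rule on the RDP port should be scoped to
#    the TASS addresses, not "Any".
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$RdpPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
```

The verification step at the end is the check to repeat after any change to the access methodology: an enabled inbound rule on the RDP port whose RemoteAddress is "Any" means the whitelist is not in effect.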

Application Access

The TASS System Administrator (“root” user) is reserved for use by TASS representatives or in emergencies.

Should LDAP or SAML be enabled, a user account must be created for TASS use which is mapped to the “root” user, and the credentials supplied to TASS.

VPNs

The following requirements apply if a VPN is required for connection to a customer’s server or TASS application:

  • The VPN must be compatible with the latest supported versions of Windows and macOS.

  • Straightforward connection instructions must be provided.

If a VPN client is required (eg it does not use the built-in VPN platform in the OS):

  • A download link and installation guidance must be provided.

  • It must be up to date.

The following configurations are not supported:

  • VPNs using the PPTP protocol.

  • VPNs that require root certificates to be installed.

Multi-Factor Authentication (MFA)

The only supported method for multi-factor authentication (sometimes known as two-factor authentication or 2FA) is TOTP codes (the same technology used by generic multi-factor authentication apps such as Google Authenticator). To enable this, contact the TASS helpdesk, and arrange to provide the secret key (sometimes provided in the form of a QR code). Some identity providers (eg Microsoft Azure) can be configured to allow multi-factor authentication to be set up upon the next user sign-in, which is a secure way to provide the secret key.

Multi-factor authentication methods that require the use of a specific app, SMS messages, phone calls, or hardware tokens, are not supported.

Named Accounts

The most efficient way to provide TASS with access to self-hosted systems is to use a shared account that any authorised TASS staff member can use.

TASS understands the need to balance service delivery with security, so if it is preferred to use named accounts, the following requirements apply:

  • TASS is not able to advise customers as staff come and go. As such, the customer is required to provision access to staff members that require it upon request. These requests can come in response to support tickets logged by the customer. Customers may wish to enforce expiry dates on these accounts to prevent extended usage.

  • Customers can interact with TASS representatives via the Customer Hub, email, or phone call. Mobile phone numbers will not be provided by TASS Customer Care or Professional Services teams, so SMS exchange of details or multi-factor authentication credentials is not possible.

  • The customer will need to arrange for named accounts to be mapped to the TASS.web “root” account to allow the TASS staff member to log in to the TASS.web instance. This can be performed in TASS.web > System Admin > Users > LDAP/SAML Maintenance. 

Access Requests

Response time goals are defined on the basis that remote access to systems is readily available upon receipt of the support request or authorisation to proceed with a project or service. If remote access needs to be further arranged (for example, to provision or enable accounts), this will increase the time to respond to and resolve support requests or undertake the requested project or service. TASS is not responsible for any delays caused by the inability to access customer systems.

Supply of Credentials

When credentials are supplied to TASS representatives (eg usernames and passwords), they should be sent through separate communication methods. For example, the username might be supplied in an email, and the password may be read over the phone.

Further Information

Refer to the:

  • Helpdesk Service Level Agreement

  • Software Licence Agreement

Both can be found under the user menu at the top-right of the TASS.web interface (look for the person icon).
