Aimless Ramblings from a Blithering Lunatic . . .

Just another Microsoft MVPs site

Category: 2057

Which RMM?

Ah, the great debate in the SMB Managed Services realm:  what is the better Remote Monitoring & Management (RMM) solution?  I don’t know how many times I’ve been asked this question by SMB providers, so I decided it would be beneficial for a no-holds-barred comparison of the products I know.  Obviously, it will not be a comprehensive comparison of every available solution, since I am only going to compare the products I know and have worked with first hand:  IT Control Suite, Level Platforms’ Managed Workplace, and Kaseya.

This will be a multi-part series, with each entry focusing on one aspect of RMM functionality (monitoring, patching, scripting, remote access, etc.) and providing a comparison of how each of the three solutions approaches the functionality and how well they deliver, noting gotchas to be aware of.

For those of you who aren’t familiar with me, I have been involved with providing managed services in the SMB space since mid-2003.  In mid-2004 we were one of Level Platforms’ earliest customers.  In early 2006 we added Kaseya and started running it side-by-side with Managed Workplace.  Finally, in mid 2008 we began working with IT Control Suite as well.  I spent two years as CTO of MSPSN, and during that time MSPSN offered vendor-agnostic NOC services, allowing SMB MSPs to use whatever RMM product they wanted.  Part of my duties included administering multiple RMM installations to keep them in sync with MSPSN’s standardized monitoring and ticketing configuration, but also training NOC staff on these products as well.  As a result, I have in-depth first-hand experience with these products.  I know each one’s killer features, what they do well, what they could do better, and in some cases what they flat-out don’t do.

Before we dive in with the series, it is important to note that if you are providing Managed Services, and do not have any RMM solution in place, any one of these is a viable choice that will enhance your offering(s) and help streamline your service delivery.  There is no wrong answer – just a potentially better answer depending on your needs and priorities in an RMM solution.  Just be aware that no RMM is truly “set it and forget it” – they all require on-going administrative effort to keep doing their job well, although some do require less admin overhead than others.

Taking the Plunge

I did it.  No – hell didn’t freeze over, and no – pigs aren’t flying.  But yes, I just recently did some network reconfiguration here at the office, moving from a dual-nic SBS Premium setup with ISA 2004 to a single-nic setup with a hardware router/firewall instead.   Gasp!  The horror! . . .

I’ll admit that for a long time I thought it would be a cold day in hell before you could pull ISA from my dead hands – but I would also be lying if I didn’t tell you that I definitely had a love/hate relationship with ISA – and it usually depended on the hour as to whether I was loving it or hating it.

So what is my thinking?  You know, if someone figures that one out would you please clue me in? smile_teeth    

Like most technology decisions, this was motivated by business needs – both the business needs of our clients as well as our own business needs to profitably deliver quality services to our clients.  First – we’re seeing an increased demand in managed security with the SMB client.  Second – we are continuously looking for ways to increase productivity and gain efficiency.  Third, we’re revamping our product offerings to better line up with our core business as an MSP by adding products that allow for additional recurring revenue opportunities.

So, the big question is what did we decide on to replace ISA 2004 in our office?  CheckPoint’s Safe@Office 500W Unified Threat-Management device.  Now why did this solution win out?

1)   Affordability / Flexibility.  The CheckPoint has several base models to choose from (wired or wireless with 5/25/Unlimited clients)  And nice add-on services including gateway anti-virus, anti-spam, web content filtering, etc.  The base models make it affordable to get this device into smaller clients who wouldn’t normally consider ISA.  Additionally, the add-on services allow clients to purchase features cafeteria-style and provide us with additional recurring revenue.

2)   Efficiency in Management.  CheckPoint offers their Security Management Portal for centralized management of these devices.  Their SMP was designed and built from the ground up for target MSPs and how we work: 

      *   Everything you can configure locally via the device can also be configured centrally from the SMP.  Additionally, with the SMP we can create groups with common configurations and apply those group settings to multiple devices very quickly and easily. 

      *   The SMP also streamlines setting up site-to-site VPNs between devices.  Simply build your VPN community in the SMP and pick the devices you want to belong to that community, then the SMP will generate the necessary configuration and push out to each of the devices.  This also allows you to have IPSec VPNs between devices that can only get dynamic public IPs.  When one device’s IP changes, it notifies the SMP which automatically updates the configuration on the other devices in the VPN community. 

      *   The SMP allows you to customize both administrative and customer-facing reports, so you can change the layout, the content, and even the look and feel to match your branding.  Customer-facing reports offer a lot of nice, colorful graphs which make sense to CXO level individuals at your clients. 

      *    The SMP is available either in a hosted solution, or in a purchase and run on your own server setup.

From a technical standpoint, there are pros and cons to both ISA and the CheckPoint (or other hardware firewalls).  There are a lot of things that ISA does better than many hardware devices – primarily web publishing, with its ability to inspect http traffic and route requests based on HTTP host headers, as well as providing egress filtering that integrates with Active Directory.  Where ISA falls short is when you have a service provider who needs to efficiently manage multiple installations at different customer sites with different needs.  Sure, I could probably build a repository of management scripts, and use Level Platforms’ Managed Workplace to push those scripts out to our managed client base, but why recreate the wheel – and run the risk of having to recreate those scripts as subsequent generations of ISA are released? 

Also, I will admit that I am beginning to question the feasibility of ISA on SBS.  I still don’t fully buy in to some people’s arguments that ISA on SBS is inherently insecure.  I’m beginning to question the feasibility of ISA on SBS not because of the security implications, but of the added complexity in setup and administration.  If you look at the SMB space and the SBS customer – their needs are changing.  Two years ago we could sell an SBS Premium to a customer who relied on Exchange and file shares.  In that scenario, adding ISA to the mix wasn’t that complicated or that big of a deal.  The customers we’re encountering today are looking for much more diverse and mature solutions.  Our typical SBS-based deployment is now a multiple-server environment.  SBSers are doing more with Exchange – particularly in terms of mobility, depending on SharepPoint for workflow management, version controls and increased collaboration, instead of simply document storage.  Our SBS clients are also much more likely to be running at least one Line-Of-Business app – in our experience most likely Dynamics GP and/or Dynamics CRM.

When you start putting all of this on to one box, change management becomes a bit of a challenge to say the least.  And even us long-time ISA fans have to admit that ISA is usually the first thing to come up when we start thinking about moving services off our SBS.  But investing in another box, plus another Windows Server license, plus ISA is often hard to swallow – especially when you look at it from a customer perspective and include services to install and configure that box.  From a business standpoint, when you compare that option to a solution like the CheckPoint that offers a significantly lower entry point, provides the MSP with a mechanism to recurring revenue, and provides a pre-build solution to efficiently manage a large number of devices from one central location, and it becomes a bit of a no-brainer.

Now the question is just how well this is going to work.  We’re now at 4 days since CheckPoint has replaced ISA in our office, and so far so good.  I’ll be sure to report back on my post-ISA experiences  smile_regular

The depth of Managed Services

So, the long-lost SBS Show episode #15 has finally been found and posted . . .


I will admit that I’m pleased with this podcast (albeit I despise hearing my own voice, ugh) . . .  the one thing I notice is that for how large this podcast is (35MB) and how long it is (a solid 90+ minutes) – all I can think about are all the things we didn’t get a chance to talk about – about how the pillars relate to each other, the technical targets with monitoring systems, how to build your contracts, how to evaluate your performance, how to qualify leads (and more importantly, disqualify leads), etc.


So, hopefully this SBS Show will be enough to whet your appetite . . .   because we’re going to have a lot of material we’re going to cram into our Mobilize SMB Tour workshops . . .


And FYI – several venues are well over half-full already . . .   so if you haven’t signed up yet, I’d encourage you to do so before space runs out!