Remote Box Office

Depending on the remote access solution you use (Citrix, Terminal Services, TeamViewer, LogMeIn), you may need to open the appropriate ports on your router(s) and server for this feature:
  • On the firewall built into this machine
  • On the main firewall protecting the office with forwarding to the appropriate ports on this machine.

Access to the terminal server from outside the main network should include VPN or packet encryption. Windows 2008 Server and later use secure access by default.

If the remote box office solution permits the feature, you should also set it up so that only specific applications can be launched and the user cannot get to the desktop. For example, Citrix provides a web interface under ISA services that allows you to permit only Theatre Manager to run. With Terminal Server, you can also force it to start Theatre Manager automatically. With Terminal Server 2012, you can restrict users so that only the Theatre Manager application can run.

Always disable outgoing web access within the Citrix or Terminal Server so that people cannot browse the internet on the Terminal Server Machine (this will prevent all viruses). You can enable web access on the local machine.

Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and file servers (PCI requirement 5.1).

Remote Ticket Selling

In most cases, the best way to do remote box office is to set up a Terminal Services server inside your network and provide a VPN solution from the remote site to the router.

An inexpensive Linksys VPN router will provide adequate router-to-router VPN services at a good price, or will provide remote VPN software for computer-to-router VPN. More expensive routers like Cisco have VPN software that accompanies the router as well.

In all cases, remote box office or work at home should be set up using a VPN connection.

If you are using remote box office and ticket scanning for access control at the same venue, you just need to connect the ticket scanner to your ticketing web site. It can use the VPN, but does not have to, so connecting to any Wi-Fi point with external access is fine.

Remote Ticket Scanners

If your venue uses wireless ticket scanners for remote venues, you will need to set up a wireless access point at the remote venue to connect to the internet. These devices only confirm a ticket was used or a person exits the venue, through a very controlled API on the scanner.

The setup of the wireless access point should be:

  1. Turn off all SSID broadcasting
  2. Enter the MAC addresses (00:00:xx:xx:xx:xx) of the scanners into the acceptable list of devices at the remote site
  3. Use WPA2 passwords

The setup and functioning of the Linea Pro wireless device is described in a separate web page.

When you need to enter in the IP address, use [tickets.yourvenue.org]/TheatreManager/1 where [tickets.yourvenue.org] is your ticket website URL.

All data traffic is done over HTTPS using secure sockets and TLS 1.2 or better transport layer encryption.

Even if you are scanning tickets at your local venue, it is often a simple matter of setting up a small hub in front of your main router so that the access points are connected to it - and they would be outside the firewall for security.

Remote Access

Remote access for Theatre Manager usually means situations for remote box office or work at home. There are a number of tools that can be used, such as Remote Desktop Connection (RDP), LogMeIn, Go To My PC, and more.

In all cases of remote access for box office, you should implement a VPN tunnel and/or SSH access, where the communication and session have strong encryption or the connection is private, per PCI DSS 4.1.

There may be additional setup considerations, as described in the following sections, based on the software you use. Your IT person should ensure that whichever software is used employs VPN or SSH.

PCI compliance requires that remote access have a user ID and password, and an additional authentication factor that includes, but is not limited to, items such as a smart card, token, PIN, biometrics, VPN, etc.
For people with remote access, you must establish passwords according to PCI DSS requirements 8.1, 8.2, 8.4 and any requirements of all sections of 8.5. In other words, the requirements for remote access passwords and authentication are exactly the same as for access to your office LAN.

 

Common remote access mechanisms that we use

While there are many vendors of remote access software, the ones that we see used most often are:

  • Using a VPN and local copy of TM for full and secure network access - best used when internet connections are fast
  • Using Microsoft Remote Access (RDP) and Terminal Server for full managed access to TM - best used when internet is marginal/poor or you need to control internal network access
  • Using a remote access tool like TeamViewer, LogMeIn, or similar to simply access your own machine from a remote location. Best when no remote ticket printing is required.

Using a VPN

The best way to access your own network from a remote location is to set up a VPN between your work location and the office router.
Your office router must be able to support VPN connections. It is generally a feature of a more expensive router, and some low cost routers may have the capability. Check with your IT support if this is an option for you.

 

Your routers and using TM over a VPN service

If your venue's routers support a VPN service to your network:

Initial, first time only setup steps

  • Ask to have the VPN Client software set up on your home computer.
  • Find the IP address of your database server. It is on the lower part of the login screen while using TM in the office. In the example to the right, the address is circled in red (the sample shows 127.0.0.1)
  • Download and run the latest 64 bit version of Theatre Manager for:

 

Each Time you Connect to the Office

  • Establish your VPN connection from your laptop to your office first
  • Start Theatre Manager and wait for the login screen. Note: the first time you will be asked to find the database. Use the IP address located as outlined in the Initial Setup steps above.
If you are using IP based ticket printers at your remote location, you will need to set up a ticket printer device that has an IP address on the remote network.
If you are in a different local time zone from your office, you will need to provide the LocalTimeZone parameter in the Theatre Manager preferences file. This is only needed if your time zone does not match the time zone setting in the company preferences->Report/Misc tab.

Microsoft Remote Access

If you are using remote access, you need to set up a terminal server to use high-security access for Remote Desktop and it should be set to disconnect or lock the terminal after a period of inactivity. (PCI requirement 12.3)
This typically needs a copy of Windows STANDARD Server version or better (not the Windows OFFICE server version). If you bought a standard server under the Techsoup donated software program, you will likely have two CAL licences for the terminal server and may need to add some additional licences.

 

Windows 2012/2016/2019/2022 Terminal Server

Terminal Server is a great way to allow access from any location to your office. It has the benefits of:

  • allowing restricted access to your internal LAN by only allowing access to specific services or programs for a user.
  • working in conditions where internet connection bandwidth is poor since it is a screen-scraper technology and optimizes only transmission of screen changes
  • allowing report printing to ticket printers on LPT ports

When connecting from any workstation to the current versions of Terminal Server, the server defaults to high encryption. It is good practice to verify that the setting has not been lowered.

Steps, with purpose and installation instructions or link:

  1. Verify Terminal Server settings. The following links detail the security settings in Windows Server 2003. Server 2003 defaults to High encryption, but it is a good practice to make sure it hasn't been lowered accidentally: support.microsoft.com/kb/814590. Terminal Server 2008/2012/2016/2019 and 2022 should default to high encryption.
  2. Verify RDP settings. RDP should be set to always prompt for a password.
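
One way to carry out both verification steps on the Terminal Server itself, as an added example that is not part of the original documentation: a read-only PowerShell check of the RDP listener's encryption level and password prompt, plus a Network Level Authentication check that goes beyond what this page lists. The function names Get-RdpSetting and Test-RdpHardening are hypothetical; the registry keys and value names are the standard Windows ones.

```powershell
# Added example: read-only audit of the RDP listener on a Terminal Server.
# A Group Policy value, when present, overrides the listener's own value.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSetting {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)
    # Policy key first, so the effective (overriding) value is the one reported.
    foreach ($key in $PolicyKey, $ListenerKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
}

function Test-RdpHardening {   # hypothetical name
    $checks = @(
        # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
        @{ Name = 'MinEncryptionLevel'; Want = '3 (High) or 4 (FIPS)'; Test = { param($v) $v -ge 3 } },
        @{ Name = 'fPromptForPassword'; Want = '1 (always prompt)';    Test = { param($v) $v -eq 1 } },
        # Assumption: requiring NLA is an extra check, not one this page lists.
        @{ Name = 'UserAuthentication'; Want = '1 (NLA required)';     Test = { param($v) $v -eq 1 } }
    )
    foreach ($c in $checks) {
        $s = Get-RdpSetting -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = if ($s) { $s.Value } else { '(not set)' }
            Expected = $c.Want
            Pass     = [bool]($s -and (& $c.Test $s.Value))
            Source   = if ($s) { $s.Source } else { '' }
        }
    }
}

$report = @(Test-RdpHardening)
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} RDP setting(s) are weaker than expected: {1}" -f `
        $failed.Count, ($failed.Setting -join ', '))
}
```

Run it in an elevated PowerShell session on the Terminal Server; it only reads the registry and changes nothing.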

TeamViewer Remote Support

Artsman uses TeamViewer for remote support. This is designed to only run if the user launches the application, contacts Artsman and permits the support team to have access to their machine for the purpose of diagnosing a problem on a one time basis.

Remote access is to be