Goodbye AnyDesk? Here’s how to set up your own free, self-managed RMM with Tactical RMM (practical guide in Spanish)

If you’re involved in support and system maintenance, you know how painful it is to juggle a “Swiss Army knife” made of 6 different tools and three subscriptions per site: remote access, inventory, patches, scripts, alerts… Tactical RMM is the open-source alternative to have all that in a single console, on your server, and without paying per endpoint. It’s no hype: in less than 2 hours you can get it up and running, deploy your agents, and start monitoring, patching, remote accessing, and automating with your own RMM.

This article isn’t a sales pitch: it’s a step-by-step playbook covering architecture, requirements, deployment, security, “gotchas,” and how to switch from AnyDesk (or similar) to integrated remote control with clean processes.

What exactly is Tactical RMM?

It’s an RMM (Remote Monitoring & Management) that combines:

• Backend/Panel: Django (API) + Vue (UI)
• Agent (Windows/Linux/Mac): written in Go
• Remote access: native integration with MeshCentral (desktop remote like TeamViewer, real-time shell, file management)
• Messaging/Queues: NATS
• Data: PostgreSQL + Redis

What it provides practically

• Monitoring (CPU, RAM, disk, services, events) and alerts (email/SMS/Webhook)
• Scripts (Batch, PowerShell, Python, NuShell, Deno) on demand or scheduled
• Centralized Windows patching (policies and maintenance windows)
• Inventory HW/SW
• Real-time remote control (desktop, shell, files)
• Chocolatey for software deployment

Supported agents

• Windows 7/8.1/10/11 and Server 2008R2 → 2025
• Linux with systemd (Debian/Ubuntu, CentOS/Alma/Rocky, Synology 7, FreePBX, etc.)
• macOS (Intel and Apple Silicon) — agent and extras available via project sponsorship

Minimal architecture (and why two DNS records)

• Ubuntu 22.04 LTS VM (recommended): 4 vCPUs, 8 GB RAM, 80–120 GB disk
• Docker + Docker Compose: deploy everything in containers (RMM, API, NATS, Redis, Postgres, MeshCentral, TLS proxy)
• Two DNS entries:
  • rmm.tudomain → panel/UI
  • api.tudomain → API/Agents (separates attack surface; easier to add WAF/CDN if desired)
• TLS: Let’s Encrypt (Caddy/Traefik/nginx) for HTTPS on both FQDNs

Typical ports: 80/443 (proxy), 4222 (NATS internal), 5432 (Postgres internal), 6379 (Redis internal), 443/4430–… (MeshCentral). Expose only 80/443.

Deployment in 90–120 minutes

Pre-deployment: create DNS A records rmm.tudomain and api.tudomain pointing to your VM’s IP. Open 80/443 and 22. Enable UFW and SSH with keys (no password).

1. Install base dependencies

sudo apt update && sudo apt -y upgrade
sudo apt -y install git curl jq ufw
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p $DOCKER_CONFIG/cli-plugins
curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 \
  -o $DOCKER_CONFIG/cli-plugins/docker-compose
chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose

2. Clone the repository and compose template: follow the official documentation (project link) to get the docker-compose.yml orchestrating tactical, meshcentral, postgres, redis, nats, and TLS proxy.
3. Configure variables (.env)

RMM_FQDN=rmm.tudomain
API_FQDN=api.tudomain
TZ=Europe/Madrid
DB_PASS=a-long-and-unique-password
REDIS_PASS=another-strong-password
NATS_PASS=yet-another
LETSENCRYPT_EMAIL=admin@tudomain

4. Start services

docker compose pull
docker compose up -d
docker compose logs -f --tail=100

5. Finish bootstrap

• Access https://rmm.tudomain → create admin user
• Verify https://api.tudomain/api/ responds (200/JSON)
• In the panel, configure:
  • Notifications (SMTP email, SMS if applicable, webhooks)
  • MeshCentral integration (already deployed in container: URL, key)
  • Policies by default (patching, checks, alerts)
  • Certificates (Let’s Encrypt should be active)

6. Generate agents

• In Agents → Builds, select Windows client (or Linux/Mac if sponsored)
• Define organization/site/policy, sign, and download MSI/EXE
• Bulk deployment: GPO with silent MSI or Intune/SCCM; on Linux, use .deb/systemd script

In 2 hours, you should see the first online endpoints with metrics, inventory, and remote access operational.

Security first (your RMM is a valuable target)

• TLS is mandatory (Let’s Encrypt auto-renews).
• Users: 2FA for admins; roles with minimal privileges.
• API: exposes only api.tudomain and apply rate limit at proxy.
• MeshCentral: enforce 2FA, certificates, session purge; don’t leave strange ports open.
• Backups:
  • Postgres: pg_dump daily (retention 7–14 days) → S3/Backblaze
  • Redis: persistence (RDB/Snapshot) included; copy the .rdb
  • Configs/Agents: save state folders and docker-compose.yml in a private repo
• Updates: monthly window → docker compose pull && docker compose up -d; do first in staging
• Audit: enable logging of access and policy changes; send to Syslog/ELK/Graylog

Onboarding: from zero to “useful RMM” in a single afternoon

1. Structure: create Organizations and Sites (clients/offices).
2. Base policies:
   • Monitoring (CPU >85% over 5 min, RAM >85%, disk <15%, SMART, critical services, EventIDs)
   • Patching (patch Tuesdays + nighttime window; stagger reboots)
   • Antivirus (Defender status or corporate AV)
   • Backups (agent/status if using external solutions)
3. Scripts: library with:
   • Cleanup of %TEMP%, WinSxS cache, rotated event logs
   • Reset Windows Update queue, DISM /RestoreHealth, sfc /scannow
   • Install software with Chocolatey (7-Zip, VLC, Office runtime…)
4. Alerts: define channels (Email, Slack/Teams, Webhook) by severity and schedule
5. Remote access: test desktop, shell, and files with 2–3 pilot devices
6. Inventory: tag devices (Role, Location, Critical) to segment policies
7. Automation: scheduled tasks (e.g., “monthly soft reboot” outside business hours)

And AnyDesk? Draper-free migration

• Phase 1 (coexistence): keep AnyDesk/TV as “backup” during pilot.
• Phase 2: validate MeshCentral (latency, GPU/video compatibility, UAC) and shell on real devices.
• Phase 3: remove AnyDesk from templates; leave a script for uninstallation of legacy remotely.
• Benefits: a single agent, zero per-endpoint fee, audited sessions, and access under your domain.

Costs and limits (honestly)

• Infrastructure: a decent VPS (4 vCPUs/8 GB) costs around 10–25 €/month; on-premises ≈ zero if recycling hardware.
• Licenses: 0 € per endpoint.
• Sponsorship (optional but recommended): enables Mac/Linux agents, SSO, advanced reports, code signing signatures, and supports project sustainability.
• Limits: single-node setup; true HA requires replicas (Postgres/Redis) and some magic. For mid-sized MSPs, enough; for hundreds or thousands of endpoints, plan for vertical scaling and tuning (NATS, workers, Postgres).

Maintenance and DR in 10 points

1. Snapshots weekly of VM + daily off-site backups of PG/Redis.
2. Restoration practiced: spin a clean VM, run docker compose, import PG, restore RDB, reissue certificates.
3. Updates: tag versions (compose.override) and internal changelog.
4. Monitor the VM itself (Prometheus/Netdata) and the certificate (expiry).
5. Deactivate technician accounts who no longer need access.
6. Passwords stored securely in Vault.
7. Optional WAF/CDN in front of API (Cloudflare proxied + basic rules).
8. Rate limiting and Fail2ban on nginx.
9. Log/archive retention policies to comply with GDPR.
10. Quarterly remote access test from external “hostile” network.

“Gotchas” that save you time

• Mail: set up SPF/DKIM/DMARC or alerts go to spam.
• GPO: sign MSI if required by your environment; use MSI with /qn flag and TRANSFORMS if needed for token/tenant.
• Corporate proxies: open outbound to your api.tudomain:443.
• UAC: configure MeshCentral for proper elevation (prompt for consent).
• Let’s Encrypt: avoid hitting LE limits by reusing certificates; use wildcard with DNS-01 if advantageous.
• Windows 7/2008R2: require .NET and modern TLS; test before mass deployment.

Would you use it? A real case in 1 day

• Morning: deploy on VM + TLS + base policies + 5 pilot agents.
• Afternoon: set up checks/alerts, inventory script, validated MeshCentral, scheduled auto-patching.
• Day 2: mass GPO deployment, gradual decommission of AnyDesk, support playbook: “1) remote, 2) script, 3) patch/reboot, 4) escalate.”

Result: a domain-controlled RMM, no fees, and full control over data and processes.

Frequently Asked Questions

Can I start without my own domain?
Yes, but not recommended. Buy a cheap domain and use rmm. / api. for TLS and agents. You’ll gain security and order.

How many endpoints can a 4 vCPU/8 GB VM support?
It depends on intervals and checks, but hundreds with reasonable tuning. If you exceed ~1,000, consider more CPU/RAM and fine-tune Postgres and NATS.

What if my VM fails?
Without HA, it’s downtime. That’s why snapshots + backups + a tested restoration procedure exist. You can migrate the stack to another VM in less than 1 hour if prepared.

Does it fully replace AnyDesk/TeamViewer?
For most scenarios, yes—using MeshCentral integrated (desktop, shell, files). Keep your old tool as plan B during the transition.

Is it safe to expose the API to the internet?
Yes, if you enforce TLS, 2FA, rate limiting, minimal roles, optional WAF, and keep agents and panel updated. Don’t expose internal ports (Redis, Postgres, NATS).

In summary: Tactical RMM lets you build your own RMM in one afternoon, with monitoring, scripts, patching, and remote access, without per-site charges and with data under your control. If AnyDesk/TeamViewer was your safety net, here you get the whole leg. The best part? When you’re ready to switch, the server is yours and so is the code.