If performance is an issue, Terminal Services or Citrix is the way to go. You will NEVER be able to make an app working over a share mapped over the Internet run as fast as it would through some sort of remote connection.
In response to making this app "harder to support", if the remote sys admin is not willing to put the necessary security safe guards in place, then I would never open up my network to access by his system - period. There has to be some sort of encryption (even if between the firewalls to avoid application support problems) if you're using Windows shares over the Internet. And as far as "poorly configured VPNs": Isn't half-assing it the way that most MS "admins" work? ;-P If you can't setup a proper VPN policy, go back to school! Does this application vendor have a web-based portal to the data? That would eliminate all of these problems. Could you work with the vendor to develop one? Bryan Ponnwitz -----Original Message----- From: James (njan) Eaton-Lee [mailto:[EMAIL PROTECTED] Sent: Thursday, March 22, 2007 4:30 PM To: Bryan Ponnwitz Cc: [EMAIL PROTECTED]; [email protected] Subject: Re: Shared drives through a firewall Bryan Ponnwitz wrote: > If you're worried about connection security, just use a VPN. Or better > yet, if the servers are both Win2K or better, use IPSec. IPSec is > Microsoft's recommended solution for extending domain communications to > another LAN across the Internet. I've read the KB article on it, but > don't have time to look for it right now. IPSec/VPN mitigates some of the security issues pertaining to this scenario, but it doesn't solve all of the issues, and it raises some of its own. The OP mentioned performance issues - VPNs certainly don't resolve this issue, and would almost certainly make it worse, especially on a bad/latent connection. Depending upon who the users of this infrastructure are and how it's implemented, there are the obvious VPN NAT/reliability concerns too. A badly implemented VPN, or one implemented with equipment not capable of packet filtering on VPN traffic (as is common in environments in which people consider such nasty things as opening SMB traffic up to the internet) would allow clients - albeit authenticated clients - access to the entire internal network. Again, depending upon the identity of the users of this infrastructure are, this might be highly undesirable. A VPN or IPSec solution is also going to be harder to support, and potentially make you very unpopular with whoever supports third party clients when users don't have the rights necessary to configure a VPN, install certificates, or setup IPSec (SMB/HTTP/FTP all work as a limited user). They're also very likely to be affected by outbound firewalling on third party LANs, too... In short: I'm not saying that VPNs can't help, you just need to use them carefully; they're not a panacea, and they're far from ideal for a range of scenarios! - James -- James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org "The universe is run by the complex interweaving of three elements: Energy, matter, and enlightened self-interest." - G'Kar https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3 --
