I work for a small business and we use a combination of VPN + RDG.  I used
to just have the RD Gateway exposed directly to the Interwebz, but we
recently increased our security posture to require 2 factor auth. for
remote access.  The simplest (and least expensive) thing for me to do was
set up 2FA on the existing SonicWall SSL VPN and force RDG access through
the VPN.  Works great.

One thing I haven't seen mentioned is that with VPN solutions you can, and
should, restrict where and how clients can reach into the network.  If you
only allow protocols and destinations that are absolutely required, it does
help to minimize the attack surface for malware, etc.


On Sun, Jan 12, 2014 at 11:57 PM, Susan Bradley <[email protected]> wrote:

> Yes, you use the iTap RDP app (now called the Microsoft RDP app, as they
> bought iTap) and you remote into a Terminal Services Remote Desktop
> Services server.  From a laptop, tablet, heck even a phone [only use when
> you are really desperate but it does work], you get into an RDS session and
> you have the same desktop no matter what you connect in from.  So if there
> are applications that are not iPad friendly (there's no app for that) it
> doesn't matter as you can get to the desktop and get into the program you
> need there.  We have a guy at the office that remotes in from an iPad and
> does his time sheet because there's no way with VPN he could do it.
>
> One 2012 R2 license as a Hyper-V parent.  Installed one with an RD Gateway
> role, the other as an RDP server.
>
> Adding a single RDP server really allows you to not only host 'desktops'
> for people remote to the office but really enables the bring your own
> device because you aren't dealing with offline files (which I have had hit
> and miss with at times) and moving data it's all in your office.
>
> You can do RD Gateway as well on the 2012 but you have to google the steps
> and it's not as easy as a wizard, is all.  He may be insane and have SA
> for all we know :-)
>
> In my experience in the SMB space with VPN whatever malware and junk gets
> on the laptop is brought into the office.  Setting up a remote desktop
> server you are by default forced to set up a scenario where the users are
> more restricted, which by definition locks down and limits the bringing in of
> malware.  Not to say that you can't nail a TS box too, just that it forces
> you to be less loosey goosey with permissions.  As I'll bet the laptops
> have admin rights.
>
> Then there's the advantage of if someone needs to remote in from home or
> another remote office, you aren't scrambling to set up another workstation.
> They take any device, you walk them through the RD Gateway settings and
> they are able to get to their same desktop again.
>
> Now here's where RDS in a small office sucks.  Small desktop scanners.  I
> had to purchase a Dell remote scanner solution to get a desktop scanner to
> transfer its files over to the RDS server.  You also have to watch some of
> the cheaper (cough HP) printers that don't handle printer redirection well.
>
> I also know of a lot of SMB software that really doesn't like being connected
> over VPN (QuickBooks hates a VPN connection but will work well with RDS).
>
> The question was "what do you recommend for best performance and
> connectivity"....
>
> And I'm answering with my personal experience with both.  Hands down for
> me and my small firm, RDS gives me the best performance over VPN.
> Everyone's mileage can and will vary.
>
>
> On 1/12/2014 6:29 PM, Ken Schaefer wrote:
>
>> -----Original Message-----
>> From: [email protected] [mailto:listsadmin@lists.
>> myitforum.com] On Behalf Of Susan Bradley
>> Sent: Monday, 13 January 2014 1:07 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] Small Remote Office Remote File Server Access
>>
>>> Server 2012 R2
>>> Enable the Essentials role.
>>> You now have Rdgateway server deployed via a wizard.  Open up RDP
>>> settings, put in the rdgateway url and you are off and running.
>>>
>> So, OP is already up for a new OS license, since they don't have 2012 R2.
>> Possibly new hardware to run this OS instance on, and what are they RD-ing
>> into? If they've taken their laptop out of the office, then presumably you
>> need an RD host as well (which means RDP CAL licensing)? Or am I
>> misunderstanding how this works?
>>
>>> I'm not talking Citrix, it's merely RDgateway/TS.
>>>
>> Why not deploy a Citrix solution? I mean, it has even more features and
>> benefits than basic Microsoft RDP based solution. The only downside is even
>> more cost - but cost seems to be irrelevant here for some reason :-|
>>
>>> VPN truly does bring in way more risk than an RDS solution.
>>>
>> "Way more risk" - what risk specifically?
>>
>> VPN would allow people to work offline/disconnected on documents. It
>> could also be implemented for $0 in CAPEX, and if it doesn't work out, you
>> could always buy what's necessary for an RDP solution. If it does work out,
>> then a whole bunch of spending's been avoided. Surely that's a relevant
>> consideration as well?
>>
>>> Added to that I can now offer up the same desktop experience.
>>>
>> I don't understand this. The users are taking their laptops or iPads with
>> them. They don't get "the same desktop" experience by utilising the same
>> device in-office and out-of-office?
>>
>> I'm not saying "don't go RDP", but I'm just not seeing any real
>> requirement that justifies the extra expense that will be involved.
>>
>> Cheers
>> Ken
>>
>> -----Original Message-----
>> From: [email protected] [mailto:listsadmin@lists.
>> myitforum.com] On Behalf Of Susan Bradley
>> Sent: Monday, 13 January 2014 1:07 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] Small Remote Office Remote File Server Access
>>
>> Server 2012 R2
>> Enable the Essentials role.
>> You now have Rdgateway server deployed via a wizard.  Open up RDP
>> settings, put in the rdgateway url and you are off and running.
>>
>> I'm not talking Citrix, it's merely RDgateway/TS.
>>
>> I don't spend a billion dollars in IT, however I am a small business and
>> thus there are different pros and cons based on the space each of us work
>> in.
>>
>> VPN truly does bring in way more risk than an RDS solution.  Added to that
>> I can now offer up the same desktop experience.
>>
>>
>> On 1/12/2014 4:15 PM, Ken Schaefer wrote:
>>
>>> I work in a "large organisation" - we spend well over a billion dollars
>>> a year on IT&T. We have both huge Citrix farms, and we have VPNs as well.
>>> I'm quite familiar with the pros/cons of the options.
>>>
>>> No one is saying that the RD solution doesn't have benefits. But there
>>> is a CAPEX and an ongoing OPEX cost to building and supporting a RD gateway
>>> solution, and it will probably be significantly more than a VPN, when the
>>> sole purpose is to access an existing file share.
>>>
>>> --
>>> http://au.linkedin.com/in/kschaefer
>>> Typed on a Lenovo Helix - apologies for brevity
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:listsadmin@lists.
>>> myitforum.com] On Behalf Of James Hill
>>> Sent: Monday, 13 January 2014 10:54 AM
>>> To: [email protected]
>>> Subject: RE: [NTSysADM] Small Remote Office Remote File Server Access
>>>
>>> VPN greatly amplifies the risk.  It creates a direct link between the
>>> client and the server for all sorts of traffic.  With RD Gateway it's only
>>> RDP traffic over https.
>>>
>>> Even for large firms, a thin solution often makes a lot more sense.
>>> The data is kept on the server so there are all the benefits of
>>> centralised data.  Performance is great as there is no perceivable
>>> difference between opening a 2MB file vs a 20MB file.  No special client is
>>> needed for Windows devices, they can even go to a RDWEB page on ANY Windows
>>> device and login.  Whether that is a home computer, hotel kiosk etc.  That
>>> means virtually zero effort required by helpdesk/desktop support as they
>>> don't have to install and configure VPN clients, manage OS and application
>>> patches or security software.
>>> The user experience is greatly improved as the user is accessing the
>>> same desktop each time.  All their shortcuts and settings are the same.
>>> They don't have to copy files from device to device.  The list of benefits
>>> far outweighs a VPN solution.
>>>
>>> As Robert has a 400Mbps internet link I don't think the small cost of 6
>>> RD licenses is going to break the bank.
>>>
>>> James.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:listsadmin@lists.
>>> myitforum.com] On Behalf Of Ken Schaefer
>>> Sent: Sunday, 12 January 2014 2:33 PM
>>> To: [email protected]
>>> Subject: RE: [NTSysADM] Small Remote Office Remote File Server Access
>>>
>>> VPN means the data /may/ be copied to the mobile device - but if I open
>>> a file from a file server, make my edits, and then save the file, it'd be
>>> saved back to the file server, and not reside on my device.
>>>
>>> Given that these people are in the office normally, they can simply copy
>>> the files onto their device when they're in the office. Having a VPN
>>> doesn't really amplify the risk.
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:listsadmin@lists.
>>> myitforum.com] On Behalf Of Susan Bradley
>>> Sent: Sunday, 12 January 2014 3:30 PM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] Small Remote Office Remote File Server Access
>>>
>>> VPN means the data will be on the laptops and on iPads.
>>>
>>> Remote desktop services means that the files stay in the network where
>>> you can protect them better.
>>> On 1/11/2014 10:17 AM, Chyka, Robert wrote:
>>>
>>>> That is where my mind is at.  Still I see simple VPN into the
>>>> Watchguard then direct access to the server shares.  I just haven't been in
>>>> the loop with smaller office technologies so I wanted to see if I was
>>>> missing anything that is newer, quicker, better without compromising
>>>> security.
>>>>
>>>> -Bob C.
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Ken Schaefer
>>>> Sent: Saturday, January 11, 2014 5:05 AM
>>>> To: [email protected]
>>>> Subject: RE: [NTSysADM] Small Remote Office Remote File Server Access
>>>>
>>>> What's wrong with a simple VPN?
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Susan Bradley
>>>> Sent: Saturday, 11 January 2014 5:43 PM
>>>> To: [email protected]
>>>> Subject: Re: [NTSysADM] Small Remote Office Remote File Server Access
>>>>
>>>> A remote desktop server that they can hit via RD Gateway. Especially
>>>> those iPads.
>>>> That would also entail a VL version of Office to be installed on that
>>>> RDS server.
>>>>
>>>> Small businesses don't buy the VL licenses in order to support direct
>>>> access.
>>>>
>>>> On 1/10/2014 8:42 PM, Chyka, Robert wrote:
>>>>
>>>>> We have a small remote office (6 users) with a Windows 2008R2 DC and
>>>>> a Windows 2012 DC/File server. The only activity this office performs
>>>>> on the network is web research and a lot of legal case document
>>>>> creation and editing - mostly in Word.
>>>>>
>>>>> At our main office we use VPN to access our file server and home
>>>>> directories remotely (Cisco ASA 5520s for VPN) and have 400 megs of
>>>>> bandwidth. At our small remote site we have the following gear:
>>>>>
>>>>> -Time Warner Business Class 25/10
>>>>>
>>>>> -WatchGuard XTM 25 Firewall (inherited, not spec'd)
>>>>>
>>>>> For remote access to our 2012 file server using either Windows
>>>>> laptops or iPads what do you recommend for best performance and
>>>>> connectivity?
>>>>>
>>>>> I was looking at Windows 2012 Anywhere Access but wanted to get
>>>>> expert opinions in the small business sector.
>>>>>