How to develop customer remote access?

lanwireman

Junior Member
Sep 13, 2005
Hi everybody,

I'm in need of some help regarding customer remote access (i.e. extranet) connections. The goal is to provide selected business partners with user-specific services located in the company intranet. The remote access should be available from anywhere, anytime.

Now, the problem is how to do this. Most of the services offered are based on an MS environment (Access, Outlook) or are php/mysql-based. Currently, these services are used remotely by our own employees through a Cisco firewall. Now, I've been thinking that for external partner access, two-factor authentication should be needed, as well as a DMZ segment.

But I'm having problems coming up with different API and other interface solutions. The question is, how to offer specific Access/Outlook/php services to specific users and what is needed for this? I was thinking of Citrix Metaframe/NFuse based solution in DMZ with two-factor authentication (SecurID?), is this feasible? What other options could there be?
 

lanwireman

Junior Member
Sep 13, 2005
Anybody?

Would you use, for example, some kind of SSL-VPN solution or try to build on the Citrix architecture? Are there any other feasible options? I'd be glad if someone could point me in the right direction. :)
 

randal

Golden Member
Jun 3, 2001
Iunno, you could set up a VPN based on RADIUS auth, and depending on what realm they log in to they get assigned to a particular group of IPs, which are then firewalled/QoS'd/whatever to match whatever service level / access they have. We do something similar with PPPoA+RADIUS to provide differentiated services for DSL customers.

Second tier authentication -- at the application level -- will be critical as well. Just having them log in to restricted IP space won't always stop them from getting to apps/dbs/etc, so having security on those is a must as well.

As for using Citrix and such, that's not my bag. I also think your explanation is a little thin on what you're after. "User specific services located in the company intranet" can mean everything from email & calendaring to websurfing to direct Oracle/MSSQL/MySQL database access, who knows ... each level of services will require its own plan & design; there is no single silver bullet to make it all just work.

sorry, stream of consciousness at 12:41am --
randal
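The layered design randal sketches (RADIUS realm decides the address pool, the firewall decides which services that pool may reach, and the application checks the user again) as a small added model in Python. This is not code from the thread; the realms, pools, users and service names are constructed, and the third case shows why the application-tier check matters when a pool's firewall rules are broader than one user's entitlements.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed data: realm -> address pool the VPN hands out after RADIUS auth
REALM_POOLS = {
    "partner-a.example": ipaddress.ip_network("10.50.1.0/24"),
    "partner-b.example": ipaddress.ip_network("10.50.2.0/24"),
}

# Firewall tier: intranet services each pool may reach (hypothetical service names)
POOL_ACL = {
    "10.50.1.0/24": {"webmail", "reporting"},
    "10.50.2.0/24": {"reporting", "erp"},
}

# Application tier: per-user entitlements, checked again inside the app
APP_ACL = {
    "alice@partner-a.example": {"webmail", "reporting"},
    "bob@partner-b.example": {"reporting"},  # bob's pool can reach erp, bob himself cannot
}

@dataclass
class Decision:
    allowed: bool
    tier: str     # which tier made the decision: "radius", "firewall" or "app"
    reason: str

def realm_of(username: str) -> Optional[str]:
    """Split user@realm the way a RADIUS realm module would; None if no realm."""
    _, sep, realm = username.rpartition("@")
    return realm if sep else None

def assign_address(username: str, host_index: int) -> Optional[ipaddress.IPv4Address]:
    """Simulates the realm lookup: an address from the realm's pool, or None if unknown."""
    pool = REALM_POOLS.get(realm_of(username) or "")
    return None if pool is None else pool[host_index]

def authorize(username: str, host_index: int, service: str) -> Decision:
    """Walk the three tiers in order and report where a request is stopped."""
    addr = assign_address(username, host_index)
    if addr is None:
        return Decision(False, "radius", "unknown realm, no address assigned")
    pool = next(p for p in POOL_ACL if addr in ipaddress.ip_network(p))
    if service not in POOL_ACL[pool]:
        return Decision(False, "firewall", f"{addr} may not reach {service}")
    if service not in APP_ACL.get(username, set()):
        return Decision(False, "app", f"{username} is not entitled to {service}")
    return Decision(True, "app", f"{username} from {addr} may use {service}")
```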
 

lanwireman

Junior Member
Sep 13, 2005
Thanks for the info! The reason for the thin explanation, if you will, is that all of the offered applications are not running yet... But basically, I would assume the offered services would all be either MS-based (Outlook calendars/e-mails and Access databases with a possible web front-end) or web apps based on php/mysql (reporting, ERP etc.). The problem is what APIs can be used so that the result is:

- secure.
- accessible from anywhere.
- integrating Outlook/Access/php services to be used through one portal.

Any help? :)

 

randal

Golden Member
Jun 3, 2001
mmm, if you're going to be doing something like that -- without *really* knowing what's going on -- then a standard VPN with different types of users, or even multiple VPN servers for that matter, would be prudent, alongside a very tightly integrated intranet. I mean, VPNs and networks are great at securing & limiting IP access, but "making it accessible" and integrating outlook/access/php/ERP/other all into a sexy little portal ... mmmm, hope you have some hella good programmers.

That kind of unified backoffice scenario is the dream of management worldwide, and in the past 4-5 years as an IT guy, I've seen it done well maybe 2-3 times.
 

lanwireman

Junior Member
Sep 13, 2005
Thanks again. The thing is, this is related to my schoolwork, so basically I can't wait 'til all the applications are in place to finish it... So I'll just have to assume the rest will be based on outlook/access/php as the present ones are.

I hear that with SSL-VPN you could actually manage access to specific apps efficiently; what would you think of this? Or with the Citrix architecture (Secure Access Gateway / ICA etc.), provide a straight connection to the intranet servers where the apps are located?

Is there any situation where outsourcing the services (RAS, the whole portal and authentication) to ISP would be feasible?
 

lanwireman

Junior Member
Sep 13, 2005
Ok, sorry for replying to my own posts, but I'll give it one more shot. :)

In a nutshell: what alternatives exist for incorporating MS Office and php products into one, remotely usable portal? It needs to be secure, usable from anywhere, and users' rights should be defined individually. 1-20 users/day, at most a few concurrent connections, no need to worry about the scalability at this point. Security is important in the way that no user can bypass authentication or access any other applications but those defined for him/her. Connections should be encrypted.

I'm not necessarily looking for one "best" solution, but different alternatives. I'd value anybody's opinion on the matter. Thanks. :)