Question for Systems Admins...

Schwagoo

Junior Member
May 25, 2005
I own/operate a computer networking support/sales business. As I continue to increase my customer base, I am carefully considering the best ways to start remotely accessing customers' systems.

Currently 95% of the systems I run are 98, XP, 2000, 2003 Server, etc.

I use OpenSSH + PuTTY to run encrypted VNC and Rdesktop sessions for some clients and that seems to work alright.

Is setting up individual VPNs the way to go? This seems to work OK (but not super great) with the Linksys BEF routers...

Push is coming to shove, as I will hopefully be signing on a new customer tomorrow with 19 clients and 3 servers located an hour from my home office. I will want to install a comprehensive Raccess solution immediately for them.

Any suggestions?

Thanks!
 

randal

Golden Member
Jun 3, 2001
One of our customers is in your shoes, and they have used remote desktop with great success for individual customers. He said that he configures a VPN or uses an ssh tunnel to an existing *nix box for most businesses where there are multiple internal computers that are not directly internet accessible.

Personally, I'd do just that for the new client - set up a VPN server or a *nix box on their network and use them to tunnel your RDP & VNC sessions. $.02
 

Schwagoo

Yes...that is the simplest way to go. I dunno, VPNs just seem hairy to me.

And with VNC or RD, I haven't totally figured out the "repeating" features of VNC. I know that I can tunnel different ports to shoot through the *nix server and go straight to the workstations (5901:1, 5902:2, etc) but it is still simpler to VNC into the server THEN vnc into the local computer workstation. Not as elegant or quick, but it works every time.
 

netsysadmin

Senior member
Feb 17, 2002
Talk the client into a VPN setup for their business. This way you can remote desktop in from there and also make some money from the VPN setup.

John
 

kevnich2

Platinum Member
Apr 10, 2004
I use VPN connections also; this way I don't have to do any port forwarding, only one port open for the VPN and after that I can access any computer behind the firewall.
 

SaigonK

Diamond Member
Aug 13, 2001
RDP is encrypted traffic so it has great advantages over VNC, especially in the refresh department... of course the requirements are Win2k Server or higher.
I use RDP/VNC for all of my customers, and I have no issues. I thought of setting up a VPN connection between my major customers and me but really what's the point. They are small 5-10 user offices and the issues I deal with are small... it offers nothing for me that I can't already do via VNC/RDP.

I set up a small firewall (FVS318 v3 is a nice little unit) and then I set up port forwarding for each PC behind the firewall. The good part is you can define what port you want for RDP on the clients and then forward accordingly.
 

Boscoh

Senior member
Jan 23, 2002
If you're only going to do port forwarding with no secure tunnel, then at the very least you'll want to restrict the public IP addresses that can access that port to the IPs in the network you'll be doing the managing from. You don't want anyone to be able to hit remote desktop on those machines once they figure out what the port number is.

At the company I work for, we use an SSL "VPN" appliance and just tunnel RDP through that for remote management. It works great. Of course, the cost is prohibitive for smaller businesses.

For the smaller companies that I consult for I just create a VPN connection into their network and use that to tunnel RDP, VNC, or whatever I'm using for remote management. That way I don't have to mess with opening up any external ports and forwarding them.
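
Added example, not part of any poster's reply: a small audit of a firewall's port-forward table that flags RDP/VNC forwards reachable from outside the managing network, the restriction recommended in the post above. The rule format, the addresses and the convention that an empty source list means "any source" are assumptions made for this sketch.

```python
import ipaddress

RDP_PORT = 3389
VNC_PORTS = range(5900, 5910)  # VNC displays :0 to :9

# Constructed sample table (not from a real firewall):
# (external port, internal host, internal port, allowed source CIDRs).
# An empty source list is assumed to mean "any source".
SAMPLE_RULES = [
    (3390, "192.168.1.11", 3389, ["0.0.0.0/0"]),
    (3391, "192.168.1.12", 3389, ["203.0.113.10/32"]),
    (5901, "192.168.1.13", 5901, []),
    (8080, "192.168.1.20", 80, ["0.0.0.0/0"]),
    (3392, "192.168.1.14", 3389, ["203.0.113.10/32", "198.51.100.0/24"]),
]

def is_remote_mgmt(internal_port):
    # Key on the internal port: a non-standard external port does not
    # change which service ends up exposed.
    return internal_port == RDP_PORT or internal_port in VNC_PORTS

def audit(rules, mgmt_networks):
    """Return (external_port, reason) for every RDP/VNC forward that
    accepts connections from outside the management networks."""
    trusted = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for ext_port, _host, int_port, sources in rules:
        if not is_remote_mgmt(int_port):
            continue
        if not sources:
            findings.append((ext_port, "no source restriction"))
            continue
        for src in sources:
            net = ipaddress.ip_network(src)
            covered = any(net.version == t.version and net.subnet_of(t)
                          for t in trusted)
            if not covered:
                findings.append(
                    (ext_port, f"source {src} outside management networks"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(SAMPLE_RULES, ["203.0.113.10/32"]):
        print(f"external port {port}: {reason}")
```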
 

Schwagoo

Yes, but as I understand it, with RD, the passwords are sent unencrypted.
With SSH/PuTTY, the tunnel/shell is first established, then the password is sent and traffic begins to flow.
 

stash

Diamond Member
Jun 22, 2000