
Doesn't DirectAccess require everything to be ipv6?
We want to do Remote Access as well but the RDS Web Access component in Server 2008 R2 is awful from an end-user perspective especially on XP SP3 clients... needs 2-3 updates \ patches and MS still expect people to log in with DOMAIN\username format... user friendly much?
No... it needs ipv6 to function, but it doesn't require you to go purely ipv6 on your internal network.
Has anyone implemented a Citrix solution? How much did it roughly cost? Thanks
tj2419 (31st January 2012)
Just had a look for the requirements...
Bit pointless as a Remote Access solution for non-domain computers then... how many staff are using Enterprise or Ultimate... although I guess MS would argue that's not the usage scenario they've designed it for but even so...
- one or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.
- on the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
- DirectAccess clients running Windows 7 (Ultimate and Enterprise editions only).
- at least one domain controller and Domain Name System (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2.
- public key infrastructure (PKI) to issue computer certificates.

We had VPN, then couldn't get it to work through the new CISCO setup, so have been using LogMeIn, now with the free iPhone app as per LogMeIn provides a FREE App for iPhone and iPad
@chazzy2501 - Regarding the NAT limitation, I've just seen this posted on Capita's Supportnet forum, I've asked for more info, so can report back if I hear anything:
It does read quite like spam, but removed school name in case they don't want to be identified.
Here at xxxyyy School we are the only school in the world to have Sims at home via DirectAccess and we would like to share our knowledge with you.
The reason this is so spectacular is that we are behind a NAT. According to Microsoft and everyone else on the internet it is impossible to have DirectAccess working behind a NAT but we have figured it out.
We have also integrated offline files with the laptops so users work is instantly backed up here at work when they are working from home.
We can also filter the internet when the user is at home as well.
And all this happens without the user having to press a button. As soon as the laptop is on they are automatically connected to our school and will receive all new GPOs and all network programs. It really is a work computer at home.
If you would like to find out more please don’t hesitate to contact us.
What clients are your staff running? Does your login process go something like this...
- IE only browser support (quelle surprise)
- login to https://yourdomain/rdweb
- have to enter DOMAIN\username format credentials, completely different to OWA where they only need to enter their standard network username (I've edited the login page to add the DOMAIN part)
- on XP SP3 the ActiveX control is often disabled by the OS so you need a Microsoft FixIt tool to enable it via registry
- user then sees a list of RemoteApps displayed along with the Remote Desktop icon for a direct session - great
- but when loading a RemoteApp you get a warning box about the publisher (even with SSL all sorted out) that you have to dismiss
- if loading the Remote Desktop session you get prompted for credentials a second time (at least in 7 it remembers the username but not with XP). Hotfix is available for 7 but again it's another patch to install.
If using XP SP3 clients you have to make sure they have RDC 7.0 installed or WebSSO doesn't work and RemoteApp asks for credentials a 2nd time. I also found unless CredSSP is enabled it can be a bit flaky (patch + reboot required)
If yours works more smoothly I'd love to know how as MS haven't made any suggestions to fix any of the above on Technet
Just noticed you mentioned Server 2003, think it's a different setup on there from what I remember...
Last edited by gshaw; 31st January 2012 at 12:23 PM.
We use SSL explorer. All you need is a web browser & Java. It then creates a tunnel to our RDC server.
All users have access to this with their school username & password. Staff have an extra PIN code that they need to enter first.
It's a fantastic system as the user needs to do virtually no configuration at their end, no agents to install, no setting up VPN tunnels etc.
We didn't see the point in limiting it to just Staff, All users have valid use cases for it. Students without Office or other software packages can do school work from home without spending £££.
The annoying thing tho, is that SSL explorer is no more. It was bought out by Barracuda Networks who turned it into a piece of hardware kit that costs a fair whack to buy. It's something we'll have to get at some point as SSL explorer starts not working with newer OS's
Yup the Server 2003 one looks to work a lot better, not sure what the design team were smoking with the 2008 setup... login in order to login again?
Not sure if the 2003 version is as secure though (is there SSL etc?)
Last edited by gshaw; 31st January 2012 at 01:23 PM.
Yes I have made DirectAccess work behind a NAT at Gillingham school. I am the only person to have achieved this and it took over 8 months of work. You will need to contact me direct with your email address if you want to know how to do it.
Every time a user comes into our site with this as a remote access solution our firewall kills it dead! They always end up having to find a different way to get logged on, normally a direct RDP!
I'm not convinced that Direct Access is as seamless or as simple as M$ would have us believe and the backend setup is hardly Plug and Pray is it...