gshaw Posted January 8, 2009

We've got a few outcentres that need access to our MIS system for taking enrolments etc. At the moment we've had VPN connections in at those centres which meant...

ADSL line
IPCop firewall PC
Small switch
Domained PC for VPN

Which is obviously a fair bit of kit and setup. What I was thinking of doing was setting up a virtual server with the MIS app on and making it accessible via remote desktop over the web. Could cut the config down and just require an Internet connected PC but I'm not sure about the security implications? Has anyone done this and what tips would you give? Thanks

mrforgetful Posted January 8, 2009

We have a computer running SIMS.net that a couple of senior members of staff can access from home using a simple Remote Desktop session. They're responsible and understand the security implications completely, always ensuring to log out and not give information out at all that may compromise the system.

jamesb Posted January 8, 2009

What operating system are you using? I ask because Windows 2008 has a nice little Remote Apps over web service that sounds like it would be perfect for what you're trying. Sets up a web page with icons for programs which can be run, then acts as though they're being run natively on the client PC, depending on how you've set it up.

bossman Posted January 8, 2009

@gshaw: Check this out: SIMS Remote Access [Bishop Barrington IT Wiki]. We have since updated a couple of items but in principle this works great and 128 Bit encryption for security. All our Teaching Staff are using it to do certain tasks in Sims.net.

SYNACK Posted January 8, 2009

As long as your endpoint computers are secure with proper AV + malware protection and you are using something like server 2008 SSL VPNs for the remote app traffic this should be secure enough depending on your passwords. Personally I would not trust raw RDP traffic, the encryption is better in the newer versions but I would still be securing it with some extra form of encryption if it was me.

Out of interest, why the need for a domain machine at the remote site? You can still use VPN without the station being domain joined. Using RDP from your new virtual server over the existing VPN infrastructure could be your easiest solution.

gshaw Posted January 8, 2009

The MIS app in question needs an ODBC connection to get to the SQL data, which relies on Windows Authentication so without logging in as domain user it probably wouldn't work. It's been set up that way for longer than I've been here so guess that was the reason.

The Server 2008 remote app does sound nice but until I get my Hyper-V server running I haven't got any 2k8-compatible hardware to run it on (stupid SuperMicro servers). Had to buy add-on cards for NIC and SCSI to get this Hyper-V box ready so fingers crossed it will do the trick.

With the Remote Apps is it only "well behaved" apps that will run? We don't use SIMS, it's an app made for Adult Education, as mentioned before needs the ODBC connection and some other bits and bobs set up for it to work.

If we still need the VPN to connect over it probably won't make much difference as the problem is with the cost of the extra Internet lines and need for firewall box to protect it as well.

Out of interest what speeds does a VPN need to run well? We've got these Griffin Copperstream lines at the moment that are 512kb up and down, which is mega slow... could we just use a normal ADSL line with slower upload speeds? I've disabled roaming profiles on the VPN machines via Group Policy to try and speed things up as logon times were shocking before.

SYNACK Posted January 8, 2009

Here is a MS paper on TS scaling which should give you an idea: http://www.microsoft.com/windowsserver2003/techinfo/overview/tsscaling.mspx

The bandwidth usage is minimal though, around 20k per session depending on how complicated the screen is, less under 2008 server due to better compression.

gshaw Posted January 8, 2009

How about VPN, particularly upload, is it quite heavy on the connection?

SYNACK Posted January 8, 2009

VPN is just encryption on the traffic that you are sending/receiving, depending on the data it can add probably 5-10% onto the amount of data transmitted in either direction but this also depends on the type of VPN in use. If you mean RDP, its upload footprint is less as there is just mouse and keyboard input to redirect usually.

gshaw Posted January 8, 2009

In that case I guess the faster download the better as far as login goes. The MIS app probably is sending data both ways but I think the BT Total Broadband connection we're looking at should beat 512kb up\down in worst case scenario anyway.

kylewilliamson Posted January 8, 2009

My understanding was that up until server 2k8, TS encryption is fairly flawed.

bossman Posted January 8, 2009

@kylewilliamson: it all depends on the client encryption, but it is better than no encryption and as I don't have the money to build a VPN server plus licenses for the staff, RDP via terminal services will suffice until I get sims web parts next budget and then I will have SSL through normal browser (better still).

kylewilliamson Posted January 8, 2009

We've got RDP port forwarding over SSH.

fiendishlyclever Posted January 9, 2009

> We've got RDP port forwarding over SSH.

I've done this as well (to connect to machines at home) - easy to set up and quite secure. Worth checking out.
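
The RDP-over-SSH forwarding mentioned in the last two posts, sketched as an added example that is not part of the original thread and not any poster's configuration. It assumes an OpenSSH client on the outcentre PC and an SSH gateway in front of the RDP server; the function names, the default local port 13389 and any host names passed in are illustrative.

```shell
#!/bin/sh
# Added example: RDP carried inside an SSH local port forward.
# Host names used with it are placeholders, not values from the thread.

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Reject empty names, names starting with "-" (they would be parsed as ssh
# options) and anything outside a conservative host/user character set.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
}

# Print the ssh command line for the tunnel.
#   $1 = SSH gateway (user@host)  $2 = internal RDP server  $3 = local port
tunnel_cmd() {
    gateway=$1 rdp_host=$2 local_port=${3:-13389}
    valid_port "$local_port" || { echo "bad local port" >&2; return 1; }
    valid_host "$gateway" || { echo "bad gateway name" >&2; return 1; }
    valid_host "$rdp_host" || { echo "bad RDP host name" >&2; return 1; }
    # -N                    forwarding only, no remote shell
    # ExitOnForwardFailure  abort rather than run without the forward
    # 127.0.0.1 bind        other machines on the local LAN cannot use the tunnel
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:3389 %s\n' \
        "$local_port" "$rdp_host" "$gateway"
}

# Open the tunnel only when arguments are given; with none, just define the functions.
if [ "$#" -ge 2 ]; then
    cmd=$(tunnel_cmd "$@") || exit 1
    echo "Point the RDP client at 127.0.0.1:${3:-13389}" >&2
    exec $cmd   # unquoted on purpose: names were validated to contain no whitespace
fi
```

With this arrangement only the SSH port has to be reachable from the Internet; the RDP port stays on the internal network.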