Solved

VPN Remote Access

Posted on 2006-06-29
Last Modified: 2010-04-18
Hi All,

I want to set up remote access for staff at home to log in and access a program. The problem is that I have been told that by using a VPN on its own, the network will be at the mercy of the users' security updates, service packs, virus definitions and general health of their machine.

I was told that using Terminal Server and purchasing TS CALs for each staff member was the safest way to go.

Can someone please tell me how most people set up remote access to give protection from outside viruses and give best remote access speed?

Please give me some detailed information, because I am confused, and my boss wants to know why he has to pay for a TS CAL for each staff member and a Windows Server CAL for each staff member when he thinks we should just use VPN. Is VPN on its own safe?

Thank you
Question by:JSCHS
5 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 250 total points
ID: 17015616
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm

http://www.onecomputerguy.com/networking/xp_vpn.htm

Ports needed are at the bottom.

Or you can install Terminal Services, but it is a lot more expensive.
 

Author Comment

by:JSCHS
ID: 17015651
Sorry, to be more clear, I have already set up a VPN client and have access into the network. The question I am proposing is should I now tell all staff how to get in. The reason I ask this question is if their computer is riddled with viruses etc. then our network will surely be affected.

This is why I am asking for help. How do I protect my network from viruses etc. from users at home?

That's why I suggested Terminal Services, because a user simply logs into the terminal server and uses its virus protection, security etc.

Please help
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17015730
If you have a decent AV on your server it should look after you.

However, if you know the machine is riddled then no way would I let them in.
 
LVL 2

Accepted Solution

by:SkUllbloCk
SkUllbloCk earned 250 total points
ID: 17016766
Jay_jay70 was right in what he said. The crux of the matter is if you want remote access, then you are already opening up a door for security issues, but you should already know that, and have weighed up both the pros and cons of having the VPN.

The best and cheapest solution is to set up the VPN with the highest possible security, and only probably use some sort of key distribution (pre-shared key is what we use) with some rather strict rules set up for who has access, what ports, and what media are allowed before the client is granted access to the server. L2TP over IPSec is a very good idea, and try to limit the authentication challenge to one thing (MS-CHAP v2, I recommend).
But then we still come to the problem of viruses coming from the client machine. As Jay_jay said, make sure you have a good corporate AV in place for both the client and home systems.
Make sure the user that logs on from home has limited permissions on the server; use the deny permission rather than the "no permission" strategy for shares and resources that the client doesn't need access to.

Run AV scans and malware scans every day on the server (scheduled) to make sure that you are properly protected.
Make sure you have proper backup policies in place.

Ideally the terminal idea is the safest, but it is indefinitely more expensive.

So here is what I suggest. Find out the cost involved for the terminal solution, weigh it up against the chances of a virus on the client home system, determine the value of your data integrity, and what the downtime cost would be of restoring the server if it is compromised.
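
The difference between an explicit deny and simply granting no permission, as recommended in the answer above, shown as an added example that is not part of the original post. It is a simplified model of an ordered DACL access check (explicit entries only, no inheritance); the group names, users and rights masks are constructed for illustration.

```python
# Added illustration: simplified model of a Windows DACL access check.
# Group names, users and rights masks are constructed for this example.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group name
    mask: int      # rights covered by this entry

def canonical(aces):
    """Explicit entries are stored deny-first; the sort is stable per kind."""
    return sorted(aces, key=lambda a: a.kind != "deny")

def access_check(token, dacl, wanted):
    """Walk the entries in order and stop at the first decisive one.

    token  -- set of names the caller holds (user plus all groups)
    wanted -- rights requested
    """
    granted = 0
    for ace in canonical(dacl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & wanted & ~granted:
            return False          # a matching deny ends the check
        if ace.kind == "allow":
            granted |= ace.mask & wanted
        if granted == wanted:
            return True
    return False                  # rights were never fully granted

# Constructed scenario: a home user who belongs to Staff and RemoteUsers.
HOME_USER = {"alice", "Staff", "RemoteUsers"}
OFFICE_ONLY = {"bob", "Staff"}

# "No permission" strategy: RemoteUsers has no entry on the share at all.
NO_ENTRY = [Ace("allow", "Staff", READ | WRITE)]
# Deny strategy: RemoteUsers is explicitly denied on the share.
EXPLICIT_DENY = NO_ENTRY + [Ace("deny", "RemoteUsers", READ | WRITE)]

def compare():
    return {
        "home_no_entry": access_check(HOME_USER, NO_ENTRY, READ),
        "home_explicit_deny": access_check(HOME_USER, EXPLICIT_DENY, READ),
        "office_explicit_deny": access_check(OFFICE_ONLY, EXPLICIT_DENY, READ),
    }
```

With no entry for RemoteUsers the home user still gets in through Staff; only the explicit deny closes the share to that account. The deny follows the account's group membership, not the connection path, so it applies to that account in the office as well.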