Remote Desktop vs VPN

I am running a system with a server, several desktops and a few laptops for when employees are on the road. My question is, do I need to enable a VPN for the traveling employees to be able to access the server on the road, or can I just use Remote Desktop? I also need to make sure nobody else can get into my network and I am secure. The server is running Server 2003 Standard and the workstations are using XP.

Asked by MCSComputersServices
Lee W, MVP (Technology and Business Process Advisor) commented:
Check your DNS settings on the clients and server (if you're not familiar with DNS requirements in Windows, I suggest you review SEVERAL of the links here):

http://www.lwcomputing.com/tips/static/dns.asp

In short, the clients must only know about the server for DNS - they cannot use other DNS servers, even as secondaries - and the server should point to itself as well.  You can set up DNS forwarders in the DNS server software component of the server to use other DNS servers, but the TCP/IP configs on the server and workstations can ONLY know about the Windows server.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
You should absolutely use VPN regardless of how you actually access your data.  VPN will make things more secure.  Do you have a domain set up?  Assuming you do, I would not recommend running Terminal Services on the server, as allowing users direct access to the server could lead to major security issues (accidental changes or malicious intentional ones).  Instead, let users connect to their office desktops with Remote Desktop.  If some employees don't have a desktop then buy a second server to be a terminal server.  Using VPN only and opening files leaves things open to a greater chance of corruption if the connection drops.  If connecting with VPN and then using Remote Desktop or Terminal Services, if the connection drops, no data corruption is likely - just re-establish the VPN and reconnect, resuming where you left off.
 
Beachdude67 commented:
You can indeed use Remote Desktop, and it is reasonably secure. At the server, go to Start > Control Panel > System > Remote.

Here you can turn on remote desktop access by checking the box and then select what users you want to allow access. By default I believe it is just admin, but RDP will only allow access to the users you specify.

I am assuming you have a router set up for your network that gives your PCs internet access. In the router you will need to create a passthrough for port 3389 from the outside of your network to the server. This is the port that remote desktop uses to connect. How this is set up will depend greatly on what kind of router it is.

Also, you will need to make sure that any firewall software you have set up also allows port 3389 through to your server. I've seen Norton Internet Security block this.
 
bkellyboulderit commented:
I disagree highly!!! Never open port 3389 through your firewall. Open port 1723 for RRAS to your server. Run Routing and Remote Access on server.

Once you VPN in, then you initiate a RDP session. The server will route those packets.

Only the PC software firewalls need to allow 3389, which is usually enabled.
 
bkellyboulderit commented:
Please see leew's comment again. PS: 1723 is the PPTP port. RRAS is Routing and Remote Access.
 
MCSComputersServices (author) commented:
I am going to use VPN to go in and then do an RDP. But I have the server up and running. It's set up as a domain controller. I am having an issue with getting other computers to be able to join the domain. It says it can't find a domain controller for the domain. The signal comes in through a modem, then to a SonicWall firewall/VPN, then through a quest router (why, I don't know), then to a patch panel and switch going out to the various wall ports. I put the PCs on the same subnet as the domain controller but it will not see it. I can't even ping it. I am sure either the SonicWall firewall/VPN or the quest router is blocking it, but if I try to bypass either one of those I lose all internet connectivity.  Just an FYI, this is someone else's mess; they set this all up a while ago and then abruptly left. My company agreed to help out and get things running again. Any ideas would be much appreciated since I am on an extremely small time crunch here!!!!
 
Zenith63 commented:
I'm not sure it's just as simple as a VPN is more secure than RDP.  If we're talking about RRAS here, as we seem to be, and you're not using client certificates or anything fancy like that, then your main security risk is likely to be your passwords.  Anyone who gets the password can get access to the VPN just as easily as they can get access to RDP; the users will be using the exact same Active Directory username/password combos.  RDP sessions are encrypted by default and this encryption can be increased to something like 128-bit.

So both an RRAS VPN and RDP are encrypted, both are protected by the exact same passwords, and one is not necessarily more secure than the other, depending on your scenario.  If you are allowing users RDP to a server that is configured as a Terminal Server (and preferably isn't a DC, as leew said) at least you can control what they have access to and how they can access it; with an out-of-the-box RRAS VPN you are opening your entire LAN to that laptop.  Opening an RRAS VPN then RDPing through this doesn't make a whole lot of sense to me: you're adding the overhead of doubly encrypting data and you're opening up your entire LAN (unless you know how to configure the VPN otherwise, which most people won't) to the laptop and any potential threats on it.

As leew said, VPNs for remote file access are pretty poor most of the time; files take ages to open etc.  They're good if you want to open an IP-based application directly on the laptop, but if your applications can be configured on a terminal server I'd argue that a straight RDP connection will be at least equally as secure as opening a VPN first, if not more so, as your LAN isn't open to the laptop.


Now of course if you believe the NSA will be listening in on your communications you can argue that doubly encrypting your data offers extra security, but for most of us one layer is sufficient.  Also if we were talking hardware VPNs between static IP sites then yes it's more secure as you are helping to ensure the identity of both ends.

Just my 2 cents, interested to hear what others think.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
VPN requires only one port open.  You would need to open multiple ports to use Remote Desktop on your workstations.  For one terminal server, you only need one port, but then you need a terminal server.  In addition, you're not locked into using RRAS VPN.

I just see a lot of what-ifs and VPN just makes that safer.
 
Zenith63 commented:
Could you draw out a connection diagram for us please?  It should be something like:


ADSL Line in
   |
Modem
   |
SonicWall Firewall
   |
Network Switch
   |
------------------------------------------------...........
|               |                       |
Server      PC1                  PC2              ..........

The PCs need to be connected to the same switch as the server, then give the PCs IPs in the same subnet as the server (or even better, set up DHCP on the server and let it give them out).  Most importantly, the PCs need to have the IP of the server entered as their primary DNS server, otherwise they won't be able to locate the DC and join the domain.  Post all the details you can.
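A check for the DNS rule that Lee W states in his first comment and Zenith63 repeats here (the PCs must sit in the DC's subnet and must use only the DC as their DNS server). This is an added example by the editor, not code from the thread: it parses XP/2003-style `ipconfig /all` output, and the DC address 192.168.1.10, the mask and the two client configurations are assumed/constructed values.

```python
import ipaddress
import re

def parse_ipconfig(text):
    """Pull the IP address and the full DNS server list out of XP/2003 `ipconfig /all` output."""
    fields = {"ip": None, "dns": []}
    in_dns = False
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)[ .]*: (\S+)\s*$", line)
        cont = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
            in_dns = key == "DNS Servers"
            if key == "IP Address":
                fields["ip"] = value
            elif in_dns:
                fields["dns"].append(value)
        elif in_dns and cont:  # extra DNS servers appear on indented lines holding only an address
            fields["dns"].append(cont.group(1))
        else:
            in_dns = False
    return fields

def check_client(ipconfig_text, dc_ip, dc_mask):
    """Return the reasons (empty list if none) why this client cannot locate the DC."""
    cfg = parse_ipconfig(ipconfig_text)
    lan = ipaddress.ip_network(f"{dc_ip}/{dc_mask}", strict=False)
    problems = []
    if cfg["ip"] is None or ipaddress.ip_address(cfg["ip"]) not in lan:
        problems.append(f"client IP {cfg['ip']} is not in the DC's subnet {lan}")
    if dc_ip not in cfg["dns"]:
        problems.append(f"DNS list {cfg['dns']} does not contain the DC {dc_ip}")
    extra = [d for d in cfg["dns"] if d != dc_ip]
    if extra:
        problems.append(f"DNS list also has {extra}; clients may only use the DC (put forwarders on the server)")
    return problems

def _ipconfig(ip, dns):
    """Constructed XP-style `ipconfig /all` text for the demo (not captured from a real machine)."""
    lines = ["Windows IP Configuration", "Ethernet adapter Local Area Connection:",
             f"        IP Address. . . . . . . . . . . . : {ip}",
             "        Subnet Mask . . . . . . . . . . . : 255.255.255.0",
             "        Default Gateway . . . . . . . . . : 192.168.1.1",
             f"        DNS Servers . . . . . . . . . . . : {dns[0]}"]
    return "\n".join(lines + [" " * 44 + d for d in dns[1:]])

DC_IP, DC_MASK = "192.168.1.10", "255.255.255.0"          # assumed DC address, not from the thread
BAD_CLIENT = _ipconfig("192.168.1.20", ["192.168.1.1", "4.2.2.2"])   # router first, public DNS second
GOOD_CLIENT = _ipconfig("192.168.1.20", [DC_IP])
```

Run `check_client` against the real output of `ipconfig /all` from each PC that fails to join; an empty list means the TCP/IP side is consistent with the advice above.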
 
bkellyboulderit commented:
Set up DHCP on the server. You pretty much are using it anyway when you enable RRAS.

PS: If you have a SonicWall, then you can also buy SonicWall VPN licenses. It would do the VPN and be more secure than Microsoft's implementation. This is also the most costly option.
Then you would RDP to PCs....
 
Zenith63 commented:
Yes, the SonicWall would actually add some security, though I'd still question if it is really necessary.  Decent passwords should be enough in most instances.  With the SonicWall VPN you have a different set of credentials for logging in and can easily set up rules to only allow VPN traffic to certain locations on the LAN.
 
MCSComputersServices (author) commented:
What about using LogMeIn, either the free version or the Pro one? We use that to get access to some of our clients' computers, but I'm not sure if it will work in this situation. More than one user will be on the server at one time, so that is my main concern.