Remote Desktop vs VPN

Posted on 2007-10-11
Last Modified: 2011-09-20
I am running a system with a server, several desktops and a few laptops for when employees are on the road. My question is: do I need to enable a VPN for the traveling employees to be able to access the server on the road, or can I just use Remote Desktop? I also need to make sure nobody else can get into my network and I am secure. The server is running Server 2003 Standard and the workstations are using XP.
Question by:MCSComputersServices
12 Comments
LVL 97

Expert Comment

by:Lee W, MVP
ID: 20060278
You should absolutely use VPN regardless of how you actually access your data.  VPN will make things more secure.  Do you have a domain setup?  Assuming you do, I would not recommend running terminal services on the server as allowing users direct access to the server could lead to major security issues (accidental changes or malicious intentional ones).  Instead, let users connect to their office desktops with remote desktop.  If some employees don't have a desktop then buy a second server to be a terminal server.  Using VPN only and opening files leaves things open to a greater chance of corruption if the connection drops.  If connecting with VPN and then using remote desktop or terminal services, if the connection drops, no data corruption is likely - just re-establish the VPN and reconnect, resuming where you left off.
LVL 4

Expert Comment

by:Beachdude67
ID: 20060280
You can indeed use remote desktop, and it is reasonably secure. At the server, go to Start > Control Panel > System > Remote.

Here you can turn on remote desktop access by checking the box and then select what users you want to allow access. By default I believe it is just admin, but RDP will only allow access to the users you specify.

I am assuming you have a router set up for your network that gives your PCs internet access. In the router you will need to create a passthrough for port 3389 from the outside of your network to the server. This is the port that remote desktop uses to connect. How this is set up will depend greatly on what kind of router it is.

Also, you will need to make sure that any firewall software you have set up also allows port 3389 through to your server. I've seen Norton Internet Security block this.
LVL 5

Expert Comment

by:bkellyboulderit
ID: 20060334
I disagree highly!!! Never open port 3389 through your firewall. Open port 1723 for RRAS to your server. Run Routing and Remote Access on server.

Once you VPN in, then you initiate a RDP session. The server will route those packets.

Only the PC software firewalls need to allow 3389, which is usually enabled.
LVL 5

Expert Comment

by:bkellyboulderit
ID: 20060361
Please see leew's comment again. PS: 1723 is the PPTP port. RRAS is Routing and Remote Access.
Author Comment

by:MCSComputersServices
ID: 20061007
I am going to use VPN to go in and then do an RDP. But I have the server up and running. It's set up as a domain controller. I am having an issue with getting other computers to be able to join the domain. It says it can't find a domain controller for the domain. The signal comes in through a modem, then to a Sonic firewall/VPN, then through a Quest router (why, I don't know), then to a patch panel and switch going out to the various wall ports. I put the PCs on the same subnet as the domain controller but it will not see it. I can't even ping it. I am sure either the Sonic firewall/VPN or the Quest router is blocking it, but if I try to bypass either one of those I lose all internet connectivity. Just an FYI, this is someone else's mess that set this all up a while ago and then abruptly left. My company agreed to help out and get things running again. Any ideas would be much appreciated since I am on an extremely small time crunch here!!!!
LVL 11

Expert Comment

by:Zenith63
ID: 20061053
I'm not sure it's just as simple as a VPN is more secure than RDP. If we're talking about RRAS here, as we seem to be, and you're not using client certificates or anything fancy like that, then your main security risk is likely to be your passwords. Anyone who gets the password can get access to the VPN just as easily as they can get access to RDP; the users will be using the exact same Active Directory username/password combos. RDP sessions are encrypted by default and this encryption can be increased to something like 128-bit.

So both a RRAS VPN and RDP are encrypted, both are protected by the exact same passwords, and one is not necessarily more secure than the other, depending on your scenario. If you are allowing users RDP to a server that is configured as a Terminal Server (and preferably isn't a DC, as leew said), at least you can control what they have access to and how they can access it; with an out-of-the-box RRAS VPN you are opening your entire LAN to that laptop. Opening a RRAS VPN and then RDPing through it doesn't make a whole lot of sense to me: you're adding the overhead of doubly encrypting data and you're opening up your entire LAN (unless you know how to configure the VPN otherwise, which most people won't) to the laptop and any potential threats on it.

As leew said, VPNs for remote file access are pretty poor most of the time; files take ages to open etc. They're good if you want to open an IP-based application directly on the laptop, but if your applications can be configured on a terminal server I'd argue that a straight RDP connection will be at least equally as secure as opening a VPN first, if not more so, as your LAN isn't open to the laptop.


Now of course if you believe the NSA will be listening in on your communications you can argue that doubly encrypting your data offers extra security, but for most of us one layer is sufficient.  Also if we were talking hardware VPNs between static IP sites then yes it's more secure as you are helping to ensure the identity of both ends.

Just my 2 cents, interested to hear what others think.
LVL 97

Accepted Solution

by:
Lee W, MVP earned 2000 total points
ID: 20061055
Check your DNS settings on the clients and server (if you're not familiar with DNS requirements in Windows, I suggest you review SEVERAL of the links here):

http://www.lwcomputing.com/tips/static/dns.asp

In short, the clients must only know about the server for DNS (they cannot use other DNS servers, even as secondaries) and the server should point to itself as well. You can set up DNS forwarders in the DNS server software component of the server to use other DNS servers, but the TCP/IP configs on the server and workstations can ONLY know about the Windows server.
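An added check for the DNS rule in the accepted answer (this is not code from the thread or from the linked page): a PowerShell script that verifies every IP-enabled adapter lists only the domain controller as its DNS server, and that the DC locator SRV record resolves through that server. $DcIp and $DomainName are placeholder values to replace with your own; WMI is used so the script also works on older PowerShell versions.

```powershell
# Added example: verify a machine follows the "DC is the only DNS server" rule.
# $DcIp and $DomainName are constructed placeholders; fill in your own values.
param(
    [string]$DcIp       = "192.168.1.10",   # placeholder: IP of the domain controller
    [string]$DomainName = "corp.example"    # placeholder: your Active Directory DNS domain
)

$ok = $true

# Every adapter with IP enabled must list exactly one DNS server: the DC.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers.Count -eq 1 -and $servers[0] -eq $DcIp) {
        Write-Host ("OK   {0}: DNS = {1}" -f $nic.Description, ($servers -join ", "))
    } else {
        $ok = $false
        Write-Host ("FAIL {0}: DNS = {1} (must be exactly {2}, no secondaries)" -f `
            $nic.Description, ($servers -join ", "), $DcIp)
    }
}

# Clients locate a DC through this SRV record; it must be answerable by the DC's own DNS.
$srv    = "_ldap._tcp.dc._msdcs.$DomainName"
$lookup = & nslookup -type=SRV $srv $DcIp 2>&1
if ($lookup -match "svr hostname") {
    Write-Host "OK   $srv resolves via $DcIp"
} else {
    $ok = $false
    Write-Host "FAIL $srv not found on $DcIp; check the _msdcs zone and that DNS is running on the DC"
}

if (-not $ok) { exit 1 }
```

Run it on each workstation, and on the server itself with $DcIp set to the server's own address, since the answer says the server must also point only to itself.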
LVL 97

Expert Comment

by:Lee W, MVP
ID: 20061116
VPN requires only one port open.  You would need to open multiple ports to use Remote Desktops on your workstations.  For one terminal server, you only need one port, but then you need a terminal server.  In addition, you're not locked into using RRAS VPN.

I just see a lot of what-ifs and VPN just makes that safer.
LVL 11

Expert Comment

by:Zenith63
ID: 20061138
Could you draw out a connection diagram for us please?  It should be something like


ADSL Line in
   |
Modem
   |
SonicWall Firewall
   |
Network Switch
   |
   +-----------+-----------+-----------...
   |           |           |
 Server       PC1         PC2         ...

The PCs need to be connected to the same switch as the server, then give the PCs IPs in the same subnet as the server (or even better, set up DHCP on the server and let it give them out). Most importantly, the PCs need to have the IP of the server entered as their primary DNS server, otherwise they won't be able to locate the DC and join the domain. Post all the details you can.
LVL 5

Expert Comment

by:bkellyboulderit
ID: 20061269
Setup DHCP on the server. You pretty much are using it anyway when you enable RRAS.

PS: If you have a SonicWall, then you can also buy SonicWall VPN licenses. It would do the VPN and be more secure than Microsoft's implementation. This is also the most costly option.
Then you would RDP to PCs....
LVL 11

Expert Comment

by:Zenith63
ID: 20061333
Yes, the SonicWall would actually add some security, though I'd still question if it is really necessary. Decent passwords should be enough in most instances. With the SonicWall VPN you have a different set of credentials for logging in and can easily set up rules to only allow VPN traffic to certain locations on the LAN.

Author Comment

by:MCSComputersServices
ID: 20067304
What about using LogMeIn, either the free version or the pro one? We use that to get access to some of our clients' computers but I'm not sure if it will work in this situation. More than one user will be on the server at one time, so that is my main concern.