Solved

Remote user Laptop setup (join to domain or local, and vpn options?)

Posted on 2009-05-04
Last Modified: 2013-11-25
Here is the environment.
I have a Cisco ASA 5505 with a VPN tunnel running and it can accept VPN client connections as well.  I also have a terminal server set up for remote access via direct RDP or VPN + RDP.  I have remote users that are using all kinds of options to get here and I seem to do it differently every time trying to get the best situation.  I really need some advice on how other companies handle remote workers (sales people with laptops) that work totally out of the office.
I'm setting up a new laptop and I'm weighing the options.
Do I join it to the domain or leave it as a local machine only?  
Do I install the VPN client and all client side applications (ERP, Email) and have it start the vpn before boot?
Windows update to MSN or my SUS server?
AV updates to my server or the AVs server?
How much control over the remote machine is reasonable?
I know answers to my questions are likely it depends on the situation, but I want to know what others are doing in respect to these remote workers.

Question by:-Darvin-
5 Comments
 
LVL 28

Accepted Solution

by:
jhyiesla earned 250 total points
ID: 24294934
We have a number of laptop users.  Because of the type of company we are, we force the users to come through our network even when remote.  Their laptops are on the domain, but that's primarily because they also occasionally come in to the office and it just makes it easier.  We have their IE settings locked down so that they have to start up a VPN and connect to our network before being able to access the Internet.

Our IT folks have more leeway because we need to be able to quickly get to multiple things.  We connect to a VPN or also have an RDP server available much as you do.  Most of us have PCs that have been tied to the domain because it makes it easier when connected to authenticate to resources. However, my PC has never been on our network directly and isn't tied to AD.  I get on OK as well, but because I'm not tied to AD I have to do more "manual" authentication... but I'm a geek and don't mind the extra key strokes.  :)
 

Author Comment

by:-Darvin-
ID: 24295655
Thanks for the response.  I'm still not sure what way I should go with this.  Do you control the Windows updates for these machines and AV updates as well or do you let them go out to the net for that?  If they are a part of the domain, do they authenticate during login, use cached credentials, or is there authentication built in to your VPN?
 
LVL 28

Expert Comment

by:jhyiesla
ID: 24295915
They should be getting security patches from our WSUS server either when they are back at the office or even while connected remotely.



 
LVL 28

Expert Comment

by:jhyiesla
ID: 24295943
Sorry hit send before I meant to:

AV should work the same... but I've had to define a group for them so that if they can't get it from my AV server the remote machines connect to the LiveUpdate server.
 
LVL 28

Expert Comment

by:jhyiesla
ID: 24295947
We use simple MS VPN to a RRAS server through our Cisco PIX. So in our scenario they don't actually authenticate to the domain, but because they are using their domain name and password to gain access to the laptop, when they need a resource, that seems to work without further authentication.   The only problem would be if these machines never were on the LAN, like my support computer, when we change passwords, we need to remember to either change it on the PC or log onto the PC with old creds and then we would be prompted for each resource... but this wouldn't be any different than not having the computer bound to AD and having to deal with authentication.

We are considering doing away with the VPN and forcing the users to access the LAN via a secure RDP session. We're also considering using a new device from the Pano folks (www.panologic.com).  They have a new remote dongle that is supposed to hook to any PC and give users access from there.  The downside of this is that it does require having a virtual environment at the LAN site.  In essence the users would use the remote device to connect to a virtual desktop... haven't tried it yet, so don't know how well it works.

Personally, if you have enough resources available on the server, I think the RDP option probably gives a more smooth experience, but we've used VPN for years and haven't really had any major issues with it.