-Darvin- asked:

Remote user laptop setup (join to domain or local, and VPN options?)

Here is the environment.
I have a Cisco ASA 5505 with a VPN tunnel running and it can accept VPN client connections as well. I also have a terminal server set up for remote access via direct RDP or VPN + RDP. I have remote users that are using all kinds of options to get here and I seem to do it differently every time trying to get the best situation. I really need some advice on how other companies handle remote workers (sales people with laptops) that work totally out of the office.
I'm setting up a new laptop and I'm weighing the options.
Do I join it to the domain or leave it as a local machine only?
Do I install the VPN client and all client-side applications (ERP, Email) and have it start the VPN before boot?
Windows update to MSN or my SUS server?
AV updates to my server or the AV's server?
How much control over the remote machine is reasonable?
I know answers to my questions are likely "it depends on the situation", but I want to know what others are doing in respect to these remote workers.

ASKER CERTIFIED SOLUTION
jhyiesla
-Darvin- (ASKER)

Thanks for the response. I'm still not sure what way I should go with this. Do you control the Windows updates for these machines and AV updates as well or do you let them go out to the net for that? If they are a part of the domain, do they authenticate during login, use cached credentials, or is there authentication built in to your VPN?

They should be getting security patches from our WSUS server either when they are back at the office or even while connected remotely.



Sorry hit send before I meant to:

AV should work the same... but I've had to define a group for them so that if they can't get it from my AV server the remote machines connect to the LiveUpdate server.
We use simple MS VPN to a RRAS server through our Cisco PIX. So in our scenario they don't actually authenticate to the domain, but because they are using their domain name and password to gain access to the laptop, when they need a resource, that seems to work without further authentication.   The only problem would be if these machines never were on the LAN, like my support computer, when we change passwords, we need to remember to either change it on the PC or log onto the PC with old creds and then we would be prompted for each resource... but this wouldn't be any different than not having the computer bound to AD and having to deal with authentication.

We are considering doing away with the VPN and forcing the users to access the LAN via a secure RDP session. We're also considering using a new device from the Pano folks (www.panologic.com).  They have a new remote dongle that is supposed to hook to any PC and give users access from there.  The downside of this is that it does require having a virtual environment at the LAN site.  In essence the users would use the remote device to connect to a virtual desktop... haven't tried it yet, so don't know how well it works.

Personally, if you have enough resources available on the server, I think the RDP option probably gives a more smooth experience, but we've used VPN for years and haven't really had any major issues with it.