Solved

Remote user Laptop setup (join to domain or local, and vpn options?)

Posted on 2009-05-04
Last Modified: 2013-11-25
Here is the environment.
I have a Cisco ASA 5505 with a VPN tunnel running and it can accept VPN client connections as well.  I also have a terminal server set up for remote access via direct RDP or VPN + RDP.  I have remote users that are using all kinds of options to get here and I seem to do it differently every time trying to get the best situation.  I really need some advice on how other companies handle remote workers (sales people with laptops) that work totally out of the office.
I'm setting up a new laptop and I'm weighing the options.
Do I join it to the domain or leave it as a local machine only?
Do I install the VPN client and all client side applications (ERP, Email) and have it start the VPN before boot?
Windows update to MSN or my SUS server?
AV updates to my server or the AV's server?
How much control over the remote machine is reasonable?
I know answers to my questions are likely "it depends on the situation", but I want to know what others are doing in respect to these remote workers.

Question by:-Darvin-

Accepted Solution

by:
jhyiesla earned 250 total points
ID: 24294934
We have a number of laptop users.  Because of the type of company we are, we force the users to come through our network even when remote.  Their laptops are on the domain, but that's primarily because they also occasionally come into the office and it just makes it easier.  We have their IE settings locked down so that they have to start up a VPN and connect to our network before being able to access the Internet.

Our IT folks have more leeway because we need to be able to quickly get to multiple things.  We connect to a VPN or also have an RDP server available much as you do.  Most of us have PCs that have been tied to the domain because it makes it easier when connected to authenticate to resources. However, my PC has never been on our network directly and isn't tied to AD.  I get on OK as well, but because I'm not tied to AD I have to do more "manual" authentication... but I'm a geek and don't mind the extra key strokes.  :)

Author Comment

by:-Darvin-
ID: 24295655
Thanks for the response.  I'm still not sure what way I should go with this.  Do you control the Windows updates for these machines and AV updates as well, or do you let them go out to the net for that?  If they are a part of the domain, do they authenticate during login, use cached credentials, or is there authentication built in to your VPN?

Expert Comment

by:jhyiesla
ID: 24295915
They should be getting security patches from our WSUS server either when they are back at the office or even while connected remotely.




Expert Comment

by:jhyiesla
ID: 24295943
Sorry hit send before I meant to:

AV should work the same... but I've had to define a group for them so that if they can't get it from my AV server the remote machines connect to the LiveUpdate server.

Expert Comment

by:jhyiesla
ID: 24295947
We use simple MS VPN to a RRAS server through our Cisco PIX. So in our scenario they don't actually authenticate to the domain, but because they are using their domain name and password to gain access to the laptop, when they need a resource, that seems to work without further authentication.   The only problem would be if these machines never were on the LAN, like my support computer, when we change passwords, we need to remember to either change it on the PC or log onto the PC with old creds and then we would be prompted for each resource... but this wouldn't be any different than not having the computer bound to AD and having to deal with authentication.

We are considering doing away with the VPN and forcing the users to access the LAN via a secure RDP session. We're also considering using a new device from the Pano folks (www.panologic.com).  They have a new remote dongle that is supposed to hook to any PC and give users access from there.  The downside of this is that it does require having a virtual environment at the LAN site.  In essence the users would use the remote device to connect to a virtual desktop... haven't tried it yet, so don't know how well it works.

Personally, if you have enough resources available on the server, I think the RDP option probably gives a more smooth experience, but we've used VPN for years and haven't really had any major issues with it.
0
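The settings discussed in this thread (domain membership, update source, cached domain logons) can be read back from a laptop with a short read-only check. This is an added example, not part of the original posts; it assumes PowerShell 3.0 or later and the standard Windows Update policy registry values, and the helper name `Get-RegValue` is made up for the example.

```powershell
# Added example: read-only audit of a remote laptop against the points
# raised in the thread. Nothing is changed on the machine.

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or value is absent,
    # which for policy keys means "not configured".
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$cs       = Get-CimInstance -ClassName Win32_ComputerSystem
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# WSUS is in effect only when UseWUServer = 1 and a server URL is set.
$useWsus = Get-RegValue -Path "$wuPolicy\AU" -Name 'UseWUServer'
$wsusUrl = Get-RegValue -Path $wuPolicy -Name 'WUServer'
$updateSource = if ($useWsus -eq 1 -and $wsusUrl) {
    "WSUS: $wsusUrl"
} else {
    'Microsoft update servers (no WSUS policy applied)'
}

# Number of domain logons Windows caches for offline sign-in.
# A domain-joined laptop that is off the LAN signs in with these.
$cachedLogons = Get-RegValue -Path $winlogon -Name 'CachedLogonsCount'

[pscustomobject]@{
    ComputerName      = $cs.Name
    DomainJoined      = $cs.PartOfDomain
    DomainOrWorkgroup = $cs.Domain
    UpdateSource      = $updateSource
    CachedLogonsCount = $cachedLogons
}
```

A domain-joined laptop that reports no WSUS policy has not received the Group Policy that points it at the internal update server, so it is patching directly from Microsoft.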
