Solved

Remote user Laptop setup (join to domain or local, and vpn options?)

Posted on 2009-05-04
Last Modified: 2013-11-25
Here is the environment.
I have a Cisco ASA 5505 with a VPN tunnel running and it can accept VPN client connections as well. I also have a terminal server set up for remote access via direct RDP or VPN + RDP. I have remote users that are using all kinds of options to get here and I seem to do it differently every time trying to get the best situation. I really need some advice on how other companies handle remote workers (sales people with laptops) that work totally out of the office.
I'm setting up a new laptop and I'm weighing the options.
Do I join it to the domain or leave it as a local machine only?
Do I install the VPN client and all client side applications (ERP, Email) and have it start the VPN before boot?
Windows update to MSN or my SUS server?
AV updates to my server or the AV's server?
How much control over the remote machine is reasonable?
I know answers to my questions are likely "it depends on the situation", but I want to know what others are doing in respect to these remote workers.

Question by:-Darvin-
Accepted Solution

by:
jhyiesla earned 250 total points
ID: 24294934
We have a number of laptop users. Because of the type of company we are, we force the users to come through our network even when remote. Their laptops are on the domain, but that's primarily because they also occasionally come in to the office and it just makes it easier. We have their IE settings locked down so that they have to start up a VPN and connect to our network before being able to access the Internet.

Our IT folks have more leeway because we need to be able to quickly get to multiple things.  We connect to a VPN or also have an RDP server available much as you do.  Most of us have PCs that have been tied to the domain because it makes it easier when connected to authenticate to resources. However, my PC has never been on our network directly and isn't tied to AD.  I get on OK as well, but because I'm not tied to AD I have to do more "manual" authentication... but I'm a geek and don't mind the extra key strokes.  :)
Author Comment

by:-Darvin-
ID: 24295655
Thanks for the response. I'm still not sure what way I should go with this. Do you control the Windows updates for these machines and AV updates as well or do you let them go out to the net for that? If they are a part of the domain, do they authenticate during login, use cached credentials, or is there authentication built in to your VPN?
Expert Comment

by:jhyiesla
ID: 24295915
They should be getting security patches from our WSUS server either when they are back at the office or even while connected remotely.



Expert Comment

by:jhyiesla
ID: 24295943
Sorry hit send before I meant to:

AV should work the same... but I've had to define a group for them so that if they can't get it from my AV server the remote machines connect to the LiveUpdate server.
Expert Comment

by:jhyiesla
ID: 24295947
We use simple MS VPN to a RRAS server through our Cisco PIX. So in our scenario they don't actually authenticate to the domain, but because they are using their domain name and password to gain access to the laptop, when they need a resource, that seems to work without further authentication.   The only problem would be if these machines never were on the LAN, like my support computer, when we change passwords, we need to remember to either change it on the PC or log onto the PC with old creds and then we would be prompted for each resource... but this wouldn't be any different than not having the computer bound to AD and having to deal with authentication.

We are considering doing away with the VPN and forcing the users to access the LAN via a secure RDP session. We're also considering using a new device from the Pano folks (www.panologic.com).  They have a new remote dongle that is supposed to hook to any PC and give users access from there.  The downside of this is that it does require having a virtual environment at the LAN site.  In essence the users would use the remote device to connect to a virtual desktop... haven't tried it yet, so don't know how well it works.

Personally, if you have enough resources available on the server, I think the RDP option probably gives a more smooth experience, but we've used VPN for years and haven't really had any major issues with it.