mkramer777

vpn to office

I am currently using LogMeIn Hamachi to connect 4 users to our accounting system in my office.  This has worked fine in the past, but we have updated to a more advanced accounting system and the speeds are pretty slow now.  I was using an AS/400 before and speeds were good.  I was wondering whether using terminal services would help with the speeds, or is it dependent on the speed of their internet connection?
VPN

Last Comment
Rob Williams

8/22/2022 - Mon
epichero22

I did something similar with a patient database application and Hamachi.  Once the computers were communicating over the Internet, I tried installing the database application on the client and connecting to the server.  It was incredibly slow - the server wanted to send something like 5 MB over their 768 kbps upload bandwidth just to open the application.  We switched to terminal services and got the client to remote desktop into the server, and it ran at much more acceptable speeds, so it worked in our case.
Rob Williams

Agreed.  Many database related apps will not work over a VPN due to the slow speed, and can even result in data corruption.  Databases are very 'chatty'.  Terminal services (now called remote desktop services) works extremely well even over slow internet connections since only the screen refreshes are forwarded over the wire.  Terminal services is also far more secure for many reasons, and makes for central management and control of all services and data.

If doing so, try to use Server 2012.  Server 2008 R2 SP1 with Windows 7 SP1 and newer support the RemoteFX protocol, which is terminal services on steroids.  Server 2012 and Win 8 support it out of the box and do not need the special hardware requirements.
mkramer777

ASKER
I am pretty intermediate on these kinds of issues.  I will need some advice.  I have a Windows 2008 R2 server.  It has 3 remote licenses out of the box (I think).  How would I go about implementing terminal services (remote desktop services) on the server and adding more licenses?  After adding the licenses, would all the users need be the remote IP of the server and credentials to log in?
epichero22

This is how I would go about doing it:

1. Set up Hamachi on all your clients and the server (sounds like you've got this).
2. Run Remote Desktop on your clients and connect to the server with their usernames / passwords (you can use IP address if you'd like; if they're connected to Hamachi then they should be able to route to the server).
3. Check the performance and reliability of what it is they need to do.  And if it passes, then worry about adding more licenses; you don't want to purchase licenses if they won't be able to use them effectively.

To implement terminal services, simply enable remote desktop on the server:
Right click on computer, go to properties, Remote Settings.  From here you can specify what users can and can't do.
colonytire

Add USER license to your server so both the user and device are covered, then add users to the Allowed RDP Users on your Terminal Server.  Create a VPN connection for the remote users and they can connect to the IP of your server securely.

If your Terminal server is behind a firewall, make sure you create the appropriate rules to allow traffic through.
Rob Williams

Any Windows server, except Small Business Server and Server Essentials, has Remote Desktop Services (RDS, formerly Terminal Services) built in and can be enabled by choosing to add a role.  You have no existing licenses for accessing RDS.  All Windows servers have remote access enabled for management purposes but this is not for running applications.  This is limited to 2 admin accounts, and a console access.  Accessing for the purposes of running applications without enabling RDS is a licensing violation and the server is not properly configured for doing so.  Adding the Remote Desktop Services role not only enables the service but also optimizes the server for that purpose.  Once done you have unlimited licenses for 120 days; you then have to set up a licensing server (just a service) and buy CALs (RDS client access licenses) for each user (recommended) or device.  There is no need for Hamachi at all, and it is not recommended.  This will also enable the Remote Desktop Gateway role, which allows you to securely access any device on the network using port 443 and SSL.

Enabling RemoteFX on 2008 R2 requires the server meet some hardware requirements and is a little more involved.  For an accounting app it is likely not needed, but for graphics such as AutoCAD it is a life saver.
Rob Williams

PS- The following "Step-by-step" guides for Remote Desktop Services may be helpful:
http://blogs.msdn.com/b/rds/archive/2009/07/07/new-step-by-step-guides-available-for-remote-desktop-services.aspx
epichero22

RobWill, by not using Hamachi, I'm assuming that mkramer777 would also have to set up his networking equipment for port forwarding, configure the firewall, and maybe even install a Dynamic DNS client on the server.  I usually use Hamachi to avoid these steps, but why do you say that it's not recommended?  True, it may be another step and degrade performance to some small degree, but will simplify things and since he already has it installed and running, why not use it?
Rob Williams

>>"True, it may be another step and degrade performance"
Exactly.

To add:
1) I am not against Hamachi, it is a great product, but DDNS and a single port forward is a pretty minor configuration.  Why add the overhead of a VPN, and most corporate sites have a static IP.
2) Hamachi is no longer free, though there are ways to force the free version to still work, but doing so in a corporate environment is a licensing violation.
3) Some security audits will not allow Hamachi as it is a 3rd party service that could act as a "man in the middle".
4) The other primary concern is any VPN has one major security flaw, a wide open tunnel between a remote uncontrolled network and the corporate network.  Hack the remote site and you have easy access to the corporate site, or a virus that spreads via network shares, has easy access to the corporate site.  Using just terminal services eliminates any data from traversing the connection, and by using group policy to disable remote drive connections, you protect against corporate data theft by disgruntled employees.  

Again, Hamachi is not a bad option, but I see no need.
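
Point 4 above mentions using group policy to disable remote drive connections. The following is an added example, not part of the original post: a PowerShell audit, run on the terminal server, that reads the registry values written by the "Do not allow drive redirection" policy and, as an assumption that goes beyond the post, the matching clipboard policy. The function name `Test-RdsRedirectionPolicy` is hypothetical.

```powershell
# Added example: audit RDS redirection policy on a session host.
# These values are written by the Group Policy settings under
# Remote Desktop Session Host > Device and Resource Redirection.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> what it controls. A value of 1 means redirection is blocked.
$Expected = @{
    'fDisableCdm'  = 'Client drive redirection (the setting named in the post)'
    'fDisableClip' = 'Clipboard redirection (assumption: same data-theft path)'
}

function Test-RdsRedirectionPolicy {
    param([string]$Path = $PolicyKey)

    # The key is absent when no RDS policy has ever been applied.
    $values = $null
    if (Test-Path $Path) {
        $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    }

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $prop = $null
        if ($values) { $prop = $values.PSObject.Properties[$name] }

        # A missing value means the policy is not configured, which leaves
        # redirection available to any client that asks for it.
        $state = 'NotConfigured'
        if ($prop) {
            if ($prop.Value -eq 1) { $state = 'Disabled' } else { $state = 'Allowed' }
        }

        New-Object PSObject -Property @{
            Setting   = $name
            Controls  = $Expected[$name]
            State     = $state
            Compliant = ($state -eq 'Disabled')
        } | Select-Object Setting, State, Compliant, Controls
    }
}

$report = @(Test-RdsRedirectionPolicy)
$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} redirection setting(s) not locked down by policy." -f $gaps.Count)
}
```

Run it from an elevated prompt after `gpupdate /force` so the result reflects the policy currently applied to the server.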
mkramer777

ASKER
Ok.  A bit confused.  Talking a little over my head.  Our accounting software techs log in to our server using a remote desktop connection with the IP address for the server and the correct credentials.  This is, like you said above, only for 3 user access.  If I enable terminal services (remote desktop services) will I have to do anything else or can I just add usernames and passwords that are able to access the server and run the software?  Right now when the accounting system techs are logged on I can see that 3 users are connected on the server when I click ctrl alt del.  If terminal services is enabled and I have more licenses will I be able to see let's say 10 users the same way as I see the 3? Is that how it works?

Marc
ASKER CERTIFIED SOLUTION
Rob Williams

mkramer777

ASKER
This is not a domain controller.  So my next step is to enable remote desktop services and then purchase some CALs?  Is it true about the 100 or so days I get unlimited user access?
Rob Williams

Yes, just use the server manager page and select add a role.  At some point (within 120 days) you will need to set up a licensing server, basically add the licensing service to a server of your choice, buy, and install RDS CALs.  No problem to install the licensing service on the same server as the terminal server but some prefer to install on a file server where they run daily backups so the licensing is backed up. You do not have to decide yet.  The licensing service will show temporary licenses being used for the 120 days and then refuse connections after that unless you add the CALs.

Once done, test by connecting from the LAN, and then you need to configure port forwarding, though you may already have that configured, or no need if using Hamachi.  If you want to use the remote desktop gateway service and port 443, which I recommend, you need to configure the RD Gateway service.  I believe there is a step-by-step in the link I posted earlier.

When buying CALs there are User and Device RDS CALs.  Most often User CALs are preferred.  A user CAL allows a user to connect to the terminal server from any of their devices such as PC, laptop, phone, home computer.  A device CAL only allows connections from one device, but by as many users as you like.  The latter is usually only beneficial in a situation like a call center where many users might share 1 device.