Solved

Need multiple Remote Desktop Connection functionality

Posted on 2015-01-20
25
268 Views
Last Modified: 2015-02-02
Our office currently has SBS2008, which we are losing. The Remote Web Workplace menu has a 'Connect to Computer' box which provides a list of Domain computer to which one can connect. We need a replacement for this functionality to let workers connect from outside the office.

We have a Linux host on the LAN acting as a firewall/router. I can accomplish what I want on a per-workstation basis using the following iptables command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.100:3389

This example routes any Remote Desktop Connection requests (port 3389) from eth0 (Internet connected interface) to the workstation at 192.168.0.100. That's all well and good, but I can only get to one workstation at a time. I would like something like the RWW's computer list where I could select from among workstations.

I'm going to check the VPN Topic for this question, but don't really know what I'm talking about in doing that.

How can I accomplish what I want?
0
Comment
Question by:jmarkfoley
  • 9
  • 7
  • 4
  • +2
25 Comments
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 62 total points
ID: 40562725
Option 1: use a vpn
Once you vpn, you can use the mstsc or remote desktop connection manager just like you were at the office.

Option 2: use a remote desktop gateway server. Its a role for any MS server os
http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server
https://technet.microsoft.com/en-us/library/cc754191.aspx
0
 
LVL 76

Expert Comment

by:arnold
ID: 40562774
You can duplicate the rule you have for one, by simply altering the port on the linux box which will forward to another workstation's port 3389.

Workstation2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3301 -j DNAT --to-destination 192.168.0.101:3389
Workstation3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3351 -j DNAT --to-destination 192.168.0.102:3389

This mechanism does not validate the access until it hits the workstation.
The SBS workplace you have to provide credentials before the available workstations were listed.

etc. note though a VPN is a more secure way.  

Is a VMed Terminal Service an option/considered?

The other option is to use the external services such as from logmein, teamviewer, gotomypc, etc. where you would establish an account and users will loginto it and then access the workstations that are on and connected.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40562828
If you're used to RWW I'd just install RD Gateway, as Aaron said.  It'll make the users feel like it's something they're used to, but they'll lose the access to resources via the website as the SBS is going.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40565046
Re: RWW and MS server ... We do currently use RWW, but we are losing the SBS server. The replacement server will be Linux with Samba4, so MS server based solutions won't work anymore.

Arnold:
You can duplicate the rule you have for one, by simply altering the port on the linux box which will forward to another workstation's port 3389.

Actually, I thought of that idea, but couldn't figure out how to alter the port used by Remote Desktop Connection? I didn't see any settings for this. Is that doable? If so, it might be the simplest solution.

It seem like, other than a Windows solution, VPN is the best route. I really know nothing about VPN other than the basic concept. Do users have to download an application to run on their remote computers? Is it accessed via a web page? Is there some kind of terminal server hosted on the office (Linux) server? Any recommendations on VPN software that will work with Windows/MAC remote hosts and a Linux office server?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40565096
when you use mstsc host:port will do the trick. when :port is missing, 3389 is implied.

There are different types of VPN implementations IPSEC, PPTP, L2TP over IPSEC, OPENVPN, etc.  ipsec, I think the newer windows/macs include those in and would need only to be configured. A VPN might be needed, but it might be included in some of the windows/macs.
 
this would be a remote VPN (client to server)
There are feature that enhance security/control using a connection to establish the tunnel, but to complete/authorize and pass traffic, the user is required to provide a username/password that can be centrally managed, i.e. user deactivated so does the ability to establish a VPN.

You could add to your ongoing project to have your linux box function as the VPN end point, ipsec/pptp openvpn will require a client which is availble, be installed on the client system. Sorry can not post links, but a search for "make your linux box a VPN server" will provide you several examples.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 40565146
VPN is the way forward then.  You don't really want to allow RDP to machines on your LAN direct from the internet - that's a big security issue.

The other alternative with way less overhead is just like arnold said... use 3rd-party solutions which allow secure desktop sharing/connectivity via app or web.  Google even has a plugin for Chrome to allow Remote Desktop - the user just needs to use Chrome and log in to the app from the remote machine, then it will create a secure connection via web-page.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40565294
Arnold:
when you use mstsc host:port will do the trick. when :port is missing, 3389 is implied.
Wow, that's simple. Didn't know that. That could be good for a small office setup with less than a dozen workstations. I could also not use 3389 at all and thus throw some hackers off the track.

craigbeck:
You don't really want to allow RDP to machines on your LAN direct from the internet - that's a big security issue.
Hmmm, but this article, https://security.berkeley.edu/node/94, says, "Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network." Do you disagree?

The other alternative with way less overhead is just like arnold said... use 3rd-party solutions which allow secure desktop sharing/connectivity via app or web.
I'm a little fuzzy on the 3rd party thing. How does a 3rd party provide access to workstations behind MY office server LAN?

I have been exploring and reading up on OpenVPN in particular. At http://openvpn.net/ I can download a client for Windows workstations. What I'm not finding in my search is, once the VPN connection is established between e.g. my home desktop and the office server, how I then can connect to my office workstation. Does OpenVPN or other such tools also provide some kind of terminal manger program to let users select from among configured workstations and lot on (like RWW)?
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40565400
3rd party like logmein or teamviewer.

Yes rdp sessions are encrypted, but the computer is listening to anything on that port. So not only can they brute force guess, but possibly get in though some security hole. If you have a direct ip:port->workstation, thats something that can be possibly exploited.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40565480
RDP doesn't have to be encrypted - it's optional in older versions of Windows.

Opening holes in your firewall always increases the risk of a breach especially when forwarding to a user machine.  You need to be absolutely sure that the service you're allowing is what's listening on the port you open.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40565505
Typically, you do not want to put port 3389 as the standard listening port when you do a port forward.  (This goes for ssh port 22 as well, unless it's a general access server)  The script kiddies start attacking you constantly and your logs fill up.  I've always port forward that to some other port and their standard scripts won't find it.  It's security through obscurity, but stops 99% of the access attempts on your port and works well enough for a home connection with obscure IPs.

You can still do it for a small business, but if you have a static IP and host servers, you can still easily become a target.  You're still forwarding the port so anyone that really wants to target you can still scan for your ports and find them.  If you're willing to spend some money, a VPN firewall device, like a Juniper SRX or Fortigate, would be a better way to go.  It provides access to your internal networks as if your inside and allows you to set up user specific access and monitor traffic for attempted attacks and block them.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40565542
Aaron Tomosky:
3rd party like logmein or teamviewer.
Oh, right. That's probably not the route we want to go.
Yes rdp sessions are encrypted, but the computer is listening to anything on that port. So not only can they brute force guess, ...
True, but I can certainly monitor that port via iptables with --limit and --hitcount, and by examining log files looking for repeated attempt and shut them down. The advantage with RDC is the user can connect from anywhere they happen to be and need to get in, even if they don't have the VPN client installed.

craigbeck:
RDP doesn't have to be encrypted - it's optional in older versions of Windows.
That can't be enforced or possibly detected at the server end? I suppose enforcing encryption is the point of VPN, eh?

serialband:
Typically, you do not want to put port 3389 as the standard listening port when you do a port forward.
Agreed!
a VPN firewall device, like a Juniper SRX or Fortigate, would be a better way to go.  It provides access to your internal networks as if your inside and allows you to set up user specific access and monitor traffic for attempted attacks and block them.
OK, so help me to understand ... If I had a VPN on the server end, the user would connect with VPN client software (installed up using security certificates or some such thing). Then ... what? The user has to at that point use RDC or something similar to connect to his/her workstation, right? What do you mean exactly by, "allows you to set up user specific access and monitor traffic for attempted attacks and block them"?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40565616
Open vpn  as part of the configuration it includes a push directive where you "advertise" to the remote clients the Lan IPs as well as the local DNS along with a search domain from the lan
This way when the openvpn client connects to the server, all they do is use the name or the ip of the system on the LAN to which they want access.

The short answer to the third party tools is that when they are installed, they run as a service when the system boots up, as part of their mechanism they connect to the respective provider.  The outgoing connection is commonly not blocked on firewalls.  

The client connects to the provider which then connects the existing session from the LAN system to the user who would then need to logon onto the LAN system.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Author Comment

by:jmarkfoley
ID: 40565857
Open vpn  as part of the configuration it includes a push directive where you "advertise" to the remote clients the Lan IPs ... This way when the openvpn client connects to the server, all they do is use the name or the ip of the system on the LAN to which they want access.
Ah, so the client *does* get a list of computer names to choose from?! That wasn't clear from what I've read so far. Then what? the VPN client connects using ... RDC?

I'll see if I can find some client screenshots and more details on how it works.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40565899
The client does not get a list of computers to choose from, the client gets a network routing table entry that tells the computer how to get to the Company LAN.

i.e. home system LAn 192.168.0.0/24
Company LAN is 10.0.0.0/16

See examples: server config example http://openvpn.net/index.php/open-source/documentation/howto.html#server

client config example
http://openvpn.net/index.php/open-source/documentation/howto.html#client

on the server side look at the push options
push "route 10.0.0.0 255.255.0.0"
push "dhcp-option dns 10.0.12.10" #LAN DNS server
push "dhcp-option wins 10.0.10.15" # LAN WINS server

If you want to force the client once this VPN is establish to route all its outgoing traffic through the VPN, there is a route directive in the server example.
Difficulty to lookout for deal with the use of the same LAN IP segment at both locations.
IP overlap will get the VPN connected, but the user will not be able to access anything on the remote LAN since those requests will be seen and treated as local on that computer and will never be directed through the VPN tunnel.


Creating a separate batch file, vbscript to distribute to users that will initiate the openVPN client connection as well as  prompt the user to which system they would like to connect to.
The script will be static initially. and potentially could be dynamic i.e. if he openVPN connection is established, will get the list of available systems to connect to and then present these options to the user to choose from.
one maintaining a single text file with system available for connection. The other redstributing a static script with changes of available systems to connect to.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40566741
OK, I'm beginning to see the picture. So, the VPN basically makes the attaching workstation as if it were part of the office LAN, right? It then has access to LAN resources such as NAS files, probably printers, etc. One of your links even talked about routing all network traffic through the VPN such as http requests. I had a customer that used a VPN via a Cisco product and once connected, even my browser when through the VPN -- wherein they had restrictions on sites!

So, coming full circle back to the RDC question, our users would really only use this to connect to their office personal computers. I assume to do this the user, after connecting via the VPN, would still have to launch RDC in order to get to their office workstation, right? They could then possible connect via computer name (assuming the VPN is able to get the hostname of LAN computers, which your links indicated was possible), or at least via IP (e.g. 10.9.0.x)

Do I have that right?
0
 
LVL 76

Expert Comment

by:arnold
ID: 40566771
Yes, the VPN will make the remote user appear as though they are on the LAN.

yes, the option exists as part of the VPN establishment protocol that you push/set the VPN IP as the default gateway on the client computer routing any and all external requests through the VPN. It does not seem you wish to go this route and I would not recommend it.
At times,the implementation of the VPN default gateway deals/presumes that the remote client is the weakest point and if they can access external resources without restriction and the lan, they might get compromised (if the system is already compromised, the routing through the VPN will sever that ......) and through that the LAN will be compromised.

Yes, IP access will be without issues.  Using the push "dhcp-options DNS IP_of_LAN_DNS_Server" You should also push the search domain
will mean that RDP systemname.addomain can be used, the wins push may help in resolving the RDP systemname.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40567750
OK, I think I've got that sorted out.

One last question (hopefully). craigbeck metioned RD Gateway. In reading a bit about that it sounds like it would more-or-less work like the "Connect to a Computer" box in RWW. The docs also mentioned that it is accessed via port 443, not 3389 meaning, I suppose, the user accesses it via a browser.

Is that a possibility in this mix (even with VPN, the users need some way of accessing their remote workstations)? If so, does that need to run on an MS Server, or can it run on e.g. a dedicated WIN7. I suppose the RD Gateway server has to be running IIS, right? I'm thinking I could have the router/VPN server redirect these https request to the Gateway server computer. If that's possible, I've closed the loop on my problem!
0
 
LVL 76

Expert Comment

by:arnold
ID: 40567849
You can have both as they are not mutually exclusive and are not in conflict, though that is not really an option for your current plan.
RD Gateway explained: https://technet.microsoft.com/en-us/library/dd560672%28v=WS.10%29.aspx

Requires a windows server OS.
0
 
LVL 27

Assisted Solution

by:serialband
serialband earned 94 total points
ID: 40567864
Not only a Windows Server OS, but licenses if you need more than the default 2 remote + 1 console/admin connection.  If you're going to use a VPN, just have the users enable it on their desktops, unless you are spending money.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40570459
serialband:
If you're going to use a VPN, just have the users enable it on their desktops ...
Right, because they can access any IP on the LAN once connected.

arnold:
Requires a windows server OS.
Yes, I figured that out, but here is a remote desktop that does not: https://www.nomachine.com/ and a how-to: http://www.techrepublic.com/blog/tr-dojo/set-up-a-free-and-secure-terminal-server-with-linux/. I might check into those later as it would help support some of our home Mac users.
0
 
LVL 76

Accepted Solution

by:
arnold earned 219 total points
ID: 40570633
Another way to handle VPNmis using ssh tunnels. Look at ssh forwarding.
Though this requires the user add settings on their side such that Localport:remotesystem name:remote port I.e 1234:remote workstation:3389
When the ssh connection is established, the user using RDP would connect to localhost:1234 which will actually translate through the tunnel over the ssh connection to the remoteworkstation:3389

The sshd server configuration would need to include the forwarding option as active.
0
 
LVL 27

Expert Comment

by:serialband
ID: 40571275
NoMachine is still a bit slow compared to Remote Desktop for Windows, at least it was when I tried it several years ago for ubuntu.  It wasn't available for OSX until about 3 years ago.  You'll probably want to set a lower resolution screen size for it to work well.

There is a free open source version of NoMachine at opennx.net, but they haven't advanced past 32 bit Lion support since 2012.  There is a version of opennx in Homebrew, but I haven't tried it yet, since I'm always on the command line these days.

I only port forward ssh and rdp for my home systems.  I use a hardware VPN at work, as that makes it much easier to support all non-tech users when they need to connect.  How many users are you supporting?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40571862
serialband:
NoMachine is still a bit slow compared to Remote Desktop for Windows
In fact I've found most things slower than RDC including logmein and teamviewer. RDC was one of Microsoft's better efforts!.

How many users are you supporting?
Only 9 but 2 of those are MAC and one never connects remotely, so really 6 including me.

My current inclination is to research and "play around" with OpenVPN, and likewise with NoMachine for the MAC users, but in the short term do the port-forward approach at the server end using iptables as suggested by Arnold in post ID 40562774. Or ...

Arnold:
Another way to handle VPNmis using ssh tunnels
That looks interesting also -- ssh would insure a secure connection. I'll check into that as well.

I think you guys have really given me a lot of good information and advice. I'll leave this open a bit longer for any additional comment, but I'm pretty satisfied with these insights into my question.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40572149
Try not to use SSH tunnels instead of VPN.  That is just asking for trouble IMO, and it won't perform as well as VPN anyway.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40585420
Thanks all! I'm going to keep this listing for future reference. All good comments, points awarded based on number of posts. Wish I could give you all 500!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
installed old nagios.... 13 93
shrewsoft VPN client and DNS 6 48
Palo Alto Networks Global Protect 2 53
VPN doubts 4 26
One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
When you connect to your workplace's VPN, you may not notice that you are using your workplace's servers to serve up webpages.  This might be undesirable since the workplace can log all the places you've been.  It also might be very slow to load pag…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now