Tarkisal


Looking to

I'm looking for some guidance on how to allow Remote Users to access system applications. We currently are running a phase 1 setup where users are sent home with company equipment and use Sonicwall Global VPN software and Remote Desktop to remote into their own computers, located on site.

This is not, however, ideal, as it requires equipment on both ends.

Ideally, what I'm looking for is to have a way for a user to have equipment at home, use a secure VPN connection with the Sonicwall Global Client, and then have the user access a desktop that is not in use. One way, obviously, is to have a bank of PCs with one dedicated to each person, but this seems cost-prohibitive. So my thought is a virtual desktop.

I currently have two Windows 2016 Servers running my main system, including DNS and Active Directory, among other core services. Is there a way I can build virtual desktops within that server? Should I have a separate server dedicated just to this task? What would be my starting point? Would I use Microsoft's built-in Hyper-V? Would I use VMware in some way?


The first group will probably be only 5-10 users, though this number may go up. I know there are options like Citrix which would provide a web interface, but the way our applications are set up they would require a direct connection, and so I don't know if Citrix and the like would work, though I am looking into this as well.


We have hundreds of available DHCP over VPN connections through our firewall, and the application has worked very well with this first batch. Now I just want to try and find a way to have an environment where each user can log in to a single (or fewer) machines at the same time without taking up valuable, individual PC resources.

Further information of my environment:


Users: About 120 total. Of those 120, about 8 are currently using the Global client to remote in, but they are remoting in to their own PCs. Second proposed group would use some kind of virtual setup or Citrix environment, if possible.


Firewall: NSA 4600.


Windows Environment: Two Windows Server 2016 servers running Hyper-V for Domain Controllers. Windows Update, Active Directory, etc. included. Domain Controllers are mirrored.


PC Environment: Windows 10 Pro across the board.

Any help would be greatly appreciated.
ASKER CERTIFIED SOLUTION
Don
This solution is only available to members.
Tarkisal

ASKER

Don,

Thanks for the quick response. That would be an easy solution, but the problem is the application they are using. It's an EMR that often has to use established VPN tunnels to other clients to connect to servers elsewhere. Therefore, we run into what I've dubbed the 'double hop' problem. The Global VPN will allow you to remote into the network here, and they can access any clients within the EMR that are located here, but for any clients that are located through another tunnel, it won't jump twice and times out.

If you know a way to solve this problem with the Global VPN client, that would actually solve multiple problems I've had. So far, I haven't found a workaround.
SOLUTION
This solution is only available to members.
Sure thing.

To your first question: I meant PCs, yes. We provide Remote users with company-issued PCs that they use as a "gateway" of sorts that has the Sonicwall Global VPN on it to allow them to remote into the system. I'll explain the double VPN more down below and try to explain it better as to why they can't just use the computers at home and need to remote into a PC located on site.

The problem is most of the users won't have computers to log in to or desks to sit in. We are trying to move multiple users to work from home so, if they did come in, they would work on a shared PC, not their own PC. So if User A works Monday, Wednesday and Friday from home, and Tuesday and Thursday in the office, then User B is unable to use that computer at all since User A is remoting into it from home.

The problem is less about giving users that work in the office the chance to remote into their own computer and more about freeing up computers so we have Remote users (some of which may not work in the office at all) and then other users that have their own dedicated computers in the office. Imagine it like having a PC sitting on an empty desk. No one is sitting there, but we can't use it because someone is remoting in from home.

Regarding double hop and VPN - So our main application works in two ways: our own server and a client's (offices we do work for) own server. So, for instance, we have some clients that have their information stored on our local server here. In this case, a remote user using the Global VPN client would have no problems. They remote in, get a local IP, and they're good to go. The EMR has a local IP so they can connect.


The problem, however, is when the application is housed remotely. To create this remote connection we use site-to-site VPN tunnels. The Sonicwall Global VPN does not seem to allow a connection twice. So, in this case, the user remotes into the network here. So far, so good. However, for reasons I can't fully explain, if they then try to connect to a remote connection, that is, someone that has their application housed remotely over a site-to-site tunnel, the connection will fail. The Global VPN doesn't seem to like to create a connection to the main site, and then jump over that site-to-site tunnel to make another connection. Hence, the double hop.


I realize this is a tad confusing, and I hope I am explaining myself well. If anyone knows a workaround that would allow this function, I'd be very happy to hear it.

I was able to get around my problem by fixing the initial issue with the VPN - namely, the double hop issue. I just had to add the site-to-site VPNs as a group within the Remote VPN configuration for the WAN Group VPN. Once I added that functionality, I was able to connect to all clients both local and remote, and I'll now be able to just have the users at home use their computers there, and they won't need to remote into anything else local besides the Sonicwall Global VPN. Thank you to everyone for your help!
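
The "double hop" failure and its fix, modelled as an added example (not part of the original thread and not SonicWall configuration): a small audit that compares the networks granted to remote-access VPN users against the networks behind each site-to-site tunnel. It assumes a client can only reach destinations listed in the remote-access group's access list; all addresses, tunnel names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: one local LAN and two site-to-site tunnels.
TUNNELS = {"clinic-a": ["10.20.0.0/24"], "clinic-b": ["10.30.0.0/24"]}
TARGETS = {"local EMR": "192.168.10.50", "clinic-a EMR": "10.20.0.15"}
BEFORE = ["192.168.10.0/24"]                       # local LAN only
AFTER = BEFORE + ["10.20.0.0/24", "10.30.0.0/24"]  # tunnel networks added

def _nets(items):
    return [ipaddress.ip_network(n) for n in items]

def audit_vpn_access(access_list, tunnel_networks, targets):
    """Report, per application server, whether a remote client may reach it."""
    granted = _nets(access_list)
    report = {}
    for label, ip in targets.items():
        addr = ipaddress.ip_address(ip)
        # Which site-to-site tunnel (if any) carries traffic to this server?
        via = next((name for name, nets in tunnel_networks.items()
                    if any(addr in n for n in _nets(nets))), None)
        if any(addr in n for n in granted):
            report[label] = "reachable"
        elif via:
            report[label] = f"blocked: tunnel '{via}' not in access list"
        else:
            report[label] = "blocked: no granted or tunnel network matches"
    return report

def missing_tunnel_networks(access_list, tunnel_networks):
    """Tunnel networks not covered by the remote-access grant."""
    granted = _nets(access_list)
    return [(name, str(n))
            for name, nets in sorted(tunnel_networks.items())
            for n in _nets(nets)
            if not any(n.subnet_of(g) for g in granted)]

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_vpn_access(acl, TUNNELS, TARGETS),
              missing_tunnel_networks(acl, TUNNELS))
```

Granting only the specific tunnel networks the application needs, rather than a broad supernet, keeps remote users' reach limited to what the audit lists.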