Best Practices for remoting into a Server

Fred Marshall
I've remoted into test servers directly by installing Unattended GoToAssist - which is my preferred remote access platform.

But often servers are set up to not have web access on purpose.

I can imagine using RDP from a work station into the Server on the same LAN and use Unattended GoToAssist to reach that workstation first.

Any suggestions?  What do *you* do?
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
VPN to network, RDP to server.  ZERO Cost, Fastest connection.

Most servers need internet though in smaller environments because you need to keep them updated.  So on those, I also have Connectwise Control (with 2FA).
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
We have VPN access to our clients (modest cost) and use Desktop RDP to access servers and client workstations if needed (Free with Windows).  Works great.  I agree with Lee above.
Network Engineer
Commented:
I RDP (over RDP Gateway and 2FA) to my workstation, which is then used as a jump station to other devices. I can also connect to VPN (again with 2FA) and then RDP directly, or RDP to my workstation and then work from there.

Duo Security, now part of Cisco, is free for less than 10 users.

Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
The Privileged Access Workstation (PAW) security initiative is where we are going with our business client management practice.

We use a dedicated set of systems for logging on to client systems.

Primary:

We use the built-in SonicWALL NetExtender VPN setup to access on-premises networks then log on to a jump station set up on the client's network. From there, PowerShell Remote for most management needs or Server Manager that has all on-premises and cloud if site-to-site connected for at-a-glance views.

Secondary:

Most clients are running Remote Desktop Services (RDS) Farms so have RD Gateway set up. We do _not_ modify the default Resource Access Policy to allow domain controller access via RD Gateway. DCs are accessed via jump station only if there is a need (rarely).

Azure Cloud:

Azure Bastion is a new service that provides a jump station like experience for Azure located resources.

The PAW principle we operate by is to keep all business related tasks like e-mail and browsing completely separate from IT Operations. WiPro found out the hard way why. And, just announced so did PCM.
We use Splashtop or Teamviewer (neither is free, Splashtop is cheaper, I think) to remote in to a workstation or server on-site. Both providers have secured and encrypted connections to the endpoint. From there we use VNC to connect to the other servers and workstations on the network.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Remote Desktop Gateway is a fairly reliable solution but requires additional infrastructure and client config to function (You need to have PKI or a public 3rd party cert, PKI is preferred because you can limit access to computers that trust the root CA). Uses the default RDP client, contacts the RDG server first, then you are immediately forwarded to the target server. Works over port 443, and doesn't suffer the same major issues of publishing port 3389 on the Internet. You have to have a server that includes the RDG role, though. Once you have that, though, it's immediate remote access to all servers on the Internal network with RDP enabled.
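
An added example, not part of any reply in this thread: a small audit of saved `.rdp` connection files that checks whether each one is forced through an RD Gateway, as the setup described above expects. The setting names are from Microsoft's documented `.rdp` file format; the host names and sample files are constructed, and treating a missing `gatewayusagemethod` as "not enforced" is an assumption.

```python
def parse_rdp(text):
    """Parse the 'name:type:value' lines of an .rdp file into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i" and value.strip().isdigit():
            value = int(value)
        settings[name.strip().lower()] = value
    return settings


def audit_rdp(text):
    """Return finding codes for a connection file that can bypass RD Gateway."""
    s = parse_rdp(text)
    # Assumption: a file with no gatewayusagemethod is treated as not enforced.
    usage = s.get("gatewayusagemethod", 0)
    if usage != 1:
        # Only 1 means "always use an RD Gateway"; every other value
        # allows a direct connection or defers to client defaults.
        return ["GATEWAY_NOT_ENFORCED"]
    findings = []
    if not s.get("gatewayhostname"):
        findings.append("GATEWAY_HOST_MISSING")
    if s.get("gatewayprofileusagemethod") != 1:
        # 1 = use the explicit gateway settings stored in this file
        findings.append("GATEWAY_PROFILE_NOT_EXPLICIT")
    return findings


# Constructed sample files (hypothetical host names).
DIRECT = "full address:s:srv01.corp.example:3389\ngatewayusagemethod:i:0\n"
GATED = (
    "full address:s:srv01.corp.example:3389\n"
    "gatewayhostname:s:rdg.example.com\n"
    "gatewayusagemethod:i:1\n"
    "gatewayprofileusagemethod:i:1\n"
)
HALF = "full address:s:srv01.corp.example:3389\ngatewayusagemethod:i:1\n"

if __name__ == "__main__":
    for label, sample in (("direct", DIRECT), ("gated", GATED), ("half", HALF)):
        print(label, audit_rdp(sample) or "ok")
```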
Distinguished Expert 2018

Commented:
VPN then RDP is what I have tended to use. Lee has provided the information for the upsides of it.

Also I recommend that you pay attention to regulations that may apply to each client. Cases where PCI comes into play just prevents you from using particular options off the bat. (I had to go back and forth with an old boss over this at one point)

Author

Commented:
Thanks all.  The answers provide a pretty good framework even if some of it was expected - now all in one place!!  Good ideas.
