hypercube asked:
Best Practices for remoting into a Server

I've remoted into test servers directly by installing Unattended GoToAssist - which is my preferred remote access platform.

But often servers are set up to not have web access on purpose.

I can imagine using RDP from a work station into the Server on the same LAN and use Unattended GoToAssist to reach that workstation first.

Any suggestions?  What do *you* do?
Lee W, MVP:

VPN to network, RDP to server.  ZERO Cost, Fastest connection.

Most servers need internet though in smaller environments because you need to keep them updated.  So on those, I also have Connectwise Control (with 2FA).
We have VPN access to our clients (modest cost) and use Desktop RDP to access servers and client workstations if needed (Free with Windows).  Works great.  I agree with Lee above.
ASKER CERTIFIED SOLUTION
kevinhsieh:
This solution is only available to members.
The Privileged Access Workstation (PAW) security initiative is where we are going with our business client management practice.

We use a dedicated set of systems for logging on to client systems.

Primary:

We use the built-in SonicWALL NetExtender VPN setup to access on-premises networks, then log on to a jump station set up on the client's network. From there, PowerShell Remoting for most management needs, or Server Manager, which covers all on-premises systems (and cloud, if site-to-site connected) for at-a-glance views.

Secondary:

Most clients are running Remote Desktop Services (RDS) Farms, so they have RD Gateway set up. We do _not_ modify the default Resource Access Policy to allow domain controller access via RD Gateway. DCs are accessed via jump station only if there is a need (rarely).

Azure Cloud:

Azure Bastion is a new service that provides a jump station like experience for Azure located resources.

The PAW principle we operate by is to keep all business related tasks like e-mail and browsing completely separate from IT Operations. WiPro found out the hard way why. And, just announced so did PCM.
We use Splashtop or Teamviewer (neither is free, Splashtop is cheaper, I think) to remote in to a workstation or server on-site. Both providers have secured and encrypted connections to the endpoint. From there we use VNC to connect to the other servers and workstations on the network.
Remote Desktop Gateway is a fairly reliable solution but requires additional infrastructure and client config to function (you need to have PKI or a public 3rd-party cert; PKI is preferred because you can limit access to computers that trust the root CA). It uses the default RDP client, contacts the RDG server first, and then you are immediately forwarded to the target server. It works over port 443 and doesn't suffer the same major issues as publishing port 3389 on the Internet. You have to have a server that includes the RDG role, though. Once you have that, though, it's immediate remote access to all servers on the internal network with RDP enabled.
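Two posts above recommend RD Gateway but warn against letting its Resource Authorization Policy (RAP) reach domain controllers. The audit below is an added example, not code from this thread or from any of the posters; it assumes it runs on the RD Gateway host with the ActiveDirectory RSAT module installed, and that the `Win32_TSGatewayResourceAuthorizationPolicy` WMI class exposes `ResourceGroupType` (`ALL`, `CG` for an AD group, `RG` for an RDG-managed group) and `ResourceGroupName` as on current Windows Server.

```powershell
# Added example: flag RD Gateway RAPs that would let a gateway user RDP to a DC.
# Assumes: run on the RD Gateway server, ActiveDirectory module available.
Import-Module ActiveDirectory

# Distinguished names of every DC computer object, used for membership checks.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

$raps = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                        -ClassName Win32_TSGatewayResourceAuthorizationPolicy

foreach ($rap in $raps) {
    if (-not $rap.Enabled) { continue }

    switch ($rap.ResourceGroupType) {
        'ALL' {
            # "Any network resource" implicitly includes the domain controllers.
            Write-Warning "RAP '$($rap.Name)' allows ALL network resources (DCs reachable)."
        }
        'CG' {
            # AD security group: expand it recursively and look for DC computer objects.
            # ResourceGroupName may carry a DOMAIN\ prefix; keep only the group name.
            $groupName = ($rap.ResourceGroupName -split '\\')[-1]
            $computers = Get-ADGroupMember -Identity $groupName -Recursive |
                         Where-Object { $_.objectClass -eq 'computer' }
            $hits = $computers | Where-Object { $dcDns -contains $_.distinguishedName }
            if ($hits) {
                Write-Warning ("RAP '{0}' exposes DC(s) via group '{1}': {2}" -f
                    $rap.Name, $groupName, ($hits.Name -join ', '))
            } else {
                Write-Output "RAP '$($rap.Name)' (group '$groupName'): no domain controllers."
            }
        }
        default {
            # 'RG' is an RD Gateway-managed computer list; its members are not AD
            # objects, so review that list by hand in the RD Gateway Manager console.
            Write-Output "RAP '$($rap.Name)' uses RDG-managed group '$($rap.ResourceGroupName)'; review manually."
        }
    }
}
```

The default `RDG_AllDomainComputers` policy targets the Domain Computers group, which does not contain DCs, so on an unmodified gateway the script should report no warnings.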
VPN then RDP is what I have tended to use. Lee has provided the information for the upsides of it.

Also, I recommend that you pay attention to regulations that may apply to each client. Cases where PCI comes into play just prevent you from using particular options off the bat. (I had to go back and forth with an old boss over this at one point.)
hypercube (ASKER):

Thanks all.  The answers provide a pretty good framework even if some of it was expected - now all in one place!!  Good ideas.