AnyWhere Access vs. Remote Desktop

al4629740
Could someone explain to me the difference between Anywhere Access and a VPN with Remote Desktop on Windows Server 2016 Essentials?  I am in the throes of setting up remote access and have to figure out how to set this stuff up.  Any advice on how to proceed would be appreciated.
Top Expert 2013
Commented:
Anywhere access with regards to Essentials is just the general term for remote access of your site.  Running the Anywhere Access wizard sets up the SSTP VPN and the Remote Desktop Gateway service for RDP, securely using SSL.  It also creates a web page or landing page for remote access that allows you to access files via the web page or choose the other options. Thus there are 3 ways to connect: VPN, RDP, shares via the web page. You do not have to use the VPN and RDP in conjunction.

Author

Commented:
What's the easiest to get setup and still have secure access?
Top Expert 2013
Commented:
Both are easy.  There is a wizard that walks you through it.  You can check boxes for VPN or Remote Web access, or both.  You will need to buy a certificate as well.

Note: "Remote Web Access" is a landing page that allows you to choose to which computer you want to log in. Assuming you granted the user permission to do so. Or, as mentioned you can access files directly from here.  Useful if the user doesn't have an office PC to which they can connect.

https://www.server-essentials.com/support/setup-access-anywhere-with-a-ssl-certificate-on-windows-server-essentials-2016

Author

Commented:
Where do we get this certificate from?

Is the remote web access a page hosted by microsoft or is that something we have to setup?
Distinguished Expert 2017
Commented:
Note remote desktop: while the session would be secured, your system's remote desktop service will be exposed to the internet and susceptible to exploits.
https://smallbiztrends.com/2018/10/rdp-hacking.html
One way is to limit on your external firewall the source from which you can connect to a single IP.



There was a support firm whose systems were compromised through RDP.
The VPN is more secure since the attacker has to have either a passphrase to establish the VPN, if you also use username/password or certificates for authentication. And all this is just to get a connection to the network; access to the computer is an additional step.

A certificate you can have your own CA on Microsoft if its use is solely internal. You can purchase a personal certificate from any number of certificate vendors.
Top Expert 2013
Commented:
The web page is hosted on your server.  Microsoft used to offer a service with Essentials where they provided a certificate and a web URL similar to remote.yourdomain.onmicrosoft.com which redirected to your server, but they discontinued that.  It is possible to generate a self-signed certificate within the server OS, but you then have to export and manually install it on every connecting device, which is a pain in the neck, inconvenient, and very difficult on phones and other systems.  Best to buy from a source like GoDaddy.  There are many providers.  GoDaddy is about $90/year.  A purchased certificate from a recognized source does not have to be manually added.

Arnold is far more knowledgeable than I on matters of remote security, but I am not yet convinced that a Windows SSTP VPN is more secure than Remote Desktop Services using the Remote Desktop Gateway service.  Both use port 443, a certificate, and a passphrase.  RDP and simple port forwarding is another matter and much less secure.
Top Expert 2013

Commented:
PS- do you have a static public IP or dynamic?  If dynamic you will also have to set up a DDNS service.  I wrote a blog article many years ago about doing so with SBS.  The steps are different but the concept is the same.
https://blog.lan-tech.ca/tag/dynamic-ip/

Author

Commented:
Is it possible to do this without the certificate?  If it costs 90/year, then I may as well get a third party solution like Splashtop.
Top Expert 2013

Commented:
No, you need a certificate, though as mentioned you can generate one using the server.  I have not done so for 15+ years. Or, there are less expensive certificate providers or even free ones such as:
https://letsencrypt.org
https://ssl.comodo.com/free-ssl-certificate

I use GoDaddy as their support is excellent.

The concern I always have with services like Splashtop is a third party can access both client and server.  Not saying they do, but they can or if they were hacked.  You have a "monkey in the middle" you have to trust. I also have never seen a 3rd party service that performs as well as RDP.  Close, but not as good :-)
Distinguished Expert 2017

Commented:
Please clarify which certificate and for which purpose?

For anywhere VPN the people who manage the ASA system will provide you with a certificate if required for authorization/authentication.
Distinguished Expert 2017

Commented:
You can use openssl and generate a self-signed personal certificate. You can then provide this certificate for them to add to be trusted for the service/function.
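
The self-signed route mentioned in this thread, as an added example that is not part of the original posts: it generates a self-signed certificate with openssl and shows that a client's default trust store rejects it until that certificate is explicitly installed as trusted. The hostname remote.example.com and the file names are constructed assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate vs. a client's default trust store.
# HOST and all file names are constructed for illustration.
HOST="remote.example.com"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a key and a self-signed certificate for HOST, valid for 30 days.
# The subjectAltName entry is what current clients match the hostname against.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -days 30 -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# A connecting device that only has its default trust store.
trusted_by_default() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# The same device after the certificate was exported and installed as trusted.
trusted_after_install() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint, to compare with the server's copy before installing.
fingerprint() {
    openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed || { echo "openssl could not create the certificate" >&2; exit 1; }

if trusted_by_default; then
    echo "default trust store: accepted"
else
    echo "default trust store: rejected (self-signed, no known issuer)"
fi

if trusted_after_install; then
    echo "after manual install: accepted"
else
    echo "after manual install: rejected"
fi

echo "SHA-256 fingerprint: $(fingerprint)"
```

Compare the printed fingerprint with the one shown on the server, over a separate channel, before installing the certificate on a device.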
