ruhkus

Remote desktop options?

We're a medium-sized business, with about 200 employees in multiple locations trying to enhance our remote access strategy. We would want staff to be able to remotely access their PCs and view their multiple monitors, typically in the event where we have to close the office, but still have power.

Right now, we have an older terminal services server. Some staff currently remote into this server, then remote in again to their office PC from that server. It works ok, so we're thinking of buying a newer server, with RDS and more CALs to support this on a larger scale. However, since this is more for a business continuity scenario, I'm thinking maybe there's a way to set this up in AWS or similar, and just spin it up if needed.

Not sure how easy that is. I also don't know if it's easy to just buy, let's say 5 remote CALs now, then I could just go to Microsoft direct and buy 50 more if necessary and get a key right away if such a situation called for it?

Maybe there are other cost-effective solutions that I should consider?

Thanks.
Lee W, MVP

Do you already have a footprint in AWS?  If not, you'd need to connect your AWS servers to your office(s) networks.  This could be complicated if you have many offices.  

As for RDS CALs, CALs are not concurrent and they are not by user account. If a person remotes in even once every 3 months, they need their own CAL. So with 200 employees, even if you only have 50 who never connect, 50 who regularly connect and 100 who do so for an average of an hour a month, you still need 150 CALs to cover everyone who ever connects. Then, if you needed that other 50 to come in, you'd have to buy CALs for them - which typically takes 24-48 hours to get the necessary paperwork to install the license in the RDS server.

Also, I've heard that you can no longer bring your own licenses to the cloud - but I could be misunderstanding some aspect of that - but it's definitely a question you want to ask if you do go the cloud route.

And remember, when it comes to licensing:
Licensing Disclaimer
License information provided here is "best efforts".  The comments of the respondents are based on interpretation of the license agreements and their knowledge of the particular laws and regulations in their geographic location.  Laws in your location may invalidate certain aspects of the license and/or licenses can change.  (For example, at least one major nation's laws allow OEM licenses to be transferred to new hardware). "They told me on Experts-Exchange" will not be a valid excuse in an audit.  You need to contact the license granting authority to confirm any advice offered here.


ruhkus

ASKER

Thanks for the comments. Is it "common" to have staff remote desktop into an RDS server, then remote into their PCs to do work? Assuming I go the route of purchasing a server solely to handle upwards of 100 people that do this, I'm trying to get a handle on resources needed, and whether there are preferred alternatives.

We don't have any AWS servers at this time, so the cloud may not be the best option, but I will look into that licensing anyways.
If each user has a physical PC at the office (that is not in use when the user is not in the office), consider using VPNs to remotely connect to the office and then use Remote Desktop to the user's specific computer. If your router/firewall supports VPNs, then there should be nothing to purchase.

Depends on what you mean.

An RDGateway is common to allow remote access.  AND requires RDS CALs.  It's not common (kinda kludgy, really) to establish a remote desktop connection to a server and then from the server establish another remote desktop connection to a PC.

I'd either use RDGateway OR VPN.  If VPN, then RDS CALs aren't needed and people just connect to the office and RDP into their machine.

HOWEVER, VPN can be less secure as an RD Gateway solution can restrict mapping of drives and printing remotely whereas a VPN puts the user directly on the network over the internet and they can do essentially whatever they want from their remote PC (depending on the permissions their account has on the network).
An RD Gateway requires very little in resources - you should be able to just spin up another VM (you ARE virtualizing, right?)

If you are allowing people to work directly on the RDS server, then you would want to scale it appropriately. RAM, CPU, Disk - they all become factors but can vary depending on what they're doing. Passing through an RDS session, and it's probably relatively little. But consider the single point of failure. I don't know what your infrastructure looks like, but if you have multiple offices, I'd create a mesh, so to speak, with networks that connect to each other and I'd have two RDS servers at different locations, instructing half the users to use one and half to use the other... and you can always have everyone use one if one site goes down.

(I'm not a fan of the public cloud.  I *AM* a fan of your own private cloud).
ruhkus

ASKER

Thanks. I've considered VPNs, as I've tested this with my Fortigate and it works fine. However, I've always been hesitant to have users use their own personal PCs to install a VPN client. Is this still a fair concern, or would it be easy enough to minimize any of those security concerns, especially since their personal PC isn't part of the domain?

Would VPN->remote desktop be less clunky than remote desktop to server, then remote to their work PC?
ASKER CERTIFIED SOLUTION
Lee W, MVP
I'm not directly familiar with the Fortigate VPN, but VPN logins are typically different from RDP logins.  
Maybe with lower end VPNs, but higher end VPNs can work off RADIUS and use the same domain account and password.
You may be able to use the same username and password, but it requires TWO logins - opening an RDP connection will not autoconnect to VPN in any VPN system I'm familiar with.
ruhkus

ASKER

Thanks everyone for their feedback. I did not realize the benefits of the RD Gateway even though I saw it before. I'm going to look into that some more.

It seems that I have to install the entire Remote Desktop Services role, then go from there? It's interesting that I didn't see much mentioned online regarding Gateway as it relates to Server 2019. Is it still a popular option?