Remote Access Solution

jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
If I was designing a small/mid sized network for no more than 50 hosts, what would be the best way to allow my clients to remotely access their work computers from home? The first thing that comes to mind for me is a secure VPN connection, but what exactly would I need installed on the business network and on the computers trying to access the network? Is this typically done through configuring the router, or would I need some sort of router/firewall solution?

Thanks!

Comments

  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    There are a ton of different solutions out there that you can look at. How much of the current infrastructure exists?

    You could consider installing SBS 2008 and using the remote web workplace. There is Citrix, you could use RDP over a VPN connection. For 50 clients SBS might not be scalable enough... In my own opinion 50 clients (total, remote or otherwise) is its practical limit. But there is also the TS Web access through Server 2008. There are so many things you can consider.
  • jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
    I should have been more clear in my original post, there would be about 50 hosts inside of the internal network, and we could expect maybe around 6-7 at a time to connect remotely at the same time at the most. I should have also clarified that this would be for a case study where I can design the internal network as I please from the ground up so the sky is the limit. What do you think the most elegant solution would be? Is there a way that the service could be integrated into the border router?
  • GogousaGogousa Member Posts: 68 ■■□□□□□□□□
    The easy one would be to install a vpn concentrator (most routers would do the job) and connect the users via Remote Desktop (you would need a professional version of windows to be able to use it).
    If you want to spend more money and get sophisticated, the sky is your limit... :)
  • Hyper-MeHyper-Me Banned Posts: 2,059
    Remote web workplace would be great if they have SBS 08.

    If not, something fairly inexpensive like a SONICwall netextender would work well.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Hyper-Me wrote: »
    Remote web workplace would be great if they have SBS 08.

    If not, something fairly inexpensive like a SONICwall netextender would work well.

    My concern would be the total number of clients he has for SBS. The actual limit is 75 and in my experience 50 is already the practical limit. There would be a serious lack of scalability for him with SBS. But I believe the SonicWALL suggestion is very valid. We use one at my work and, while router to router VPN is a major pain, client to router is usually pretty easy.
  • jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
    The biggest factors I need to keep in mind for the solution are, ease of use for the end-users, scalability, and price in that order. Although, the price should not be astronomical either. Do you believe that using a VPN concentrator on the router would be a bad idea if we have no more than 15 remote connections at a time? Now what about RADIUS, if I'm not mistaken you don't have to use a dial-up connection for that correct, or is that obsolete now?
  • Hyper-MeHyper-Me Banned Posts: 2,059
    My concern would be the total number of clients he has for SBS. The actual limit is 75 and in my experience 50 is already the practical limit. There would be a serious lack of scalability for him with SBS. But I believe the SonicWALL suggestion is very valid. We use one at my work and, while router to router VPN is a major pain, client to router is usually pretty easy.

    Well, if there is one thing I've noticed...it's that users don't always like the fact they can work from home (and therefore it generally goes underutilized)

    At my last job we set up a VPN so teachers could enter grades from home. We had ~6000 teachers on staff and a large portion of them moaned about wanting to work from home. We had an older Cisco VPN concentrator that would max out at 700 concurrent users. After rolling the system out to 50% of the staff (3000 users), we never saw concurrent usage go above 150, even after we allowed the other 3000 to access it. The idea was that if we ever consistently hit the max users we would buy some newer equipment, but we never came close.
  • Daniel333Daniel333 Member Posts: 2,077 ■■■■■■□□□□
    Well, few questions. What is your budget? What existing infrastructure do you have to work with? Are there any special platform requirements (Mac, Linux, Win2k) that we need to be aware of? What is your expected growth? What servers are you already buying?

    Maybe we can multipurpose your print server as a PPTP server. You won't have to worry about price, scales very well and the built in Microsoft client is easy to use. If you don't like multipurposing your servers, ISA2k6/TMG is an option.

    Without any specifics I am just going to throw down for DirectAccess if you happen to have a 2008R2/7 environment.
    -Daniel
  • cablegodcablegod Member Posts: 294
    For 50 or less, I HIGHLY, HIGHLY recommend a Juniper SA SSL VPN, specifically, the SA700 in your case. Go here: Secure Access 700 - Clientless SSL VPN Solution - Juniper Networks

    Buy it, install & configure it in a couple of hours, and don't worry about it again. We run a SA2500 and all of our users LOVE it. It's the easiest to deploy/manage/use than any VPN we have ever done, and we have done a lot of them over the years.
    “Government is a disease masquerading as its own cure.” -Robert LeFevre
  • rsuttonrsutton Member Posts: 1,029 ■■■■■□□□□□
    My concern would be the total number of clients he has for SBS. The actual limit is 75 and in my experience 50 is already the practical limit. There would be a serious lack of scalability for him with SBS. But I believe the SonicWALL suggestion is very valid. We use one at my work and, while router to router VPN is a major pain, client to router is usually pretty easy.

    A couple weekends ago I migrated one of our clients off of SBS 2k8 - 100 users. We didn't migrate due to resource limitations though, we just wanted to get them in compliance with MS as SBS has a soft cap of 75 users. It was a very beefy server with solid network infrastructure in place. We had I think 15 users average that worked remotely. It was great for what they needed.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Hyper-Me wrote: »
    Well, if there is one thing I've noticed...it's that users don't always like the fact they can work from home (and therefore it generally goes underutilized)

    At my last job we set up a VPN so teachers could enter grades from home. We had ~6000 teachers on staff and a large portion of them moaned about wanting to work from home. We had an older Cisco VPN concentrator that would max out at 700 concurrent users. After rolling the system out to 50% of the staff (3000 users), we never saw concurrent usage go above 150, even after we allowed the other 3000 to access it. The idea was that if we ever consistently hit the max users we would buy some newer equipment, but we never came close.

    The limit is not VPN, it is actual CAL for the AD. You cannot have more than 75 clients period.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    Do they need to actually access their work machines from home, or do they just need to be able to access work resources like an internal web server or database or something like that?

    If all you're needing is a VPN solution, and you want to do it on the cheap, build a decent server and install OpenVPN. If you've got the budget for it, deploy a Juniper. Don't do this kind of crap on the border router if you can avoid it at all
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    rsutton wrote: »
    A couple weekends ago I migrated one of our clients off of SBS 2k8 - 100 users. We didn't migrate due to resource limitations though, we just wanted to get them in compliance with MS as SBS has a soft cap of 75 users. It was a very beefy server with solid network infrastructure in place. We had I think 15 users average that worked remotely. It was great for what they needed.
    Yes, that's on a well-designed system that might not have been using it as their only server...? But what I have seen is in an SBS environment with only the SBS server and over 50 users file shares grow on average 10% per year, WSS site grows too fast and the company always flirts with being out of compliance and this is the real issue. Once they hit 50 users adding another 25 always seems to happen too easily, although this was before the recession. This is why I say 50 is the practical limit. Not so much resources but they are just getting too close to the 75 CAL cap on the EULA. If the company is starting at 50, there are just too many users. SBS would not be a good choice for them, IMO.
  • darkerosxxdarkerosxx Banned Posts: 1,343
    Since you said "no more than 50 hosts," I would recommend a few Cisco Small Business products.

    SR520W-FE-K9 (Router)
    FL-WEBVPN-10-K9 (Feature license for SSL VPN to provide remote access to 10 users from any computer with a web browser)

    Going further with the internal
    ESW-520-48P-K9 (Switch w/PoE for VoIP phones for internal users)
    521SG (VoIP Phones for internal users)


    http://www.cisco.com/en/US/prod/collateral/routers/ps9305/data_sheet_c78-484356.pdf
  • Hyper-MeHyper-Me Banned Posts: 2,059
    The limit is not VPN, it is actual CAL for the AD. You cannot have more than 75 clients period.

    He said "no more than 50"
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Hyper-Me wrote: »
    He said "no more than 50"
    Today. In 10 months or 2 years can he be sure that would be the same case? You know as well as I, you have to plan for future growth.

    I'm not saying 50 is a hard and fast number. If *I* were pitching this type of investment (SBS 2008 + hardware + 50 CALs) I would want to be sure that in 4 years the system I designed and had my name associated with would still be the one the company needed.

    With SBS we aren't just talking about a remote access solution he could buy more CALs for. We are actually talking about a licensing limitation on the company's infrastructure. Would you suggest a solution to your company, right now, that could only ever add 25 more CALs without the additional cost of migrating to a new, separate Exchange/AD?

    If you consider roughly a 10% growth over 4 years, they have basically reached the licensing cap. I'm not saying it might not work, I'm just saying it is so close to that line I would find it hard to recommend. I believe SBS is a superb solution for companies around that size. Remember I was the first to mention it in this thread. ;)
  • darkerosxxdarkerosxx Banned Posts: 1,343
    I think what he's getting at is this is a network design competition and usually in competitions you have to follow the rules. :)

    I don't think anyone's going to really argue that starting with 50 users on a max-75 user system, even if 75 was the soft-cap, is a bad idea, unless you have a specific reason or know your user base won't be growing.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I did not realize this was for a design comp... Duh. If the rules contain an expected growth to plan for then SBS might be perfectly within the limits.
  • Hyper-MeHyper-Me Banned Posts: 2,059
    Today. In 10 months or 2 years can he be sure that would be the same case? You know as well as I, you have to plan for future growth.

    I'm not saying 50 is a hard and fast number. If *I* were pitching this type of investment (SBS 2008 + hardware + 50 CALs) I would want to be sure that in 4 years the system I designed and had my name associated with would still be the one the company needed.

    With SBS we aren't just talking about a remote access solution he could buy more CALs for. We are actually talking about a licensing limitation on the company's infrastructure. Would you suggest a solution to your company, right now, that could only ever add 25 more CALs without the additional cost of migrating to a new, separate Exchange/AD?

    If you consider roughly a 10% growth over 4 years, they have basically reached the licensing cap. I'm not saying it might not work, I'm just saying it is so close to that line I would find it hard to recommend. I believe SBS is a superb solution for companies around that size. Remember I was the first to mention it in this thread. ;)

    I see what you mean. The idea of expected growth didn't pop into my head immediately. Generally almost all of our customers are SMBs and some have been on SBS nearing a decade. The biggest move most make are to SBS 08. Some require additional servers in a member capacity to run apps or TS apps, but as far as numbers of actual users they have stayed consistent.
  • jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
    Guys, the good news is, I am supposed to address expansion, but it is to my discretion. Any spending that I advocate, I must be able to justify it and explain the technology to the judges to make sure that I'm not just flinging around tech jargon. The connection would be needed for working at home and possibly even for an intranet with a branch office. What do you guys think about building a beefy multi-purpose server and running the apps on virtual machines? Like have a print server, email server, and a VPN server all on the same physical machine. The only problem is that it will be a single point of failure. What can you tell me about SBS as far as how it works? Where would I best be off placing the SBS, juni, or multipurpose server on the network? Attached to the border router inside a DMZ?

    Thanks so much!
  • cablegodcablegod Member Posts: 294
    jeremy8529 wrote: »
    Guys, the good news is, I am supposed to address expansion, but it is to my discretion. Any spending that I advocate, I must be able to justify it and explain the technology to the judges to make sure that I'm not just flinging around tech jargon. The connection would be needed for working at home and possibly even for an intranet with a branch office. What do you guys think about building a beefy multi-purpose server and running the apps on virtual machines? Like have a print server, email server, and a VPN server all on the same physical machine. The only problem is that it will be a single point of failure. What can you tell me about SBS as far as how it works? Where would I best be off placing the SBS, juni, or multipurpose server on the network? Attached to the border router inside a DMZ?

    Thanks so much!

    The juniper has an external port, which would be best to put on a DMZ, then hook the internal port up to your access layer if most users are only connecting to their own workstations. The fine-grained controls in the Juniper SA are great.

    For instance, you'd go to https://vpn.company.com

    Login with a pre-created account, and click on the Terminal Server Session that you have pre-defined, and bam, you have a RDP session to your workstation.
    You could also use Network Connect, by clicking Start by Network Connect. That is just like you plugged into the LAN. The Juniper also has a nice hostchecker that you can use to make sure the user has AV on their machine, and that it's updated. If not as you define the rules, it will not allow the VPN connection to happen.
  • earweedearweed Member Posts: 5,192 ■■■■■■■■■□
    I was just looking at an article on Direct access. One 2008 R2 server with 2 NICs one to the internet and one to the intranet. Takes a lot of setting up but it's scalable.
    Windows Server HQ by Train Signal.com Direct Access: How It Works And How To Configure It
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • cablegodcablegod Member Posts: 294
    For the money spent for a server, windows license, and time spent securing, administering, troubleshooting, rebooting, and backing it up, you'd come out cheaper short and long term with a boxed, purpose-built solution like Juniper, Cisco, or Sonicwall. They are purpose built appliances with extremely fine-grained access control that just can't be beat. I wouldn't want to do VPN as just a simple "add-on" to an existing router. It's a router, not a VPN device. The add-on VPN functionality seems like a secondary thought to me. I know most here are fans of using Windows for everything under the sun like routing/RAS, etc, but to me, it just ain't meant for that. Sure, it can "do it", but does it do it better and cheaper than the rest?
  • Hyper-MeHyper-Me Banned Posts: 2,059
    The SBS route wouldn't simply be for adding the ability to connect remotely, but rather adding a plethora of features to the SMB.

    I think Robert's and my approach was that they likely already had SBS 2003 or perhaps could generally benefit from an SBS 2008 installation.
  • darkerosxxdarkerosxx Banned Posts: 1,343
    If you're including expansion, don't use the items I linked.
  • jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
    I have decided to go the juniper route for my VPN solutions, the SA 700 looks like it would do nicely for most of the small business networks, but I could go with the 2500 in a cinch. All in all, it looks like I could get by for around 3-5 grand depending on which solution I used. So let me get this right, I would connect the external port to a router and use a firewall between the two to make a DMZ, and the other port would go to an internal switch right?
  • ilcram19-2ilcram19-2 Banned Posts: 436
    I would try a cheap solution like changing RDP port on each computer and do translation on the firewall for each port on the router for each user

    for example user 1
    1.1.1.1:3389
    user2
    1.1.1.1:3390

    That way you can assign a user to each port and they can just RDP to it


    Also you could get a Cisco 1800 series router and use the ssl/webvpn with anyconnect
  • rsuttonrsutton Member Posts: 1,029 ■■■■■□□□□□
    Yes, that's on a well-designed system that might not have been using it as their only server...? But what I have seen is in an SBS environment with only the SBS server and over 50 users file shares grow on average 10% per year, WSS site grows too fast and the company always flirts with being out of compliance and this is the real issue. Once they hit 50 users adding another 25 always seems to happen too easily, although this was before the recession. This is why I say 50 is the practical limit. Not so much resources but they are just getting too close to the 75 CAL cap on the EULA. If the company is starting at 50, there are just too many users. SBS would not be a good choice for them, IMO.

    Correct, we had a separate server for the fileshare. And I also agree that if you are starting with 50 users you won't deploy a system that needs to be replaced in 2-4 years. Actually, in migrating them off of SBS2k8 to Standard 2008/Exchange 2010 the systems we built should last them a very long time.
  • jeremy8529jeremy8529 Member Posts: 57 ■■□□□□□□□□
    So as of now, Juniper looks like the easy and efficient solution except for price, and I am willing to go with that for a company that is on the rise, now what about something on the cheaper side, let's say a solution for under $1,000?