
DIY: VPN vs. Terminal Services in a Windows Server 2003 environment

Jack Wallen offers a TechRepublic member advice about whether it's better to use a VPN or a terminal server to set up a remote access solution for a Windows Server 2003 environment.

Here's a question I recently received from a TechRepublic member. After you read my answer, please post any additional tips you have for the member in the discussion.

Q: First of all, thanks for this segment. It comes in handy. My question is related to a Win2K3 environment. I want to set up a server so my customers can access their part remotely. Let's say they have QuickBooks on the server. This way, I can manage a couple of servers from one point. Which is the best solution, VPN or Terminal Services? All ideas are welcome.

A: The answer to this question is not that simple; you need to consider how much security you need vs. how much security you trust your users with. But even with all of the possible variables, one tangible piece of information changes the equation: QuickBooks. I can say with 100% certainty that you do not want your QuickBooks data file being written to over a VPN. QuickBooks is one of the most network-sensitive applications I have ever worked with. Over a VPN, the QuickBooks client on the remote PC opens the company file across the tunnel, so the slightest hiccup in the network drops the connection to the data server, and a connection that drops in the middle of a write can leave the file corrupted. On a terminal server the client and the company file sit on the same machine (or the same LAN), and a dropped RDP session only disconnects the screen: the application keeps running on the server and the file is never half-written across the WAN.

With QuickBooks out of the equation, the choice comes down to one simple factor: does the terminal server sit on the WAN or only inside the LAN? If it has no public address, users will need a VPN just to reach the LAN the machine lives on. If the machine has an external IP (or WAN traffic can be routed to it), users can connect to the terminal server directly. In that case, remember that the RDP logon prompt is then reachable by anyone on the Internet, so restrict the source addresses allowed to reach TCP port 3389 at the firewall and enforce strong passwords with account lockout before you open it up.

What I like about the terminal server option is that it lets you control which applications users can reach while they are on your network. If you want them to use only specific applications, install only those applications on the terminal server and use policy to block users from installing, or running, anything else; a terminal server user who can write a file to disk and then execute it has everything needed to bring their own software onto your server.
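One way to do the lock-down described above, as an added example that is not from the original article or from Microsoft: a PowerShell script that writes a Software Restriction Policy (available on Windows Server 2003) with a default level of Disallowed and explicit allow rules for Windows, Program Files and the one line-of-business application installed for remote users. The QuickBooks path and the choice to write the local policy rather than a domain GPO are assumptions; the registry keys are the ones the Local Security Policy snap-in writes for SRP.

```powershell
# Added example, not from the original article. Locks a Windows Server 2003
# terminal server down with a Software Restriction Policy so that users can run
# only what you installed for them. Assumptions: QuickBooks is installed under
# the path below, and you are writing the LOCAL policy; on a domain member a
# GPO that defines SRP overrides these keys, so put the same rules in the GPO.
# Run as a local administrator and test on a non-production server first.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels (also the subkey names under CodeIdentifiers)
$Disallowed   = 0
$Unrestricted = 262144      # 0x40000

# Locations that stay runnable. The first two are the registry-path rules SRP
# creates by default so that Windows itself keeps working; the third is the
# line-of-business application (path is an assumption).
$AllowedPaths = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%',
    'C:\Program Files\Intuit\QuickBooks'
)

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # One GUID-named subkey per rule under <level>\Paths
    $key = "$Safer\$Level\Paths\$([guid]::NewGuid().ToString('B').ToUpper())"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

New-Item -Path $Safer -Force | Out-Null

# 1. Write the allow rules first so the server is still usable once the default flips.
foreach ($p in $AllowedPaths) {
    Add-SaferPathRule -Level $Unrestricted -Path $p -Description 'Permitted on terminal server'
}

# 2. Everything not matched by a rule is refused to run.
New-ItemProperty -Path $Safer -Name 'DefaultLevel' -PropertyType DWord -Value $Disallowed -Force | Out-Null

# 3. Enforcement scope: TransparentEnabled 1 = all software files except DLLs
# (2 = include DLLs, stricter but more to test). PolicyScope 1 exempts local
# Administrators so you cannot lock yourself out of your own server.
New-ItemProperty -Path $Safer -Name 'TransparentEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'PolicyScope'        -PropertyType DWord -Value 1 -Force | Out-Null

# 4. File types the path rules apply to; MSI and LNK matter most on a terminal
# server because they are how users install software and pin shortcuts to it.
$Types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
         'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
         'SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $Safer -Name 'ExecutableTypes' -PropertyType MultiString -Value $Types -Force | Out-Null

Write-Host 'SRP written. Run gpupdate /force, then log on as a test user and confirm'
Write-Host 'that a copy of notepad.exe placed in %TEMP% is refused to run.'
```

Two checks before trusting the policy: the Program Files allow rule means any folder under Program Files that remote users can write to becomes an execution path, so review NTFS permissions on the application folder; and because the default is Disallowed, log on as an ordinary terminal server user after gpupdate to confirm the application still starts and that an executable copied into the user's profile does not.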

Ask Jack: If you have a DIY question, email it to me, and I'll do my best to answer it. (Read guidelines about submitting DIY questions.)

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

5 comments
carl212

I know I'm a bit late with this but I just discovered this article today. I definitely agree with "techr" above. Having tried out a number of different configurations at the Chicago SEO company where I work, 2K8 definitely seems like the better choice.

Realvdude

Having done a little research into RDP, I believe that the security options for terminal services in 2K8 are stronger. Also not mentioned yet are the memory requirements for terminal services clients: how many concurrent clients are you planning to support? As for the QuickBooks aspect, how many users per client are you expecting? If it is just a few, would QB Online be more cost-effective?

Justin James

I would *never* expose a terminal server over a VPN. The correct answer is, "require VPN access to get to the terminal server". Then, you can tightly control the resources that VPN users have access to (restricting it only to the Terminal Server, for example), while adding a layer of security to your system. Do you *really* want the outside world being able to directly pound on the machine that is hosting Quickbooks?

"The answer to this question is not that simple; you need to consider how much security you need vs. how much security you trust your users with."

This is QUICKBOOKS. This isn't... I don't know... the TPS reports. QB is the *lifeblood* of any given company. The compromise of QB data is not only crippling to the company, but potentially puts their customers at risk too for losses. This is no "balancing" of security here. PERIOD. The QB data needs to be protected at all costs.

"I can say with 100% certainty that you do not want your QuickBooks data file being written to over a VPN. QuickBooks might be one of the most sensitive applications I have ever worked with. The slightest hiccup in a network can cause a lost connection with the data server, and it can also cause data loss or corruption."

There is a (very expensive) solution for this, and that's the Enterprise version of QB that uses a database on the backend, allows multiple users to be connected, etc. I *still* wouldn't have people install QB locally and access it over the VPN though, unless their computers were centrally managed by the company and things like antivirus could be maintained. Most smaller businesses aren't going to be set up for this, unless their IT staff has a ton of extra time. A nightmare scenario in my mind is someone using their home PC to access an app like QB, their PC has a virus of some sort, and the QB data gets stolen or destroyed.

J.Ja

jstevensfit

In addition to what Jack mentioned, there are other things that you have to consider. Considering the VPN solution, depending on what networks in your organization are accessible via the VPN, you might be giving your customers access to more resources than you want them to have. Considering the terminal server solution (which I think could be the best of the two), licensing becomes an issue with some applications. For example, if you install Microsoft Office on a terminal server, you as an organization are supposed to make sure that the end users using the software already own a copy of the exact version of the software or higher (this varies based on your agreement with Microsoft, i.e. Volume Licensing, etc.). So, depending on the policy of the software company of the software you want to install on the terminal server, I personally would try to implement the terminal server solution (for a customer-based solution).

douglas.gernat

The terminal server route is the best option, but by proxy, and as in most decisions, the more expensive one. Not only do you have to be concerned with the EU applications (very good point @jstevensfit), but also the terminal server CALs, and the labor of setting up a robust enough GPO or local policy to keep the users from making changes or disrupting other items. The VPN route is quick and easy, but again, as stated, leaves too much access to the user in most cases.