
Supporting remote users with VPN


I've had only one instance of having to support a remote user, and the challenges it presents can be, at best, quite difficult, or, in the worst case, practically impossible. This is especially true considering that this particular user was almost 100 miles away from the office, and providing step-by-step phone support to a user who's struggling through an issue has never been my primary means of providing support. All my users are supported face-to-face and in person, and I can sit down, if necessary, at any computer and go on a search-and-destroy mission in my quest to solve any particular problem.

I initially had issues with this user's means of accessing the Internet, which was everyone's worst enemy: a satellite connection. The first challenge I had was not solving the latency problem, but learning what the heck the word even meant. Well, I eventually learned all about it and how to solve it. However, the connection was anything but reliable, and I had to go through myriad questions each and every time I received that dreaded phone call: "Joe, I lost my Internet connection. What should I do?"

Well, I always went through the normal troubleshooting steps, such as power-cycling the router and modem, confirming that the network device had not become disabled, and so on, but more often than not, the real problem was either an abundance of snow on the satellite dish, or we just had to wait for the orbiting satellite to properly align itself with Jupiter and Mars. I was never so thankful as I was when he finally was able to get a broadband connection in his neck of the woods -- and he really was in the neck of the woods!

Using a nifty little software program called SSH Sentinel, I was able to give him safe, easy and reliable VPN service by simply allowing him a gateway through my router and mapping network drives on his computer. He couldn't work with the files as though he were in the office, though; instead he had to copy files to his local computer, change them as needed, and then copy them back. Simply copying files back and forth was fast enough, but trying to work with them through a running application was simply too slow.

Now that I'm faced with installing Vista on this user's new computer, it's probably a good time to readdress the best way to establish a safe and simple VPN connection over a broadband Internet connection. Instead of upgrading that SSH Sentinel software to a Vista-compatible version, I think I'll look for ways to do it totally within the Windows environment itself.

My VPN considerations are as follows:

1. Perhaps I should consider upgrading my VPN/firewall router. This particular Linksys model, although it's working perfectly, can't have its firmware upgraded, hasn't had a firmware upgrade since 2002, and isn't supported with Vista; for $100 or so, it might be a worthwhile investment to get a current model.

2. Should I consider configuring my VPN totally within the Windows environment, or rely on a third-party service or software?

3. There are bound to be more remote access requests from other users, either of the permanent variety or because of employee travel that might require remote access.

4. Will my current Windows 2000 Server environment be treated differently than my next server upgrade, either to SBS 2008 or Server 2008?

Let's consider this a study in VPN possibilities and considerations.

27 comments
doeslayer

What is wrong with using LogMeIn? All of their products seem to work as advertised.

rabebox-info

I have been using LogMeIn for about 3 years. We have 100 of our customers on our 1 free account. It takes about 2 minutes to add a new computer to the account. We also use LogMeIn Rescue for about $1K/year for unlimited one-time help desk sessions. For VPN, try LogMeIn's Hamachi VPN service. There is a free version and it is the simplest thing to set up. Once again, it only takes about 2 minutes to set up a VPN network and about 2 minutes to add new computers.

ServiceTech

Whether they are one mile or a thousand miles away, the principles don't change. It takes a certain set of skills to support remote users, skills that a lot of Techs don't have and some simply don't want. As I write this, I'm finishing the process of creating a utility that will query the hardware and User settings on the remote PC. That way, I can ask the User to click on an icon and read/send the results to me. It displays such items as: IP address, Hostname, Asset tag, Serial number, Last boot time, User ID, Network ID, Internet and Intranet ping results, default printer name and port, available drives, OS type and Installed memory, among other settings. With this info in hand, I can tell if they are inside my network, outside my network or connected with VPN. All of which makes a difference as to what resources are available to the end user. This is the result of the frustration experienced trying to support hundreds of PCs that I can't touch in person. But then, isn't that the true issue and not the distance away?

Joe_R

What should be considered? What are the VPN options? What has been successful for your organization?

hugo.mariani

For a SOHO appliance, I currently use OpenVPN (VPN over SSH). I have a Linux box at home, which works as the VPN server, and I connect to my job either with a Windows XP or a Linux box as client. I don't have a static IP address, but OpenVPN is able to understand dyndns services (like NO-IP). And it works really fine! Even OpenVPN's wiki is quite simple to understand!

victorr837

I use a batch file to extract customized sysconfig information from my users' computers to track hardware & software configurations/changes. It's simple & requires minimal intervention. How different is your utility compared to the built-in sysconfig?

peter

Any thoughts of putting this util up as a download on TechRepublic?

Lovs2look

He's just indicating to the audience (many of whom may be noobs) that he couldn't just hop in a car and pop over there. The distance was significant... hence the need for a VPN or other solution. Hope this helps with your understanding of the problem.

Lovs2look

A fixed IP address! It makes it so much easier when both parties have fixed IPs. Not impossible with DHCP, but harder, fiddlier.

Michael Kassner

I agree, but I might consider a different route in the scenario you described. Since it is a single user, I might look at a web-based application like LogMeIn. It is painless and will meet all of your requirements. It is especially useful if the remote worker is mobile.

JPLconsultant

I have several customers, each of whom has multiple users at their site(s). I find that I have three big considerations when doing remote support (which for me consists of taking control of the computer): a reliable VPN connection with speed, the tool to manage the VPN, and good software for the remote control. This is my general philosophy that tends to work well.

My first task is a reliable VPN connection with some good speed to fight latency. It doesn't matter whether the VPN is managed by dedicated hardware (router) or your OS; you need reliability and speed. Therefore my customers must have broadband (cable or DSL). With one exception, my customers fork over the extra $10/month to get a static IP. Not having a static IP at both ends is OK, but you may have to rebuild the VPN each time the IP changes. Or you may choose to implement a Dynamic DNS. For my customers and me, $10/month for a static IP is worth it.

The second issue is the tool that will manage the VPN. I personally don't like the idea of letting the OS manage the VPN. I'll be the first to acknowledge that I'm no Linux or Mac expert, but I think my OS concerns may apply to them. The OS has a lot going on just to sit there and do nothing. It's vulnerable to viruses and other malware, and vulnerable to crashes and lockups. Plus it's slower than a hardware solution. In general, an OS-based solution requires more upkeep than a dedicated hardware solution. I like to let my router manage the VPN. It's a dedicated machine that can handle the load more efficiently than an OS. Whenever you can limit the involvement of software in the management of core networking technologies, the better off you'll be (IMHO). I've had good experience with the Netgear ProSafe VPN Firewall family. Skip the Netgear home-use stuff. I've also had good success with D-Link. Cisco, WatchGuard, Astaro, and others may be better, but they're more expensive than my customers can handle. Whatever you choose, make sure it's business-class.

So the above gets you a solid device to manage your VPN, a fast connection, and reliability. Now the next piece is to figure out what remote support tool you'll use. I use RealVNC for many of my customers. For a few, I use the built-in Windows RDP tool. There are others out there, but I think you'll want to look at your needs and compare the ability of the tools to meet those needs. Whatever tool you use, understand that it's never going to be just like sitting at the machine. I recommend you set the options to disable or reduce the things that tend to eat up bandwidth: reduce colors to 256, don't display the desktop picture, etc.

JPL

ServiceTech

Sysconfig gives information overload to the help desk. My script extracts just the needed information to diagnose most issues. It's almost complete. I just have to add the dropdown boxes to be able to send it to any one of nine different Techs or the Help Desk. At this point, it retrieves:

  - the Hostname
  - for each network adapter installed: the adapter name, IP address, MAC address, DNS server list, WINS server list, whether the address is Static or DHCP assigned, and whether the Media is disconnected
  - the DNS suffix search list
  - ping status between remote sites and the Internet
  - Manufacturer, Model, Chassis type, Serial number, Asset Tag
  - OS and Service Pack
  - Image clone date and Image startup date
  - Processor type and speed rating, and current processor speed
  - Installed memory and Pagefile Min/Max size
  - Local Username, Local Profile name, Novell Username, Novell logon server
  - Available drives, type and status
  - for each printer: Printer name, Port name, Driver name, and if it's the Default
  - the last boot time, System uptime, and Current time

I think I have most of my bases covered. Any suggestions to add anything else? To see what the output looks like, copy and paste the text below and save it as output.html and then open it with a web browser.

  Remote Diagnostic Utility by Service Tech
  Computer name : Bldg50

  Adapter Name : Intel(R) PRO/1000 MT Server Adapter
  IP Address   : 0.0.0.0 - DHCP, Link down
  MAC Address  : 00:00:00:0F:AD:0B
  DNS Servers  : 192.16.xxx.39
  WINS Servers : 192.16.xxx.19

  Adapter Name : Intel(R) PRO/1000 MT Network Connection
  IP Address   : 192.16.xxx.29 - Static
  MAC Address  : 00:00:80:AA:A0:E2
  DNS Servers  : 192.16.xxx.97
  WINS Servers : 192.16.xxx.98

  Adapter Name : Intel(R) PRO/1000 MT Network Connection #2
  IP Address   : 0.0.0.0 - DHCP, Link down
  MAC Address  : 00:00:8B:00:AA:E0
  DNS Servers  : 192.00.100.97
  WINS Servers : 192.00.100.98

  DNS suffix search list : abcd / xx.sta.xx.xx / xx.sta.xx.xx

  Ping XD03 Success 0ms to address 172.16.000.000
  Ping XT01 Success 0ms to address 172.16.000.000
  Ping X01 Success 0ms to address 172.16.000.000
  Ping OutsideAddress.xxx Success 38ms to address 64.000.000.000

  Manufacturer     : Dell Computer Corporation
  Model            : PowerEdge 2850
  Chassis type     : Rack Mount Unit
  Serial Number    : 3xYxxx1
  Asset Tag        : Internal Asset Tag
  Operating System : Microsoft(R) Windows(R) Server 2003, Enterprise Edition - Service Pack: 1.0
  Image creation date    : 01/12/2004 11:43:00 AM
  Image (re)install date : 12/18/2005 3:41:40 PM
  Processor 1 : Intel(R) Xeon(TM) CPU 3.20GHz
  Processor 2 : Intel(R) Xeon(TM) CPU 3.20GHz
  Processor 3 : Intel(R) Xeon(TM) CPU 3.20GHz
  Processor 4 : Intel(R) Xeon(TM) CPU 3.20GHz
  Current CPU Speed  : 3.19 GHz
  Installed Memory   : 2048 MB (Approx.)
  Pagefile Min ~ Max : 2046 MB ~ 4092 MB
  Local Username  : xxxxxxxx
  Novell Username : xxxxxxxx
  Logon Server    : xAD03
  Available Drives : A=Removable, C=HDD, D=HDD, F=Net, G=Net, H=Net, I=Net, L=Net, O=Net, P=Removable, R=Net, U=Net, V=Net, W=CD/DVD, X=CD/DVD, Z=Net

  Printer # 1 : HP LaserJet 4100 Series PCL on Bld3ne104 (from Bld5NE73) in session 2 [DEFAULT]
    Port Name : TS004
    Driver    : HP LaserJet 4100 Series PCL
  Printer # 2 : PQXEROX.PRINTING.XXX on OurDomainName (from Bld5NE73) in session 2
    Port Name : TS003
    Driver    : Xerox WorkCentre Pro C3545
  Printer # 3 : HP LaserJet1300 Series PCL
    Port Name : LPT1:
    Driver    : HP LaserJet 8150 Series PCL
  Printer # 4 : HP LaserJet 5Si
    Port Name : LPT1:
    Driver    : HP LaserJet 5Si
  Printer # 5 : HP LaserJet 4 Plus
    Port Name : LPT1:
    Driver    : HP LaserJet 4 Plus
  Printer # 6 : HP DeskJet 895Cse
    Port Name : LPT1:
    Driver    : HP DeskJet 895Cse
  Printer # 7 : HP Color LaserJet 4730mfp PS on xxxxd91 (from EE405) in session 1
    Port Name : TS002
    Driver    : HP Color LaserJet 4730mfp PS
  Printer # 8 : \\OurDomainName\ROX.PRINTING.xx.FFF
    Port Name : \\NDPS02
    Driver    : Xerox WorkCentre Pro C3545
  Printer # 9 : \\OurDomainName\UNIT.PRINTING.XX.NNNS
    Port Name : \\NDPS01
    Driver    : HP LaserJet 8150 PCL 5e
  Printer # 10 : \\OurDomainName\E801.PRINTING.BB.XXS
    Port Name : \\NDPS03
    Driver    : HP Color LaserJet 4730mfp PS

  Last Boot Time : 1/3/2008 5:43:54 PM ~ 496 Hours ago (Approx.)
  Current Time   : 1/24/2008 9:50:41 AM
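The useful decision in ServiceTech's report is the one he names in his earlier post: from the adapter addresses and the ping results, tell whether the PC is inside the network, outside it, or on the VPN, because that decides which resources the user can reach. The script below is an added example, not ServiceTech's utility or any code from this thread: it parses a small plain-text report in the same label/value shape as the output above and classifies the connection location. The office subnet (192.168.10.0/24), the VPN client pool (10.8.0.0/24), the internal ping target names and the three sample reports are all constructed for this example and would be replaced with a site's real address plan.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed address plan, constructed for this example: the office LAN and the
# pool the VPN gateway hands to remote clients. Replace with the real ones.
OFFICE_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]
# Report names of hosts that only answer from inside the LAN or over the VPN.
INTERNAL_PING_TARGETS = {"XD03", "XT01"}

_ADAPTER_RE = re.compile(r"^Adapter Name\s*:\s*(?P<name>.+?)\s*$", re.I)
_IP_RE = re.compile(
    r"^IP Address\s*:\s*(?P<ip>[\d.]+)\s*-\s*(?P<mode>Static|DHCP)"
    r"(?P<down>,?\s+Link down)?", re.I)
_PING_RE = re.compile(
    r"^Ping\s+(?P<target>\S+)\s+(?P<status>Success|Failed)"
    r"(?:\s+(?P<ms>\d+)ms)?\s+to address\s+(?P<addr>[\d.]+)", re.I)


@dataclass
class Adapter:
    name: str
    ip: str = "0.0.0.0"
    mode: str = ""
    link_up: bool = True


@dataclass
class Report:
    adapters: list = field(default_factory=list)
    pings: dict = field(default_factory=dict)  # target -> (ok, ms or None)


def parse_report(text):
    """Parse the label/value lines; unrecognised lines are ignored."""
    rep, current = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ADAPTER_RE.match(line):
            current = Adapter(m["name"])
            rep.adapters.append(current)
        elif (m := _IP_RE.match(line)) and current is not None:
            current.ip, current.mode = m["ip"], m["mode"].upper()
            current.link_up = m["down"] is None
        elif m := _PING_RE.match(line):
            ok = m["status"].lower() == "success"
            rep.pings[m["target"]] = (ok, int(m["ms"]) if m["ms"] else None)
    return rep


def live_addresses(rep):
    """Addresses on adapters that are up; 0.0.0.0 means no link or lease."""
    return [a.ip for a in rep.adapters if a.link_up and a.ip != "0.0.0.0"]


def classify(rep):
    """Return inside | vpn | vpn-no-internal-reach | unknown | outside."""
    ips = [ipaddress.ip_address(ip) for ip in live_addresses(rep)]
    internal_ok = any(ok for t, (ok, _) in rep.pings.items()
                      if t in INTERNAL_PING_TARGETS)
    if any(ip in net for ip in ips for net in OFFICE_SUBNETS):
        return "inside"
    if any(ip in net for ip in ips for net in VPN_POOLS):
        # Tunnel address assigned but no internal host answers: the
        # "VPN says connected but nothing works" call.
        return "vpn" if internal_ok else "vpn-no-internal-reach"
    if internal_ok:
        # Internal hosts reachable from an address we do not recognise:
        # the address plan above is probably stale, so do not guess.
        return "unknown"
    return "outside"


def internet_ok(rep):
    """True if any non-internal ping target answered."""
    return any(ok for t, (ok, _) in rep.pings.items()
               if t not in INTERNAL_PING_TARGETS)


# Constructed sample reports in the same label/value shape as the output.
SAMPLE_INSIDE = """\
Adapter Name : Intel(R) PRO/1000 MT Network Connection
IP Address : 192.168.10.29 - Static
Adapter Name : Intel(R) PRO/1000 MT Network Connection #2
IP Address : 0.0.0.0 - DHCP, Link down
Ping XD03 Success 0ms to address 192.168.10.5
Ping OutsideAddress Success 38ms to address 203.0.113.10
"""
SAMPLE_VPN = """\
Adapter Name : Home LAN
IP Address : 192.168.1.104 - DHCP
Adapter Name : TAP-Windows Adapter V9
IP Address : 10.8.0.6 - DHCP
Ping XD03 Success 41ms to address 192.168.10.5
Ping OutsideAddress Success 38ms to address 203.0.113.10
"""
SAMPLE_OUTSIDE = """\
Adapter Name : Home LAN
IP Address : 192.168.1.104 - DHCP
Ping XD03 Failed to address 192.168.10.5
Ping OutsideAddress Success 120ms to address 203.0.113.10
"""
```

Adapters that report 0.0.0.0 or "Link down" are ignored, so a dormant second NIC never masks the real answer. A PC holding an address from the VPN pool but unable to ping an internal host is reported as its own case rather than as "vpn", since that is the situation a help desk most often needs to distinguish; and an internal host reachable from an address outside every known range is reported as "unknown" rather than guessed, because it usually means the address plan in the script no longer matches the network.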

ServiceTech

For a preview of what the output looks like, check my reply a couple of posts down. Just copy the text that begins with into a text editor and save as a .html file and then open it with your browser. Do you have any suggestions to add to the output? I'll post the script when it's complete. I just have to add the dropdown boxes for emailing the results to one of several Techs. Thanks, Roger

Jim Buttery

It's a lot easier for me to write a script and let the user run it to get that info.

Joe_R

It is spot on.

rfreestun

I support clients running our SQL database application around Australia, and most are outback (i.e., no ADSL, usually satellite or Next-G/3G broadband). Next-G/3G doesn't provide a routable IP address at the customer's end, so the only solution here IS to set up a VPN connection. TightVNC is fabulous for remote access TO the user's PC (via dial-up or ADSL) for support, but for them to access us is problematic, as VNC points (via NAT) to a specific PC, and only one user can operate the PC at a time. Using VPN then RDP to an Application Server on SBS 2003 is the way I'm intending to move shortly (multiple desktops in Application Server mode). I've tested it with several users, and it's vastly better using Terminal Services compared to trying to run the application locally on the user's remote PC (apart from the setup time). I prefer Microsoft's VPN option in Windows XP (and Vista?), but have previously used the Cisco VPN client, and found it very successful. You need to be a Cisco site, though, in order to get the client.

papa

I wrestled with this beastie too. Finally, we went with:

1. Static [fixed] IP
2. D-Link VPN router to manage user entry access.
3. Remote Desktop.

Good bandwidth compromise; users have all their apps because they are "at" their desks. Files can be transferred using Windows Explorer to the remote PC. Of course it requires a desktop PC at the main office.

Joe_R

Thanks for posting your message. As a quick (and possibly temporary) solution I did indeed use LogMeIn. It does work very well for remote access. I may or may not keep it as a long-term and permanent solution, however; but then again, I just might. In my case, the remote user seldom needs the remote access. And for that occasional need, it's a great solution. At the very least, it did allow me to take this particular issue with this particular user off of my list of things to do, and put it on my list of things to consider for the future.

Joe_R

Thanks for posting it.

techrepublic.com.com

For an IT consultant you seem to have a blind spot for some basic IT essentials. Every IT component nowadays has an operating system, even if it's fried into Flash or EEPROM. I guess that some 80% of the devices or appliances, with the exception of the network components of Big Iron vendors like Cisco and Juniper, are actually built upon the Linux kernel. From KVM switches and anti-malware appliances up to our Brocade SAN switches (handling 48 ports @ 4Gbit/s at wirespeed simultaneously...). And those are devices where any hiccup is large-scale disastrous. But when it comes to running a VPN on top of Windows I can only agree with you.

thelegman7

I use the LogMeIn free version to help friends and family on 3 different continents. It works great.

bonkyhead

Free remote workstation sharing software: www.crossloop.com. Download and install on both ends, put in a couple of code numbers on your end, click connect, get permission from your client's end, and wham - you're working, baby. Free...

CG IT

I don't even recommend using VPN to connect; rather, use the Remote Web Workplace. Users can do just about everything they need to using RWW and it's done with https. I personally like SBS 2003 RC2 Premium Edition as it has ISA Server 2004. ISA as a proxy/firewall gives your network added security. Note: future Small Business Server versions will NOT come with ISA Server [though I hear MS might reconsider. However, that's the plan with the new SBS "Cougar".]

Michael Kassner

Glad to hear it was of some use. Their for-pay applications are pretty interesting as well. I had to use the troubleshooting one once to get a remote user up and running just before he was to give an important presentation. I know how you feel being able to take at least one thing off of the to-do list.

JPLconsultant

Yes, you're right that many hardware devices have an OS of some capability. I was trying to make the point that I don't like to use the computer operating system (Windows Server, Linux, OS X, etc) for the purpose of managing a VPN. While it may be true that a hardware VPN device has an OS, the OS is going to be tailored to the specific purpose(s) of the hardware making it a better solution (in my opinion), than using a more "generalized" OS, like XP, OS X, Linux server, Server 2003, etc. These tend to require more overhead and have more things going on to make them more prone to failure or slowness. While they can technically do the job, I find I have better experience with hardware that's developed for the specific job, and has an OS optimized for it. Is that better? :)

jmcrgr8976

I personally use TeamViewer, because the other party knows you're there. A friend of mine likes RealVNC, connected through Hamachi software. You NEVER have to configure IPs on either PC with either software. If anyone needs any Windows-based help with their PC, just email me. jmcrgr8976@yahoo.com