Two weeks ago, in my March 23 Microsoft Challenge, I asked for input on the best way to set up remote access to a small Windows 2000 network for a fleet of mobile users. I didn't get a single definitive answer, but I got exactly what I needed. Thanks to a group of very smart TechRepublic members, I now have enough information to weigh the pros and cons and make the right decision.
Should I set up a virtual private network (VPN)? Use Remote Access Services over dial-up lines? Or is Terminal Server or Citrix's WinFrame a better solution? If you're going through the same decision-making process, I urge you to read the complete thread. It's chock-full of detailed information covering a complete range of options.
Mjones pointed out, rightly, that I hadn't supplied enough details. Developing a good strategy, he writes, requires answers to some key questions, such as "How many in a 'fleet'? How often do they need access? Where are you?" In his office, VPN was the landslide winner even with only a half-dozen remote users: "Fifty percent of our users have access to high speed networks when remote. Why throttle them with a dial-up connection? And it didn't really cost us anything. We started with NT and PPTP, which was OK, then we procured new firewalls, which just happened to have an IPSec VPN option, which is much easier and faster to work with."
AJKing was even more bullish on VPN: "VPN vs. RAS? No contest. VPN is the road warrior's dream. It is also the admin's and accountant's dream." He points out that with RAS, you not only have to maintain the RAS server/services, you also have to maintain a small ISP of modem racks, pay the monthly charges on digital lines, and set up an 800 number so that users don't rack up hotel phone bills. With VPN, users make local calls to a big ISP like AT&T and get on the network through the firewall with something like RSA ACE/SecurID ."
Mahdeekus assumed, based on the tone of my question, that cost is less of a factor than security. In that case, he recommends RAS over dial-up lines with NT authentication as "a far more secure option than VPN. RAS will be easier to administer in terms of individual user access via permissions and groups." Don't want users to have to run up their own phone charges? Set up some toll-free incoming lines.
VPN earned kudos for its relatively low cost and ability to work at high speeds. That makes it appropriate for setups where remote users routinely plug into a high-speed network at a remote office. The downside? It requires a static IP address, is relatively hard to setup and administer, and may require third-party add-ons to tighten security.
Proponents of RAS point out that it's relatively simple to set up and administer, and it's more secure from random over-the-Net hack attacks. The biggest drawback is cost and complexity, both of which continue to increase as you scale up the capacity of the remote-access network.
Several members suggested I look at Windows 2000's Terminal Services or Citrix's MetaFrame server. This solution might be overkill (financially and logistically) for a small network, but if a significant number of remote users need access to apps and not just e-mail, it could be a viable option.
Whatever you decide to do, make sure you think it all through. In my original question, I said, "I want to make sure my network is safe from intruders." TechRepublic member michaelmoore pouncedon that one: "You don't want much, do you? You are opening your network to outside access, so any solution must rely on encryption and strong authentication. Since you say mobile, not remote, users, VPN is probably your best bet. Provide your users accounts on a large ISP, configure IPSec and L2TP, expire certs frequently, enforce strong passwords, and monitor your connections. Also develop contingencies for lost PCs or compromised passwords, and make sure your users know exactly what their responsibilities are. And kick butts when you need to."
Words to live by. Thanks to all respondents for a valuable discussion. I've awarded 500 TechPoints to every TechRepublic member quoted in this column.
Here's Ed's new Challenge
OK, I've settled on VPN, and I need your help once again. My small (10 users) network accesses the Internet through a 1-Mbps DSL line and Microsoft's Proxy Server. Where do I go from here? What kind of mistakes am I likely to make? Help me avoid the pitfalls and get my VPN running smoothly, securely, and as quickly as possible. The best suggestions (and confessions, if you've learned the hard way) will appear in my next column, with contributors earning a total of 2000 TechPoints. Tackle this week's Microsoft Challenge !