Looking for solutions to allow remote users access to their internal psychical computers
- 
 @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible. You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process. True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much. For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier. yeah I know its a balance. We have had a few trade offs between password length and expiration time 
- 
 @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: Login 1 : User logs into business issued laptop 
 Login 2 : User connects to company over SSLVPN using domain credentials
 Login 3 : User connects to their internal physical PC via RDP using their domain credentialsDo they use the domain credentials to log in on the laptop as well? What's the timeout on the laptop / VPN link / desktop (over RDP) that would require them to have to login again? Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? 
- 
 @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? I'm curious how this plays into the current conversation? 
- 
 @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? I'm curious how this plays into the current conversation? OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins. 
- 
 @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? I'm curious how this plays into the current conversation? OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins. aww - definitely understand the bandwidth portion, but not the creds/logins though. 
- 
 @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? I'm curious how this plays into the current conversation? OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins. aww - definitely understand the bandwidth portion, but not the creds/logins though. Split tunneling is in general considered less secure because the user's computer is basically bridging the internet and your corporate network. And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. When not using multi-factor authentication for the VPN tunnel (which the OP isn't) you are more susceptible to phishing attacks. With split-tunneling and no 2FA on the VPN it's much easier to trick the users to enter their credentials into something that looks just like real thing. That's how it ties into the security - overall risk. Here are some covid-19 recommendations for VPNs. 
 https://www.us-cert.gov/ncas/alerts/aa20-073aMicrosoft have some new recommendations on how to do split tunneling VPN, particular with O365 and on-prem, to make it secure and to take load and bandwidth off the VPN connection. Not related to security but it's also possible to have a bandwidth limitation in the VPN appliance without having a bandwidth limitation on the WAN link. There is usually a maximum VPN bandwidth in the firewall / VPN appliance. 
- 
 I don't know the best solution to @dave247 and his clunkyness problem. But I'm thinking if you can raise the security on the VPN link with 2FA, you could probably relax screen savers, VPN link timeouts and other things. Workers that are 100% remote should basically only have to login once per day and establish their RDP session and then just have screen lock on their laptop. 
- 
 @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected? I'm curious how this plays into the current conversation? OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins. aww - definitely understand the bandwidth portion, but not the creds/logins though. Split tunneling is in general considered less secure because the user's computer is basically bridging the internet and your corporate network. And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. When not using multi-factor authentication for the VPN tunnel (which the OP isn't) you are more susceptible to phishing attacks. With split-tunneling and no 2FA on the VPN it's much easier to trick the users to enter their credentials into something that looks just like real thing. That's how it ties into the security - overall risk. Here are some covid-19 recommendations for VPNs. 
 https://www.us-cert.gov/ncas/alerts/aa20-073aMicrosoft have some new recommendations on how to do split tunneling VPN, particular with O365 and on-prem, to make it secure and to take load and bandwidth off the VPN connection. Not related to security but it's also possible to have a bandwidth limitation in the VPN appliance without having a bandwidth limitation on the WAN link. There is usually a maximum VPN bandwidth in the firewall / VPN appliance. We do split tunneling since it doesn't make sense to send/receive ALL traffic through the VPN connection. The connection is secure since we use our security appliance's specific SSLVPN application for users to connect through with specifically configured settings. 
- 
 @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: Split tunneling is in general considered less secure because the user's computer is basically bridging the internet and your corporate network. And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. While true, you have that risk with VPNs anyway because even if you don't split the traffic, the end point device goes to "dangerous" locations then returns so acts like it is split all the time. VPNs are just a huge danger in general. 
- 
 @Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers: I'm not entirely sure how you solve that? If you allow the RDP to save credentials, you remove the clunk after connection for the first time. Then they authenticate with VPN and 2FA, followed by a saved credential RDP connection. Not my preference, but it is a way to de-clunkify the double login. 
- 
 @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info. 
- 
 @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: Just adding 2FA to RDP is a better option. Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels. 
- 
 @JasGot said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info. RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky. 
- 
 @JasGot said in Looking for solutions to allow remote users access to their internal psychical computers: @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: Just adding 2FA to RDP is a better option. Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels. You'd have to open something, but not necessarily 3389. A VPN also has to have a port open. So that particular risk remains the same with either approach. 
- 
 I know this is late to the discussion, but the State of Kentucky uses two different types of VPN connections. PaloAlto Applicance And SSL-VPN -which opens RDP session to the end users desktop. The desktop has to be defined in the parameters. The SSL-VPN is routed via a Third Party. Open a browser, log in, click your RDP session and there you go... 
- 
 @JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: I know this topic is all the buzz right now.. Currently we are having our users remotely access their internal computers by using secured laptops as "dumb terminals" as they establish an SSLVPN connection to our firewall/security appliance and then RDP from said laptop into their workstation. It works ok but the user experience is clunky with multiple logins and we have had various issues/concerns and hope to eventually get something in place that works better. I was looking at Citrix and VMware Horizon 7 and they have some "remote to PC" options that are included with each of their main packages. It would obviously be a waste to purchase an expensive product for the purpose of using one single side-feature that lets remote users access their internal company computers. So I wanted to see if you guys could provide any suggestions. I understand there may be a lot of resistance here against a lot of these products since they are big and expensive and may not be wise business choices, but I am trying to work with what I have and what I know and I know that I don't know much.. If anyone can point to a product/service/mixture of technologies that would help users directly connect to their internal computers while providing a simple and solid user experience, that would be a huge help. ZeroTier (with Flow rules) + RDP is how I solved this for my clients. After reading everything, this is honestly the simplest and most transparent to the users. You don't need an RDS gateway, you don't need to sign into a VPN. Clients are allowed on the SD-WAN by a centralized control and then the users can just RDP to their desktops. It's two steps: - Login into local machine
- RDP into desktop.
 
- 
 @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @JasGot said in Looking for solutions to allow remote users access to their internal psychical computers: @Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers: And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this. We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info. RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky. That's interesting - how does the assumed ties do that? I'm not disagreeing, just not understanding. As for the safety of RDP - on the surface I agree with Scott, RDP does use the same tech as VPNs and I assume SSH as well. Unfortunately, even recently RDP has been found to have authentication bypass flaws. I'm assuming SSH doesn't mainly because it's so old, and open source. 
- 
 @stacksofplates said in Looking for solutions to allow remote users access to their internal psychical computers: @JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: I know this topic is all the buzz right now.. Currently we are having our users remotely access their internal computers by using secured laptops as "dumb terminals" as they establish an SSLVPN connection to our firewall/security appliance and then RDP from said laptop into their workstation. It works ok but the user experience is clunky with multiple logins and we have had various issues/concerns and hope to eventually get something in place that works better. I was looking at Citrix and VMware Horizon 7 and they have some "remote to PC" options that are included with each of their main packages. It would obviously be a waste to purchase an expensive product for the purpose of using one single side-feature that lets remote users access their internal company computers. So I wanted to see if you guys could provide any suggestions. I understand there may be a lot of resistance here against a lot of these products since they are big and expensive and may not be wise business choices, but I am trying to work with what I have and what I know and I know that I don't know much.. If anyone can point to a product/service/mixture of technologies that would help users directly connect to their internal computers while providing a simple and solid user experience, that would be a huge help. ZeroTier (with Flow rules) + RDP is how I solved this for my clients. After reading everything, this is honestly the simplest and most transparent to the users. You don't need an RDS gateway, you don't need to sign into a VPN. Clients are allowed on the SD-WAN by a centralized control and then the users can just RDP to their desktops. It's two steps: - Login into local machine
- RDP into desktop.
 If you want to manage everything from top to bottom, Tinc exists, but I don't see the value over ZeroTier. Especially getting into things like having multiple networks and flow rules. 
- 
 @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @JasGot said in Looking for solutions to allow remote users access to their internal psychical computers: @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: Just adding 2FA to RDP is a better option. Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels. You'd have to open something, but not necessarily 3389. A VPN also has to have a port open. So that particular risk remains the same with either approach. If you're saying you have to open a port to allow VPN to function, and that is the same risk as opening a port for RDP, then I agree with you. 
- 
 @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: @scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers: @dave247 said in Looking for solutions to allow remote users access to their internal psychical computers: I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible. You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process. True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much. For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier. yeah I know its a balance. We have had a few trade offs between password length and expiration time NIST guidelines were updated in 2017. They mostly follow XKCD.  





