Looking for a remote access solution

Dashrender

The Ask: remote access to a client/server app that is on-premise.

The app is subject latency issues - i.e. running the client over a VPN connection will make using the software very slow and painful.

This mostly leads to a VDI type solution, at least in my mind.

Current environment:
App hosted on Windows VM
End users have laptops

Here's my current considerations:
Setup two PCs (old hardware already on hand) in DC for user's to access
Setup accounts on Screen Connect with MFA
Train user to use SC
Cost - zero, own all equipment
or

Purchase Software Assurance for Windows Pro (and maintain these licenses)
Assign two of the new laptops to these users (so SA attaches to those machines legally)
Setup accounts on Screen Connect with MFA
Train user to use SC
Cost - $120/u/2yrs

Am I missing any other cost effective options?

JaredBusch

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

Dashrender

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

1337

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

JaredBusch

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Are you stupid?

1337

@jaredbusch said in Looking for a remote access solution:

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Are you stupid?

Always.

Dashrender

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Jared is saying to RDP into the PC in the DC I mentioned as an option.

But how you were reading it, is how I first read his recommendation - then duh.. realized the RDP part... which is a great idea...

JaredBusch

@dashrender said in Looking for a remote access solution:

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Jared is saying to RDP into the PC in the DC I mentioned as an option.

Which you can also do with VPN solutions.

Dashrender

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Jared is saying to RDP into the PC in the DC I mentioned as an option.

Which you can also do with VPN solutions.

ZT is a VPN solution.

JaredBusch

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

Jared is saying to RDP into the PC in the DC I mentioned as an option.

Which you can also do with VPN solutions.

ZT is a VPN solution.

Not of the type you were discussing. Don't be a Scott.

OpenVPN with MFA: https://openvpn.net/blog/openvpn-mfa-setup-community-edition/

JaredBusch

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

Dashrender

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

There you go - I like that, and Duo has a free tier for 10 users.

scottalanmiller

@dashrender said in Looking for a remote access solution:

This mostly leads to a VDI type solution, at least in my mind.

Start with RDS. Only look at VDI when RDS isn't possible. RDS is easier to manage, less costly. (All this assuming that Windows is a requirement.)

scottalanmiller

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

ZT + RDP IS MFT!!!

scottalanmiller

@pete-s said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

In this example, ZT is just for encapsulating RDP. So it's RDP encryption, not the app over VPN.

scottalanmiller

@jaredbusch said in Looking for a remote access solution:

Not of the type you were discussing. Don't be a Scott.

Always a type discussed if someone mentions VPN and knows anything. ZT is no more special or niche than any other VPN. It's every bit as much a VPN as some random other assumed solution.

To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

scottalanmiller

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

scottalanmiller

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

There you go - I like that, and Duo has a free tier for 10 users.

But not required. You have 2FA without it. ZT cert + RDP password.

Dashrender

@scottalanmiller said in Looking for a remote access solution:

To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

I don't know about that - at least not anymore. The pandemic I think brought VPN and security into the general conscious.

Dashrender

@scottalanmiller said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and it's logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.