Looking for solutions to allow remote users access to their internal psychical computers
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
When you say things are clunky - what exactly do you mean?
If you are seeing performance issues - that could easily be your ISP connection at the office is saturated. How many users do you have VPNing in? what size pipe to the internet?
Clunky means users have multiple logins and other user-unfriendly aspects of using RDP. It would be ideal to have them be able to connect with a single login (or even SSO) and then have their desktop delivered to them quickly and cleanly.
Boy this is a lot to worry about for a temporary situation. I mean if you were looking to move to WFH in general, sure I'd care, but even for 60 days, I wouldn't spend the time or the money. But that's just me.
I'm trying to envision any of the other solutions being 'less clunky.' Sure SSO can help some, my office connects to several hospitals that have SSO, we still have to log into most systems at least twice - once into the citrix/webportal and again to an app on that portal (the app often being RDP inside that portal). Now some of the apps do work with the first login to the Citrix/webportal, but not all.
Well I mean who knows, it could actually end up being long term. It may be worth it if it runs through the year. Plus we may end up keeping some WFH users through all this.
Creating apps that are LANLess would seem like a better solution if possible. Put them on the internet, and don't worry about RDP anymore. I realize this might not be possible, but it should at least be a consideration. You're potentially looking to fundamentally change your workflow... so evaluating the whole thing becomes worthwhile... Don't work from the "goal is to get remote desktop" instead work from - how do we best provide access to our stuff to offsite people.
-
Maybe take a step back. Why are they using an entire desktop? CAD? Something intense on CPU? Or just basic email and O365 stuff? If the latter, just use published apps on a standard MS RD server and (again) eliminate the issued equipment. You could take future steps to go with a thin client via pi0 or whatever, but at the end of the year, you'd have everyone using the RD farm through rdp as a full remote desktop or published apps.
-
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
You'd want to setup a remote gateway and configure it to talk to all of your desktops.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
You log into VPN, then you log into RDP - I assumed that was the multiple logons he was talking about... beyond that, if there are additional ones that don't already exist when users are working onsite, then it seems like something would be wrong.
The idea to get away from two logons (VPN and RDP) seem like a lot of effort.
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
You log into VPN, then you log into RDP - I assumed that was the multiple logons he was talking about... beyond that, if there are additional ones that don't already exist when users are working onsite, then it seems like something would be wrong.
The idea to get away from two logons (VPN and RDP) seem like a lot of effort.
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most companies I know have 2FA (for VPN) and the user enters a pin code into that. But I guess that's a password too in a way.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most VPNs use a login. It's the same mechanism as the RPD login. You can say connect as well, but only in the sense that connect is another way to say login. You "connect" to RPD as well, in the same sense.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
Most companies I know have 2FA (for VPN) and the user enters a pin code into that. But I guess that's a password too in a way.
That's how Windows desktops often connect, too
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most VPNs use a login. It's the same mechanism as the RPD login. You can say connect as well, but only in the sense that connect is another way to say login. You "connect" to RPD as well, in the same sense.
You connect with RDP but the login you enter is for the computer - the only place you actually log into. IMHO.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most VPNs use a login. It's the same mechanism as the RPD login. You can say connect as well, but only in the sense that connect is another way to say login. You "connect" to RPD as well, in the same sense.
You connect with RDP but the login you enter is for the computer - the only place you actually log into. IMHO.
But makes no difference however.
VPN might be an additional step unless you have site-to-site connection. However you don't have to commute, enter a parking garage, security code to building etc etc. So that should make it an even playing field between the hassles of getting to work physically versus connect with VPN.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most VPNs use a login. It's the same mechanism as the RPD login. You can say connect as well, but only in the sense that connect is another way to say login. You "connect" to RPD as well, in the same sense.
You connect with RDP but the login you enter is for the computer - the only place you actually log into. IMHO.
Even for IT people, we use connect and log in interchangeably. In all cases it's just a term for "using credentials to gain access to a resource."
To an end user (or to me) logging into a computer, a VPN, a website, etc. are all the same thing.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
I'm not entirely sure how you solve that?
I suppose an SSO could, The machine itself is a trusted device, you log into the machine - launch VPN (and the creds are unlocked because you logged into the computer so the VPN just connects upon launching) then you launch RDP which then connects automatically to the pre setup device... but you're still launching two things. Of course you could have the system do those automatically upon logging into the machine I suppose.
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
I'm not entirely sure how you solve that?
I suppose an SSO could, The machine itself is a trusted device, you log into the machine - launch VPN (and the creds are unlocked because you logged into the computer so the VPN just connects upon launching) then you launch RDP which then connects automatically to the pre setup device... but you're still launching two things. Of course you could have the system do those automatically upon logging into the machine I suppose.
The issue there is... if you tie the two together, you defeat the purpose of the VPN. The VPN isn't there for the tunnel, but for the 2FA.
-
Just adding 2FA to RDP is a better option.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
I wonder if that would mitigate the authentication bypass problem that RDP had a few months ago?
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
Login 1 : User logs into business issued laptop
Login 2 : User connects to company over SSLVPN using domain credentials
Login 3 : User connects to their internal physical PC via RDP using their domain credentialsOn top of this, sometimes the company issued laptop is encrypted and they must enter a password (if there's no TPM chip).
Then there are usually prompts between the SSLVPN and RDP steps such as SSL cert and other pop-ups. Yes they can check "dont ask again" but this all adds to the chunkiness of everything.We also had some telephony/call quality issues (that I won't go into) but I will say that I'm just trying to find something that makes the best use of the remote session in terms of data transmission, so like RDP vs ICA or something. I'm not too knowledgeable in this area though.
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
Then there are usually prompts between the SSLVPN and RDP steps such as SSL cert and other pop-ups. Yes they can check "dont ask again" but this all adds to the chunkiness of everything.
Those are problems that can be fixed, though. Those particular ones should not be like that.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.