PDQ Link
-
Hi all,
Hope all is well and everyone is safe! It has been a long time since I've had a chance to come back here.
Just got an email from PDQ about their new product called PDQ Link.
From their site and videos it looks like a simplified and automated implementation on the built-in Windows Server roles Remote Access Server (RAS) and Network Policy Server (NPS). In the newsletter I got, they mentioned:
Your next question might be, how much is this going to cost me? We’re offering PDQ Link as a free download through 2020. Download it before the end of 2020 and keep using this version of PDQ Link through 2020, 21, 22, 23, and beyond at no cost.
I also asked them a few questions I could think of and got the answers as well:
Does it support changing the AD password via PDQ Link?
Because PDQ Link relies on user authentication rather than machine authentication, it is only able to communicate with remote devices while a user is logged in. While a user is logged in and connected through PDQ Link, they and their computer will be able to communicate with your domain controllers for things like password changes and group policy updates like normal. Since that connection is not made until after a user is logged in however, you will not be able to remotely reset the password for a user who is not already logged in.
Once PDQ Link is enabled and connected, assuming we can continue using PDQ Deploy & Inventory to do its job without additional changes on DHCP/DNS?
As long as you're making use of AD-integrated DNS zones, PDQ Link is able to update DNS and DHCP as clients connect and disconnect. After the initial configuration, you will not need to make additional changes to DNS or DHCP in order to use PDQ Deploy or PDQ Inventory while connected with PDQ Link.
Any limits on concurrent connections?
While there may be limits based on the bandwidth of the server on which you install PDQ Link, there are no hard caps on the number of connections that PDQ Link allows. PDQ Link can be configured to assign IP addresses to clients either from a static list or using your existing DHCP server, so the only technical limit to the number of connections will be the number of IP addresses available for assignment through whichever method you select at setup.
Can we use AD based user authentication (yes, assuming users are given access based on AD group membership)?
Yes, PDQ Link functions entirely based off of AD user authentication. Machine-based authentication and authentication for non-AD users are not possible at this time. This authentication is managed through the NPS server role that is installed along with PDQ Link on your server.
Does the client auto update or via PDQ Deploy schedule updates?
PDQ Link does not currently have any ability to update itself automatically. In the future when updates are released, it should be possible to install these with PDQ Deploy as long as machines are able to maintain a connection to the PDQ Deploy server while disconnected from Link for the update installation.
Can we make this VPN transparent to users to ensure that they don't disconnect it? This way, the IT department can ensure that it's always connected to PDQ for patch management.
There is not currently any way to prevent users from disconnecting from PDQ Link. By default users will be automatically connected at login and will not need to have any interaction with PDQ Link to make the connection, but an icon does exist in the system tray which can be used to open the console that includes an option to disconnect. Even if disconnected in this way, your users will be reconnected the next time they log in.
Does it support AD single sign on?
PDQ Link does make use of AD credentials for authentication. The connection is made using the logged in user's credentials when they log into a computer with the PDQ Link client installed, without any manual entry of credentials being necessary.
Will this be part of the PDQ suite (PDQ Deploy + Inventory paid) or is it a separate product that we need to buy? If separate license, how much does it cost?
PDQ Link is a separate product independent from PDQ Deploy and PDQ Inventory. It is currently being offered for free until at least the end of 2020, but we're still evaluating the best way to address licensing and costs beyond the end of the year.
What do you guys think?
I am going to test this in my lab!
-
Those are some good questions.
-
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
-
Great info, thanks for sharing.
-
@Ambarishrh said in PDQ Link:
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
That is what inbound proxy servers are for.
-
AD only. Odd.
-
From the main site, it seems like it is basically a limited, AD-connected VPN.
-
This has piqued my interest as well. Might be a good option for people in their key demographic. I will be attending the webinar on Thursday to learn more.
-
@scottalanmiller said in PDQ Link:
From the main site, it seems like it is basically a limited, AD-connected VPN.
That's what it seems like to me. But I don't see that as a bad thing for primarily Windows shops.
-
PDQ Link is an add-on for the W.F.H. era. It keeps PDQ Inventory and Deploy usable so they do not lose market share.
It being integrated with AD makes perfect sense for their use case, as their product suite is for updating/managing Windows devices.
-
@jaredbusch said in PDQ Link:
@Ambarishrh said in PDQ Link:
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
That is what inbound proxy servers are for.
Digging up an older topic as I am testing this now. Regarding inbound proxy, what would you suggest to be used?
-
@ambarishrh said in PDQ Link:
@jaredbusch said in PDQ Link:
@Ambarishrh said in PDQ Link:
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
That is what inbound proxy servers are for.
digging an older topic as I am testing this now. Regarding inbound proxy, what would you suggest to be used?
First I try to simply do it through Cloudflare, and use a Cloudflare origin cert on the end device.
When I cannot use Cloudflare, I like Nginx for most things. Single purpose, etc.
Certain users here like Caddy. It tries to be "magic". I'm not a fan of that in general.
-
@ambarishrh said in PDQ Link:
@jaredbusch said in PDQ Link:
@Ambarishrh said in PDQ Link:
The only catch I could see is the mandatory port 443 as per their site
The majority of work for Link is done with our installer, but there is one bit that will have to be done by you or your network team. Your external firewall will need to route incoming TCP 443 to your PDQ Link server. 443 is the only port SSTP can utilize. This configuration is mandatory to allow your external clients to connect.
If you already have another service on 443 with a public IP, we need to use an additional IP for PDQ link.
That is what inbound proxy servers are for.
digging an older topic as I am testing this now. Regarding inbound proxy, what would you suggest to be used?
This isn't that simple, you need a proxy that supports TCP streams, unless SSTP behaves just like HTTPS. You'd need to talk to PDQ support to get more details. If you do end up needing TCP streams, I think Nginx, Traefik, and HAProxy all support that, and there's a mod for Apache too, but if I recall it correctly, it was specifically for MSRPC, so Exchange OWA or RDS.
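-
Added example, not part of any post in this thread: a minimal Nginx `stream` configuration of the kind the last two replies point to, sharing one public IP on TCP 443 between the SSTP server and an existing HTTPS site by routing on the TLS SNI name without terminating TLS. The hostnames, backend addresses and log path are placeholders, and it assumes the SSTP client sends SNI and that Nginx was built with the stream and ssl_preread modules.

```nginx
# Top-level block in nginx.conf (a sibling of "http", not inside it).
# No "http" server on this host may also listen on the same address:443.
stream {
    # One line per TCP session, recording the real client IP and the SNI name.
    log_format sni '$remote_addr [$time_local] sni=$ssl_preread_server_name '
                   'upstream=$upstream_addr status=$status '
                   'bytes=$bytes_sent/$bytes_received session=$session_time';
    access_log /var/log/nginx/stream-443.log sni;   # placeholder path

    # Choose a backend from the SNI name in the TLS ClientHello.
    # The handshake is only inspected, never decrypted.
    map $ssl_preread_server_name $backend {
        link.example.com   sstp_link;    # placeholder name for the SSTP endpoint
        default            web_https;    # everything else, including no SNI
    }

    upstream sstp_link {
        server 10.0.0.10:443;            # placeholder: PDQ Link / RAS server
    }

    upstream web_https {
        server 10.0.0.20:443;            # placeholder: existing HTTPS service
    }

    server {
        listen 443;
        ssl_preread on;                  # read the ClientHello before proxying
        proxy_pass $backend;
        proxy_connect_timeout 5s;
        proxy_timeout 1h;                # idle timeout; VPN tunnels are long-lived
    }
}
```

Because the proxy forwards raw TCP, the RAS/NPS server sees the proxy's address as the connection source, so the stream access log is what ties a session to the real client IP.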