The challenges (and solutions) of remote access

For many IT solutions, you see a naturally occurring need/response timeline – where an IT need emerges, and sometime later, a number of solutions come to market to address that need.  As our workforce needs shift towards more mobile or remote users – be it for social or economic reasons – we’re in the fortunate position that the solutions out there haven’t lagged behind as much as some others, and are fairly mature and robust.  This is good for firms, good for users, and (yay) good for IT staff.

Let’s start with the basics.  You have a bunch of resources in the office, but the person that needs them is at home/on the road/in Zimbabwe.  What do you do?  Assuming we’re dealing with groups of individuals, not small offices, the options can be broken down cleanly.

Option One: VPN.

Grandpapa.  The old stand-by.  VPN is tried and true technology; in a nutshell, it allows the remote worker to create a connection to your internal network, over the internet, without fear of anyone “overhearing” the communication due to encryption.  This can be accomplished through a number of methods; the most common is a simple piece of software installed on the end user’s PC that establishes a tunnel into your firm’s firewall.  If you have a home worker, you can have their firewall create a site-to-site VPN, which would allow all their devices to access the firm’s resources without software.  Lastly, you can use something called SSL VPN, which establishes a VPN through a web browser connection.

During the connection, you can authenticate users using their normal network logins, through a secondary login database, or use two-factor authentication, where they have a normal login, but also have a secondary device or token for validation.

VPN is a very popular solution for a number of reasons; it is cheap, and easy, and requires little maintenance.  But it has a couple of significant limitations.

The first issue with VPN is that the speed of the connection is the lowest common denominator between the firm’s internet connection and the home user’s internet connection.  Even under optimal conditions, that speed will be nothing like what is experienced on a decent LAN.  If the user is in a low-bandwidth situation, or at extreme distance, just browsing through the server files can be painful.  Simple document editing can be possible, but working with large files, or Revit databases, can be impossible.

The second issue with VPN is that when the user connects, they have done the equivalent of bringing in their home PC and plugging it into the network.  You may have great faith in your user’s ability to keep their PC fully updated with the latest antivirus/anti-malware, etc., but when a home PC is shared with friends and family… we all know what happens.

Unfortunately, for the bandwidth issue, there’s little you can do (although Riverbed does make a Mobile appliance for VPN users).  For situations that call for large file access, you may have to look at Remote Desktop (coming up) rather than VPN.  For the security issue, you have a couple of options.  First, if home users are given a company-owned desktop or laptop, you can control it much more easily than a home PC, including forcing AV updates, scheduled scans, etc.  Secondly, there is a technology called NAC (Network Access Control) that the major vendors support.  This solution attaches to your internal network as an appliance or software, and when any computer connects to your network (physically, through wifi, or VPN) – the system can ensure that it has the latest patches and antivirus installed before allowing it access to internal resources.
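To make the NAC idea concrete, here is a small admission check of the kind described above. It is an added example, not code from any NAC product or from the original post; the `Posture` fields, the thresholds and the sample hosts are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds (not from the article); tune to your patch cycle.
MAX_PATCH_AGE_DAYS = 35
MAX_AV_SIG_AGE_DAYS = 3

@dataclass
class Posture:
    """What a hypothetical NAC agent reports when an endpoint connects."""
    host: str
    via: str                        # "wired", "wifi" or "vpn"
    av_running: Optional[bool]      # None means the agent did not report it
    av_signatures: Optional[date]
    last_patched: Optional[date]

def _check_age(label, when, limit, today, reasons):
    """Record a reason if a date is missing, in the future, or too old."""
    if when is None:
        reasons.append(f"{label} date not reported")
    elif when > today:
        reasons.append(f"{label} date is in the future")
    elif (today - when).days > limit:
        reasons.append(f"{label} {(today - when).days} days old")

def evaluate(p: Posture, today: date):
    """Return ("allow" | "quarantine", reasons); missing data fails closed."""
    reasons = []
    if p.via not in ("wired", "wifi", "vpn"):
        reasons.append(f"unknown connection method {p.via!r}")
    if p.av_running is not True:
        reasons.append("antivirus not running or not reported")
    _check_age("antivirus signatures", p.av_signatures, MAX_AV_SIG_AGE_DAYS, today, reasons)
    _check_age("last patch", p.last_patched, MAX_PATCH_AGE_DAYS, today, reasons)
    return ("quarantine" if reasons else "allow", reasons)

# Constructed sample reports; host names and dates are illustrative only.
TODAY = date(2024, 6, 15)
SAMPLES = [
    Posture("corp-laptop-01", "vpn", True, date(2024, 6, 14), date(2024, 6, 1)),
    Posture("home-pc-joe", "vpn", True, date(2024, 3, 2), date(2024, 1, 20)),
    Posture("unknown-tablet", "wifi", None, None, None),
]

if __name__ == "__main__":
    for s in SAMPLES:
        decision, why = evaluate(s, TODAY)
        print(f"{s.host:16} {s.via:5} {decision:10} {'; '.join(why)}")
```

The managed laptop is admitted, the stale home PC is quarantined with both reasons listed, and the device that reports nothing is quarantined rather than waved through.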

Option Two: Remote Desktop

Again, as IT professionals, we’re lucky that this technology is just as mature and robust as VPN is.  Like VPN, Remote Desktop can come in several different permutations or flavors, but the underlying foundation is the same.  A user connects to a PC that is physically in your environment, and “remote controls” that PC.  The user can be using their home PC, their Mac, their iPad, their smartphone – whatever – because all that they’re doing is getting constantly updated screenshots of the remote PC sent to their device, and sending back keyboard and mouse inputs.

Remote desktop is great for a number of reasons; first, it works well even in low-bandwidth situations, usually requiring less than 56Kbps.  Second, the remote processing means you can run the beefiest programs in the world on the office PC, and it will appear just fine on the home user’s 10-year-old PC (or iPad) – and the home user doesn’t need any work software installed locally.  Lastly, the remote desktop connection means that the user’s computer is not a node on your internal network – minimizing the risk of viruses or other security issues.

There are a number of Remote Desktop solutions – I’ll try to list the top three.

Option A: One-to-one.  In this scenario, there is a dedicated PC for the user to remote into.  Joe, working from home, remotes into his work PC.  This can be accomplished using RDP (Microsoft’s Remote Desktop Protocol) – which is built into Windows.  This is simple and free, but it requires Joe to either VPN in, or for you to allow RDP connections to his PC through your firewall.  The second option is to use an internet middleman, like http://www.logmein.com or http://www.gotomypc.com.  Both of these services install a small piece of software on Joe’s work PC, which can then be controlled by logging into a website.

Option B: Many-to-one.  It can be hard to have dedicated PCs sitting around waiting for a remote user to log in.  Among others, Microsoft and Citrix offer solutions where many remote users can log into the same PC (server).  Obviously, this can require more resources, and the additional software and licenses can be costly.  But in the long run, allowing 10 users to use the same PC to run MS Office will be much cheaper than buying 10 dedicated PCs.  Microsoft’s solution is called Remote Desktop Services (formerly Terminal Services), which extends RDP for many-to-one usage.  Citrix has two solutions – XenDesktop if you want to give someone the flexibility of their own desktop, or XenApp – if you just want them to access specific applications.  Interestingly, both Citrix solutions require that you purchase the Microsoft Remote Desktop licenses, as Citrix “runs on top of” Remote Desktop Services.

Conclusion

As you know, as an IT pro, it is really about fitting the solution to the need.  Do you have users that need to run Revit from a distance?  Remote Desktop.  An exec who needs to get to Excel files anytime, day or night? VPN.  An intranet with a time-sheet application that you want to give easy access to?  SSL VPN.  A consultant needs to run AutoCAD using your project files?  Logmein.com.

Having worked with these technologies for almost 20 years now, Flying Buttress has a familiarity with what works and what doesn’t in the AEC space.  Please feel free to ask any questions here or contact us at mike@fbremote.com if you’re interested in implementing a remote access solution.

Products/technologies mentioned:

Riverbed Steelhead Mobile

Cisco NAC 

Symantec NAC

Two-factor Authentication example

logmein.com

gotomypc.com

Microsoft Remote Desktop Services

Citrix XenDesktop

Citrix XenApp