My company built a custom solution for another company. The solution consists of a PC that will be on their network. Our company still needs access to this machine for support, processing, and continued development. So we are looking into solutions to communicate.

I believe that RDP will be simpler, and more secure than VPN. But I could be wrong so correct me if you will. The thought process that guides this is simple. RDP will allow me to connect to the remote machine via a port forwarded to 3389 on the machine. I won't be able to access their network if they set the PC up correctly and they won't be able to access mine. I would still be able to transfer data back and forth and make any changes to the system software that would be needed.

On the other hand, VPN comes with many more hoops to jump through it seems. Not only will they need to be concerned about blocking us from the rest of their network, but we in turn would need to ensure that the remote PC can't access any of our internal resources. And I don’t know why, but having a computer set up in another company’s location with a VPN into our network doesn’t sit very well with me. Additionally, RDP would still need to be used.

So I ask… what do you think is best practice for communicating with a single machine on another company’s network?

Bonus spice: Something tells me the other company is pushing for VPN, how can I prevent them from accessing my resources? If they host? If I host?

7 Spice ups

We utilize a locally hosted app called ScreenConnect, which sort of acts like LogMeInRescue, only you can remotely manage (console / command line) any machine you install the agent on, inside or outside the network. In this case, all the machine would need would be an internet connection. The app pushes back to the relay in your network, creating a secure tunnel.

Just open the dashboard in a browser, select the device, and click join. Now you are controlling your computer - no firewalls to configure in their network, no VPN, no RDP.

Just a thought.

@ConnectWise

4 Spice ups

I won’t let vendors expose a PC via RDP through my firewall. I prefer to manage a VPN so that I can see when they are in and from where they’re connecting. Because I manage other VPNs, it’s just one more.

We had a PC open on RDP and watched it get about 6,000 attempted logins per day.

4 Spice ups
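To put the "6,000 attempted logins per day" observation into something you can measure before deciding whether to expose a PC, here is an added example (not from anyone in this thread). It counts Windows Security event 4625 failures with logon type 10 (RemoteInteractive, i.e. RDP) per source address over a sliding window and lists the accounts each noisy source tried; the log lines are constructed and the simplified field layout is an assumption.

```python
"""Flag RDP brute-force bursts from Windows Security log exports.

Event 4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed layout): timestamp, event id, logon type, account, source IP
SAMPLE_LOG = """\
2024-05-01T02:00:01 4625 10 Administrator 203.0.113.7
2024-05-01T02:00:02 4625 10 Administrator 203.0.113.7
2024-05-01T02:00:03 4625 10 admin 203.0.113.7
2024-05-01T02:00:04 4625 10 Administrator 203.0.113.7
2024-05-01T02:00:05 4625 10 sa 203.0.113.7
2024-05-01T02:00:06 4625 10 Administrator 203.0.113.7
2024-05-01T02:05:00 4625 10 jsmith 10.8.0.5
2024-05-01T02:06:00 4624 10 jsmith 10.8.0.5
2024-05-01T03:30:00 4625 3 svc 198.51.100.9
"""


def parse(text):
    """Turn the export into (timestamp, event_id, logon_type, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, src))
    return events


def failed_rdp_by_source(events, window=timedelta(minutes=5), threshold=5):
    """Return {source: peak failures} for sources with >= threshold RDP failures in any window."""
    per_src = defaultdict(list)
    for ts, eid, ltype, _acct, src in events:
        if eid == 4625 and ltype == 10:          # only failed RDP logons count
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def accounts_targeted(events, src):
    """Sorted set of account names a source failed to log on as over RDP."""
    return sorted({a for _, eid, lt, a, s in events if s == src and eid == 4625 and lt == 10})
```

A legitimate user who mistypes a password once (10.8.0.5 above) stays below the threshold, while the guessing source is flagged together with the generic account names it tried.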

LogMeIn sounds like it would do nicely.

2 Spice ups

How are you preventing unauthorized access to internal resources?

Thanks for the heads up on the 6,000 attempts. That's a bit scary. Do you think changing the port would change the attempts on the machine?

Not in the budget. Must use existing resources only.

If you have the ability and resources for a VPN I would use it, as it is more secure. Hackers and script kiddies love looking for port 3389 open so they can run their brute force against a terminal services auth as administrator, as administrator does not lock after too many failed attempts. I am sure you would not like your box to become part of some botnet etc. Just my .02

1 Spice up

I do have the resources for a VPN, it's just my first rodeo connecting to another company. My primary concern is keeping their company off my internal resources.

You shouldn’t have to set up a VPN. They should have one for you to connect to and then RDP into that one computer. Their resources should all be protected from whatever account they set up for you through domain permissions and accounts.

3 Spice ups

Excellent, I was hoping for this. If this is what we decide to do, I should only have to be concerned with whatever client computer is going to be connecting to their VPN, correct? I.E. they won't be able to access any other resources on my network.

Then definitely go VPN and configure rules for the VPN and you are set to go.

1 Spice up

I too would suggest a VPN connection; they are far more secure than having a machine open to the world. If you don’t trust them all that much I would suggest having the VPN set up so that just the IP addresses of machines that you will use to maintain the remote machine are listed in the VPN.

Here we have a VPN to another entity that only has access to one server’s IP address and on their end only 2 servers. That way, the only machines that can talk to each other are the ones at those IP addresses. We do it for HIPAA reasons but the idea is the same, and the tunnel is only open for a short time after it is used, otherwise the connection is closed.

1 Spice up

I’d go both. Set up VPN and then via the VPN RDP into your computer. Change the default port so no one from the network is going to ‘accidentally’ remote into your machine. (Yet it’s not that hard to find the new port, you know, who is seeking shall find…)

2 Spice ups

You could use Remote Utilities - they have a 10 remote PC license for free. They started offering that when LogMeIn unexpectedly dumped their free product.

2 Spice ups

VPN and RDP are entirely separate and complementary things. Port forwarding from the public Internet to a PC on your private network is dangerous and asking for trouble. You can set up a VPN tunnel with the firewall on the client side restricting access to 3389 on the address of the target PC. Another solution is SSL VPN on the client DMZ, which can also enable them to telecommute.

1 Spice up

You can take a look on Lepide remote admin tool ( Lepide - Software Not Available ) that is available free and would be another better approach in your situation.

2 Spice ups

TeamViewer sounds like it would work; you would install the full version on your machine and the host version on the other. You will be able to connect to it but it cannot connect to you, and you can transfer data back and forth as needed.

We have users use RDP and redirect the standard port to another and map that port to the specific IP address in our firewall, just so our standard RDP port doesn’t get hammered with the 6,000+ attempts like Robert was talking about.

Larry, thanks for the Remote Utilities suggestion. While not being used for the topic in this thread, very useful. Spicy! 1 question though, the 10 node license for free … I'm assuming that is for business use?

Any particular thing about it that makes it not appropriate for your situation?

I’ve been very happy with it and use it almost daily.