I’ve been tasked by one of my clients with allowing people to work from home, on their own home PC, but basically remote controlling their work PC. As you can imagine, that could (and eventually will) mean any device with a mouse, keyboard, and screen at home. :slight_smile: The IT team wants to minimize installing anything on the home PC, or knowing anything about it. Troubleshooting home PCs could get out of hand quickly. An “any PC will work if you just go to this website/link” message is the goal.

The work environment does not have virtualized/thin desktops. It is a mix of local PCs, with various installs, and 10% laptop users. Over 100 devices/users.

The original idea, submitted quickly by another consultant/friend of the company, was to simply install the VPN client on home PCs, connect to the router/firewall, and then have users RDP to their own work PC. As you can imagine, I cringed at this idea for a variety of reasons. (If you think this is a good idea, I am open to your opinion though.) It is a cheap quick solution though, sort of. It violates the touching/troubleshooting the home PC requirement right away.

So, based on these constraints I am at a bit of a loss.

Will something like Citrix Workspace Suite work? I’m getting hung up on (the idea of) them getting all the way back to their own PC (which is hopefully not powered off or doing updates/nightly maintenance or whatever.)

My guess is that they need to take the intermediate step of virtualizing their desktops. Then they use that desktop whether they are in the office or at home.

Thoughts on my odd situation?

12 Spice ups

If your firewall has something like an SSL-VPN, which is basically like a website they log into, there is no need to install a client; that’s what I’d try first.

What firewall do you have?

8 Spice ups

Like Neally says, the VPN you have can make this totally trivial or totally insecure :slight_smile:

You could go with RD Gateway too if you already have a Windows Server on-site.

2 Spice ups

That is expressly not allowed where I work. Written policy.

No way to control what is connecting directly to your network. Old windows install lacking updates, pc with no AV protection etc.

5 Spice ups

Something like Screen Connect may be a solution. The users access a website, then have access to their PC, but not full network access. Could be handled similarly with a VPN client, only allow through protocols necessary to make the RDP or other remote connection (recommended for all VPNs).

2 Spice ups

I use Citrix for this. I enabled RDP on the end-users’ machines and put them in the Remote Desktop Users local group. I then published the RDP client and have the users log into their PC that way. The only “install” that needs to be done is the Citrix Receiver on their home PC.

2 Spice ups

Snufykat, yes that was my first thought.

Neally, they have a SonicWall NSA 3600. There is an SSLVPN option. Looks like it is not configured. Assuming they use that VPN, this only makes the connection, right? They’d still need to RDP to their desktop?

Thank you all for all the quick replies so far.

I’m not familiar with Sonicwall but from a quick dig around it may have a web portal where you can publish shortcuts to RDP sessions.

Users connect to the portal over HTTPS but they are not connected directly to your internal network.

This is correct.

I mean, if you want to avoid that, your options are limited; you can look into VDIs or Terminal Services.

2 Spice ups

That’s the SSL-VPN option in the SonicWall. From there you can just put a shortcut to RDP to the workstation, or wherever really.

2 Spice ups

As far as not touching the home computers goes, they should be able to install the NetExtender VPN client and fill in a few credentials and server information. Just have to check how many licenses they have for VPN. They may be licensed for the Global client as well. I actually have a few clients that do this. I strongly recommend to my clients that they supply the PC, but, as they say, you can lead a horse to water.

Sounds like the job then, removed pretty much all risk and can hopefully tie into something like Duo for two-factor.

1 Spice up

This has ugly written all over it. Again, no control over what is connecting to the network. You can say that it needs to meet a list of specifications in order to connect, but how do you enforce it?

RDP with Yubikeys or similar,

SSLVPN

Or you can do the work, and create a script that launches the VPN, and then connects to the RDP session. Have the shortcut on their desktop look like an RDP client icon. Give everyone a USB with the client software on, and the RDP script on it with instructions. Get ready for 100 phone calls.

Uggggh, there is just no good way to do this without spending money.

1 Spice up

Anything past publishing RDP or published apps to an externally available website… I would just say “No” to the client and cite some of the reasons already posted here, security being the forefront.

Past security, the next problem would be snowballing support queues (ie: I can’t print from my home computer, my home internet isn’t working, etc.).

1 Spice up

Letting users remote in via their own devices is never desirable but sometimes you just swallow your pride and give the customer what they want - or walk I suppose…

I would go the VPN/RDP route as well. I wish I had a suggestion for a VPN that didn’t require admin rights to install, or any kind of tweaking at all but it’s been years since I’ve dealt with one. I would just make sure that however they connect you are able to restrict them to just port 3389 so their personal machines don’t have access to the entire network.

Printing will probably be the number one thing you will have to support. It can be super frustrating given the number of printers out there. It’s usually as trivial as installing a matching driver on the server but sometimes even that won’t work.

I do not envy you.

We use RD Web (Remote Desktop Web Access) for our users who work from home on their own machines. No VPN nonsense to deal with and I even got it working for our marketing girl who uses a Mac at home. They can connect to their desktop PC and it works pretty well. The RD Web portal runs on our regular RDP server which sometimes slows down when people don’t log out. Kill a few stale sessions and good as new.

1 Spice up
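Since both the RD Gateway suggestion earlier in the thread and the RD Web setup above end with the user opening an .rdp file, here is an added example (my own, not code from anyone in this thread) of generating those files per user with the settings that matter locked down, plus an audit that flags a file that would bypass the gateway or skip NLA. The gateway name rdgw.example.com and the workstation names are assumptions for the example; the keys are the standard mstsc.exe .rdp file settings.

```python
from __future__ import annotations

GATEWAY = "rdgw.example.com"  # hypothetical RD Gateway name, an assumption for the example

# Settings every issued .rdp file must carry, with the hardened value for each.
# Keys are "<setting name>:<type>" exactly as they appear in an .rdp file.
REQUIRED = {
    "gatewayusagemethod:i": "1",         # 1 = always connect through the gateway, even on the LAN
    "gatewayprofileusagemethod:i": "1",  # 1 = use the explicit gateway settings in this file
    "promptcredentialonce:i": "0",       # do not reuse the gateway credentials for the workstation
    "authentication level:i": "1",       # 1 = refuse to connect if server authentication fails
    "enablecredsspsupport:i": "1",       # require Network Level Authentication (CredSSP)
    "negotiate security layer:i": "1",
    "redirectdrives:i": "0",             # the home PC's disks must not appear inside the work session
    "drivestoredirect:s": "",
    "redirectclipboard:i": "0",
    "redirectcomports:i": "0",
    "redirectsmartcards:i": "0",
    "redirectprinters:i": "1",           # printing is the one redirection people in the thread want
}


def render_rdp(workstation: str, username: str, gateway: str = GATEWAY) -> str:
    """Return the text of a hardened .rdp file for one user's own workstation."""
    lines = [
        f"full address:s:{workstation}",
        f"username:s:{username}",
        f"gatewayhostname:s:{gateway}",
        "prompt for credentials:i:1",
    ]
    lines += [f"{key}:{value}" for key, value in REQUIRED.items()]
    # mstsc writes CRLF line endings; keep the same convention.
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text: str) -> dict[str, str]:
    """Parse .rdp text into {"name:type": value}. The value may itself contain colons."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, typ, value = line.split(":", 2)
        settings[f"{name}:{typ}"] = value
    return settings


def audit_rdp(text: str) -> list[str]:
    """List every way the file falls short of REQUIRED; an empty list means it passes."""
    settings = parse_rdp(text)
    problems: list[str] = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"{key} missing (want {want!r})")
        elif got != want:
            problems.append(f"{key}={got!r} (want {want!r})")
    if not settings.get("gatewayhostname:s"):
        problems.append("gatewayhostname:s missing: file would attempt a direct 3389 connection")
    return problems


# Constructed example of the kind of file a user saves by hand from mstsc: no gateway,
# certificate warnings ignored, NLA off, home drives redirected into the session.
WEAK_RDP = """full address:s:ws-0042
authentication level:i:0
enablecredsspsupport:i:0
redirectdrives:i:1
"""

if __name__ == "__main__":
    good = render_rdp("ws-0042", "CORP\\alice")
    print(good)
    print("hardened file problems:", audit_rdp(good))
    print("hand-made file problems:")
    for problem in audit_rdp(WEAK_RDP):
        print("  -", problem)
```

The audit is the useful half: if the files are published from RD Web or a portal, run it over whatever the portal emits before handing it to users, because a file that omits the gateway settings silently falls back to a direct connection to the workstation.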

I am genuinely curious - do you find that this is just as secure as using a VPN and RDP’ing through that? I assume users authenticate via an HTTPS page against AD. To me this is not much different than a user RDPing straight into their computer via port forwarding - at least as far as a secure connection is concerned. Please correct me if I’m wrong on that.

Normally you would get slammed here on SW for suggesting anything other than a VPN. I am not doing that - just curious what your thoughts are on it.

@danobrien3

I would say it’s almost as secure as a VPN. You are correct in that it authenticates against an HTTPS page and runs under SSL. The benefit of RD Web vs. regular RDP is that you don’t need port 3389 open, just 443. Having 3389 open is a pretty big attack surface in itself. Multiple brute forces on it were actually what led to switching to RD Web.

Really haven’t had any security problems with it. We keep our servers up and SSL up to date. Thank you for the polite inquiry.

1 Spice up

So you can avoid having to install anything on the home PC and avoid messing with it completely, your best bet is to install the Windows Essentials feature on a 2012 R2 server. You will need an external cert and a 443 port setup in your firewall. Also you will need to install some connection software on the internal PCs and set up access. It is close to Remote Web Workplace if you ever messed with that in Small Business Server.

I’m just dialoguing here to get more info on this - what is preventing multiple brute forces on your HTTPS page? I know that with RDP the remote server will throttle the connection attempts after X number of failed logins which to me is a plus.
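On the throttling question raised in the last two posts: what actually limits guessing against an RD Web or RD Gateway page is the domain account lockout policy plus whatever you do with the failed-logon events on that host. Here is an added example (mine, not from anyone in the thread) that runs detection logic over a constructed export of Security-log failed logons (event 4625) and shows the two things a practitioner needs to see side by side: which accounts the lockout policy would actually lock, and which source addresses cross a per-IP threshold under a fast window versus a slow one. The log format, the addresses and the account names are all made up for the example; the lockout model follows the AD settings “Account lockout threshold” and “Reset account lockout counter after”.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, not real data. One record per line:
# "<utc timestamp> <event id> account=<name> src=<client ip>"
# 4625 = failed logon, 4624 = successful logon (ignored by the detections below).
SAMPLE_LOG = """\
2019-03-04T08:00:01Z 4625 account=jsmith src=203.0.113.9
2019-03-04T08:00:03Z 4625 account=jsmith src=203.0.113.9
2019-03-04T08:00:04Z 4625 account=jsmith src=203.0.113.9
2019-03-04T08:00:06Z 4625 account=administrator src=203.0.113.9
2019-03-04T08:00:07Z 4625 account=jsmith src=203.0.113.9
2019-03-04T08:00:09Z 4625 account=jsmith src=203.0.113.9
2019-03-04T08:00:11Z 4625 account=jdoe src=203.0.113.9
2019-03-04T08:00:30Z 4624 account=mlee src=198.51.100.24
2019-03-04T08:05:00Z 4625 account=mlee src=198.51.100.24
2019-03-04T08:40:00Z 4625 account=mlee src=198.51.100.24
2019-03-04T09:15:00Z 4625 account=mlee src=198.51.100.24
2019-03-04T09:50:00Z 4625 account=mlee src=198.51.100.24
"""

FAILED_LOGON = 4625


def parse_log(text: str) -> list[tuple[datetime, int, str, str]]:
    """Parse the export into (timestamp, event_id, account, source_ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, src = line.split()
        events.append((
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            int(eid),
            acct.split("=", 1)[1],
            src.split("=", 1)[1],
        ))
    return sorted(events)


def sliding_window_hits(events, by: str, threshold: int, window: timedelta) -> dict[str, datetime]:
    """Per-IP (by="src") or per-account (by="account") sliding-window detector.
    Returns {key: time the count of failures inside `window` first reached `threshold`}."""
    recent: dict[str, deque] = defaultdict(deque)
    triggered: dict[str, datetime] = {}
    for ts, eid, acct, src in events:
        if eid != FAILED_LOGON:
            continue
        key = acct if by == "account" else src
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in triggered:
            triggered[key] = ts
    return triggered


def ad_lockouts(events, threshold: int = 5, reset_after: timedelta = timedelta(minutes=30)) -> dict[str, datetime]:
    """Model the AD lockout policy: the bad-password counter restarts at 1 when more than
    `reset_after` passes since the previous failure; reaching `threshold` locks the account."""
    count: dict[str, int] = defaultdict(int)
    last: dict[str, datetime] = {}
    locked: dict[str, datetime] = {}
    for ts, eid, acct, _src in events:
        if eid != FAILED_LOGON or acct in locked:
            continue
        if acct in last and ts - last[acct] > reset_after:
            count[acct] = 0
        count[acct] += 1
        last[acct] = ts
        if count[acct] >= threshold:
            locked[acct] = ts
    return locked


def report(text: str = SAMPLE_LOG) -> dict[str, dict[str, datetime]]:
    events = parse_log(text)
    return {
        "locked_accounts": ad_lockouts(events),
        "fast_sources": sliding_window_hits(events, "src", threshold=5, window=timedelta(seconds=60)),
        "slow_sources": sliding_window_hits(events, "src", threshold=4, window=timedelta(hours=2)),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(name, {key: when.isoformat() for key, when in hits.items()})
```

In the sample, the noisy source gets jsmith locked and trips the 60-second per-IP rule, which is the case lockout handles. The second source spaces its guesses 35 minutes apart, so the 30-minute reset keeps mlee’s counter at 1 and the fast rule never fires; only the two-hour window catches it. That is the gap to keep in mind when relying on “it throttles after X failures”: the policy stops the loud attack, and something like the slow window (or an MFA step in front of the page) has to cover the quiet one.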