Remote Access Buyer's Guide

Remote Access Over VPN

With remote access over VPN (a virtual private network), we are starting to get beyond what a typical small business either can afford to deploy or has the technical experience to support. Before I get into the pros and cons of this approach, let me briefly explain what a VPN is.

All networked computers and network devices have an Internet Protocol (IP) address assigned to them. Each network has a unique IP address range, and because each network is separated by and protected with a firewall appliance, users from one network don't have direct access to another.

To create a VPN, you have to have a VPN-capable firewall on one end and a VPN software client, usually based on IPSec (IP Security protocols), on the remote end to bridge these segregated networks. Establishing a VPN connection from your laptop on the beach to your office network in St Louis makes your laptop look like it is part of the office network and not really a thousand miles away. Think of it as stretching your network cable from the office to the beach--it looks as if you are still physically connected to the network, but you are doing it over the Internet.

The VPN connection eliminates the port-forwarding issues we've covered in the free and commercial remote access packages section. Now you can connect to any networked PC from your remote location because the VPN makes your laptop part of the network. This means you can take over any computer on the network instead of being limited to one or two. You can also access printers and other network resources.

Any remote control program will work over an IPSec VPN connection. Remote Desktop, VNC, pcAnywhere, Laplink--they all work the same over the VPN. Because traffic over the VPN is encrypted, this form of remote access is more secure. Not only is your remote PC protected behind a firewall and locked down via user names and strong passwords, but the very connection into the network itself is safe from potentially prying eyes.

The disadvantages of remote control over VPN come in the form of cost and complexity. Not every firewall/router purchased at Best Buy or another electronics store is capable of terminating a VPN connection. Linksys, D-Link, SonicWall, and others make VPN routers, but they cost more than a run-of-the-mill router, sometimes substantially more.

Configuring the VPN connection is also something that most small businesses aren't ready to tackle. Questions such as cipher strength, hash algorithm, and shared secret will stump many small business owners. So additional cost will be incurred by hiring outside help to define and maintain the VPN setup. But the greater cost of initial setup and configuration can be quickly recouped by the overall superior remote access experience provided by the VPN.

SSL VPN

Taking the virtual private network concept a little further is the SSL VPN. This is a form of remote access that uses your Web browser to establish a secure connection to your office without any additional software on your laptop. What it does require is a very specialized appliance on your office network that brokers your connection to the various network resources.

An SSL VPN appliance provides connectivity to network resources by proxying, or relaying, your requests through the appliance and then to the appropriate resource. SSL VPNs allow direct access to Web servers and e-mail, and to Windows- and Web-based applications, and some can also provide direct IPSec-style network-level access to servers and desktops.

In many ways, an SSL VPN is superior to an IPSec VPN because it gives the network administrator a fine level of control over who can access what resource, and that control can be applied to a whole group of users at the same time. Also, because the secure connection is based on SSL (encryption built into every Web browser), you have no software client overhead to maintain. Lastly, the current crop of SSL VPN appliances can all do some form of integrity check on the client to make sure it doesn't pose a security risk to the network. This integrity check can take the form of a scan to make sure that the laptop's antivirus signatures are up to date and that the antivirus program is enabled, that the proper operating system patches are installed, and even that a particular Registry entry (a form of secret key) is present.
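
The integrity check and per-group access control described above can be sketched as follows. This is an added example, not code from any SSL VPN product: the policy fields, patch IDs, Registry path, marker value, group names and sample reports are all constructed for illustration.

```python
import hmac
from datetime import date

# Hypothetical policy; patch IDs, Registry path and marker are placeholders.
REG_KEY = r"HKLM\Software\ExampleCorp\RemoteAccess"
POLICY = {
    "max_signature_age_days": 7,
    "required_patches": {"PATCH-A", "PATCH-B"},
    "registry_marker": "constructed-marker-value",
    "group_resources": {
        "sales": {"webmail", "crm"},
        "it": {"webmail", "crm", "network-tunnel"},
    },
}

def failed_checks(report, today, policy=POLICY):
    """Return the names of the integrity checks this client report fails."""
    failures = []
    if report.get("av_enabled") is not True:
        failures.append("antivirus_disabled")
    sig = report.get("av_signature_date")
    # A missing or future-dated signature is treated as stale (fail closed).
    if sig is None or not 0 <= (today - sig).days <= policy["max_signature_age_days"]:
        failures.append("antivirus_signatures_stale")
    if policy["required_patches"] - set(report.get("patches", ())):
        failures.append("missing_patches")
    marker = report.get("registry", {}).get(REG_KEY, "")
    if not hmac.compare_digest(marker, policy["registry_marker"]):
        failures.append("registry_marker_absent")
    return failures

def allowed_resources(group, report, today, policy=POLICY):
    """Grant a group's resources only when every integrity check passes."""
    if failed_checks(report, today, policy):
        return set()
    return set(policy["group_resources"].get(group, ()))

# Constructed client reports (what the appliance's scan might collect).
TODAY = date(2024, 1, 10)
HEALTHY = {
    "av_enabled": True,
    "av_signature_date": date(2024, 1, 8),
    "patches": ["PATCH-A", "PATCH-B", "PATCH-C"],
    "registry": {REG_KEY: "constructed-marker-value"},
}
STALE = dict(HEALTHY, av_signature_date=date(2023, 12, 1), patches=["PATCH-A"])

if __name__ == "__main__":
    print(allowed_resources("sales", HEALTHY, TODAY))
    print(failed_checks(STALE, TODAY))
```

An empty report fails every check, so a client that returns nothing gets no access rather than default access.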

The big drawback to using an SSL VPN for your small business's secure remote access? Cost. A typical SSL VPN can cost anywhere from a few hundred dollars to well over tens of thousands of dollars. The benefits are huge when compared to the amount and type of access they provide, but it is going to be overkill for all but the deepest of small business pockets.

Server-Based Remote Access

One last form of secure remote access comes built around Microsoft Small Business Server. SBS is a bundle of Microsoft technologies specifically targeted towards offices with fewer than 75 users and includes file and print services, Exchange e-mail and collaboration, and SharePoint Web services. It also comes with Remote Web Workplace, a Web-based portal to the server and PCs on the network. Much like an SSL VPN, you would connect to the SBS server using your Web browser; and once logged in, you can choose to either log into Outlook Web Access (Webified Exchange e-mail) or connect to a client PC--your office computer.

Remote Web Workplace bridges your connection from the beach in through the firewall and over to your office desktop, all without any additional software on your laptop. It does, however, require a little initial setup in the form of open ports in the firewall and the SBS server's SSL certificate installed on your laptop, so it is a lot like a standard Remote Desktop connection in that regard. But when properly set up, it acts more like an SSL VPN because it requires only Internet Explorer on the desktop, and you can then access any PC or server on your network.

The downside to using SBS server is that it has to be the first server on your network--Small Business Server can't be added to an existing Microsoft Active Directory domain. So if you've already invested money and resources into Microsoft servers, SBS probably won't be something you can add. If you don't have a network, or at least not one with Active Directory installed, SBS is a great way to get a lot of very useful technology at a great price.

As you can see, you have a lot of ways to skin the proverbial cat when it comes to remote access. I personally use or have used every form of remote access discussed here, and there isn't a day that I don't use at least one to either work from my home office or provide remote assistance for one of my clients. For me, remote access is an indispensable tool, and one I highly recommend for anyone looking to spend more time with the family or while travelling and still get some work done.

Keith Schultz is a contributing editor for the InfoWorld Test Center. E-mail keith_schultz@infoworld.com.
