Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Saturday, April 22, 2006

Remote Access Techniques for Business - How to Choose

RTA Information Technology - Tempe, Arizona

The Wonderful World of Remote Access keeps expanding. Small businesses now have remote access options that were unthinkable ten years ago. In fact, with Windows Small Business Server 2003, a small office has MUCH better remote capability than many large corporations.

There are four main techniques used for working remotely:
1) Remote Desktop
2) VPN (Virtual Private Network)
3) SBS Remote Web Workplace
4) Terminal Services

Each has its pros and cons. Each has appropriate and inappropriate uses.

1) Remote Desktop
Remote Desktop (Microsoft's Remote Desktop, or the open-source VNC) lets you work directly on your Office PC. Your remote PC is nothing more than a screen with a mouse and keyboard attached: screen updates travel one way, keystrokes and mouse movements the other, and anything you do on the desktop is actually happening on your Office PC. This makes it a surprisingly low-bandwidth solution. You can work remotely over nothing more than a dial-up modem connection.

Remote Desktop is recommended where you are accessing data-intensive applications, such as databases. Since all the processing and data handling happen on your Office PC and only the screen image crosses the link, Remote Desktop is much faster than a VPN for viewing databases or working with large data files.

Remote Desktop is also relatively safe for your Office network. Because your remote PC is used only as a screen and keyboard, there is no network-level connection between your Office network and your remote PC. Worms, for instance, can't travel to your Office and infect the rest of your network. Two caveats: anything you type, including your password, can be captured by malware on the remote PC, so that machine still needs to be reasonably trustworthy; and turning on drive or clipboard sharing (see the notes on drive sharing below) reopens a file-transfer path between the two machines.

Remote Desktop is my recommended access method when you can't be sure that the remote computer is secure and safe from viruses, worms, and other contamination. If employees are logging in from a home computer that others may use, it's by far the safest remote access method.

2) VPN (Virtual Private Network)
A VPN establishes a direct network link between your remote PC and your Office network, so your remote PC behaves as if it were plugged into the Office switch. Because application data, not a screen image, crosses the link, it's bandwidth intensive: working with large files or databases over a slow connection is quite slow. On the other hand, you have direct access to the network, can map drives to shared folders, and operations that move data to your remote PC (file transfers, directory listings) are much faster than with Remote Desktop.

As mentioned earlier, VPNs are a security risk. An infected remote PC becomes, for as long as it is connected, a machine on your Office network, and your other Office PCs are exposed to worm propagation. This risk can be reduced (ISA Server 2004's VPN quarantine can check a client's patch and antivirus state before admitting it, host firewalls on the Office PCs limit what an infected client can reach, and restricting VPN traffic to just the servers and ports remote users actually need narrows the exposure), but it never goes away completely.

VPN Flavors
VPNs come in two flavors: Client-to-Site and Site-to-Site. A Client-to-Site VPN connects a single remote computer to the Office. A Site-to-Site VPN connects one Office network to another, so the individual PCs at either end don't need to create their own VPN connections.

Hardware versus Software VPNs
You can either use a hardware VPN server (like a SonicWall or Netgear VPN box) or a software VPN server (like Windows Server 2003 or SBS 2003, Standard or Premium Edition). There are advocates for both methods.

Personally, I use a lot of SBS 2003 servers (with or without ISA 2004), and I find that the built-in VPN server works fine. There's no need to maintain separate Windows and VPN accounts/passwords, since the VPN uses the same accounts as your Windows Server. Microsoft claims that an ISA 2004 Server can handle hundreds to thousands of simultaneous VPN connections, so, even if they are exaggerating, Microsoft's software VPN should be able to handle most small business offices just fine. Note that some hardware VPNs can also use LDAP to make use of your Windows accounts for authentication.

Alternative VPNs
There are some recent alternative VPN methods. A very recent one is Hamachi (http://hamachi.cc). Hamachi requires a special client to be installed on the remote PC and at the Office. Once installed, the clients register with a third-party public server that helps them find each other and set up the encrypted link between the systems. Hamachi is quick and easy to configure, but be aware that connection setup depends on a server you don't control.

Another interesting VPN method uses web browser technology. SonicWall's SSL-VPN (http://www.sonicwall.com/products/ssl-vpn200.html) uses the web browser on the remote PC to establish an SSL-protected connection to the SonicWall device, which then proxies access to Office resources. It still requires ActiveX or Java on the client PC, as well as SSL, cookies, and JavaScript, so it is not quite "browser only".

3) SBS Remote Web Workplace
Although it looks much like Windows Remote Desktop, and uses the same technology, SBS Remote Web Workplace (RWW) offers nearly foolproof remote access to your entire Office. You log in to the RWW web page over HTTPS, select which PC you want to access, click the mouse, and log in; the SBS server proxies the Remote Desktop session to that PC (through port 4125), so nothing beyond Remote Desktop needs to be enabled on the Office PCs and no port has to be opened to each of them.

4) Terminal Services
This is similar to Windows Remote Desktop; in fact, Remote Desktop is Terminal Services limited to one user. The main difference is that Terminal Services, as run on a Windows Terminal Server in application mode, is intended for ordinary users and can handle many users at once. Remote Desktop on XP is limited to a single session (Remote Assistance lets a second person view, and with permission control, that same session, but there is still only one desktop). Windows Server 2003 allows two administrative Remote Desktop sessions without Terminal Server licensing.

A Terminal Server gives multiple virtual desktops on a single Server. You install Terminal Services on a Windows Server, set up a Terminal Server Licensing server, and install TS client access licenses for your users. As each user logs in, he/she gets a unique desktop and program settings. You install programs, such as MS Office and other applications, in install mode (through Add or Remove Programs, or by running "change user /install" before setup and "change user /execute" afterwards) so that per-user settings are recorded and multiple users can run the programs simultaneously. Note that SBS 2003 itself cannot run Terminal Services in application mode; a Terminal Server must be a second Windows Server 2003 machine joined to the SBS domain.

Terminal Services is a good way to ensure that all users have identical desktops. But it has its own set of Server management challenges. Many antivirus applications, for instance, aren't really designed for Terminal Server use.

Notes About Remote Printing and Drive Sharing
Both Remote Desktop and Remote Web Workplace offer you the chance to print on your remote PC's printer. The only problem is: it usually doesn't work!

The cause is almost always a driver mismatch. Remote Desktop redirects the printer only if a driver with the same name as the remote PC's printer driver is installed on the Office PC; if it can't find IDENTICAL printer drivers on both machines, it'll refuse to print remotely. The solution is to install the DRIVERS for your remote printer on your Office PC.

Drive Sharing between your remote PC and your Office PC is easier. Just click the appropriate checkbox when you open up your Remote Desktop or Remote Web Workplace connection. You'll get a warning about the potential hazards of drive sharing, which you can accept if you trust both PCs. Keep in mind that drive sharing (and clipboard sharing) is exactly the file path that the "video terminal" model of Remote Desktop otherwise lacks: a file from an infected remote PC can be copied to the Office PC, so leave it off for home computers you don't control.

Notes about Terminal Server Remote Printing
Just like Remote Desktop, Terminal Server has known remote printing problems. Solving them is tougher, because you have more users and they may have a wide variety of remote printers installed on their remote PCs. You can't possibly install all those printer drivers on your Terminal Server. Besides, installing 3rd-party printer drivers on a Terminal Server is asking for an unstable Server.

If you only want to support common printers, like HP LaserJet and Inkjet printers, you can set up Terminal Server to map client printers to those common drivers (a driver-substitution INF file that pairs each client driver name with the server driver to use in its place). This works if the remote printers accept the HP drivers.

But if you have Samsung or other printers that don't accept HP drivers, take a look at 3rd-party "universal printer drivers". ScrewDrivers and UniPrint are two well-known products. Licensing is pricey (ScrewDrivers is about $1500 per server and UniPrint around $1000), but these drivers replace the per-printer drivers on the server with a single virtual driver and hand the job to the remote PC's own printer driver, which can make remote printing a breeze.

If you aren't currently taking advantage of remote access, you should give it a whirl!

Monday, April 03, 2006

The "Right Way" to Install SBS 2003


Myron Johnson - RTA Information Technology

SBS is an excellent choice for the vast majority of small businesses. It gives the owner and the employees the tools they need to actually run a small business.

In my opinion, any company with less than fifty employees that is not using SBS 2003 as its main business server should think SERIOUSLY if it's being properly served by its IT staff. There. I said it.

SBS's features:
* Full remote access via computer, laptop, PDA or SmartPhone
* "Get your email and appointments anywhere" Exchange Server
* That wonderful, pre-configured SharePoint site
* Its automated backups and monitoring
make SBS 2003 a no-brainer. If your IT staff or your IT consultant haven't told you about SBS, then they aren't doing their job.

Although I call this the "Right Way" to install Microsoft Windows Small Business Server 2003, there are obviously other ways to do it. And not all of them are "Wrong". But unless you ALREADY have hands-on experience installing and maintaining SBS 2003, please consider these suggestions. This is how I and many other Microsoft Small Business Specialists install SBS. It works, and it's supported by Microsoft.

[Opinion Mode On] First, although SBS 2003 has wizards for setup and installation, there are some "gotchas" that can cause problems. If you aren't an IT professional who specializes in SBS, you should consider hiring an outside SBS Specialist for the initial setup. You'll save lots of time, money, and frustration by doing so. You'll minimize any disruption to your business. And a consultant will show you how to take full advantage of what you've purchased. There are dozens of hidden features that could be valuable to your office that you may miss, otherwise.

If you are intent on doing your own installation, a common recommendation is to do TWO (or more) SBS installs:
1) Do a practice install and make the mistakes that you will surely make. Add a client PC that you don't care about. Doing the Client PC join to the Domain is the hardest part of installing SBS.
2) Wipe the box and do a second, REAL install.

Frankly, having played computer games and having built a couple of home PCs is NOT enough experience to install and manage an Active Directory Domain Controller and Email Server. Yes, SBS 2003 IS simple to install. Yes, it has great Wizards. Yes, it is reliable and trouble-free. But if you start messing with it and don't know what you are doing, you can easily end up with a mess that somebody else is going to have to come in and fix for you.
[Opinion Mode Off]

The "Standard" SBS 2003 Setup:

1) Install the Server in a secured area. One of the points of a Server is to have security, and physical access to the Server is access to all of your Company's data. Leaving your Server in an open area is not a good idea.

2) Use two NICs on the SBS Server. That way, SBS (its built-in basic firewall, or ISA Server 2004 on the Premium Edition) sits between the Internet and all the internal computers. Use a static IP address on the "External (Internet)" NIC and hook it to your Router. Hook the second NIC to your switch, and hook the client computers to the switch. Nothing on the internal network should be reachable from the Router except through the Server.

3) Have the Router forward TCP ports 25 (SMTP email), 80 (HTTP), 443 (HTTPS for Outlook Web Access and Remote Web Workplace), 444 (the HTTPS companyweb SharePoint site), 3389 (Remote Desktop to the Server), and 4125 (the Remote Web Workplace desktop proxy) to the SBS Server's IP address, or, better, only the subset you actually use: port 80 is needed only if you publish a public web site from the Server, and if you connect to the Server through Remote Web Workplace you can leave 3389 closed, which keeps Internet password-guessing attempts off the Server's Remote Desktop listener. Forward TCP 1723 if you want to VPN into your network with PPTP, and be sure to turn on Protocol 47 (GRE) forwarding as well: PPTP carries the tunnelled data in GRE, so a rule for 1723 alone gives you a VPN that authenticates and then never passes traffic. Remember, too, that PPTP's security rests entirely on the strength of the user's password, which is one more reason for the long passphrases recommended below.

4) Be sure to name your Domain with a NON-INTERNET name, like the suggested "XXXX.LOCAL". Naming your domain with the same name as your Internet Domain Name will cause problems (internal clients will resolve your public web and mail host names to the SBS box, and you'll be maintaining split DNS by hand). I recommend using a ".LAN" extension instead of ".LOCAL", to avoid a conflict with Macintosh clients, which reserve ".local" for their own Bonjour/Rendezvous name resolution.

Also, keep your internal Domain name and server name SHORT AND SIMPLE! "AAA.LAN" works great as a Domain name, as does "Server1" for the server name. A simple, non-specific Domain name will avoid a very-expensive Domain name change if your business grows and changes names or merges with another business.

5) After running through the Setup and the "To Do" checklist, you should have a working server, with email, internal Sharepoint site, and full Remote Access.

6) Add User Accounts and Computer Accounts to the SBS Server.

7) Join all your clients (Windows XP Professional and 2000 computers only!) to the Domain using the "ConnectComputer" Wizard. Make sure you understand how to do this properly: the wizard offers to migrate each existing local profile to the user's new Domain profile on that PC, and if you skip that step you will lose users' profiles and have to search for their old data and desktop files.

8) SBS will automatically install Outlook 2003 on each computer and automatically create new Domain Email profiles for each user. You'll have to migrate old emails from their old email program to their new Exchange mailbox (using .PST migration if they already use Outlook).

9) Set up desired Security Groups to easily set up who can access what on the Server.

10) Set up required shared folders (for secure sharing of files) on the Server and set the desired sharing and security permissions, using the Security Groups you've created.

11) Implement and TEST your backup system. Hard drives fail all the time and people make mistakes. SBS makes it REALLY EASY to have reliable, automated backups of your Server and all your Office's important data. Don't ignore this capability. Test by actually restoring a file, not just by reading the backup log, and be sure to make offsite storage of backups part of your backup process.
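Step 3 above is where most exposure mistakes happen: ports get forwarded that no service needs, a stale rule keeps pointing at a machine that no longer exists, or 1723 is forwarded without GRE. The script below is an added example (not part of the original post and not a Microsoft tool) that reviews a router's forwarding table against the services you actually use. The service-to-port table is the one from step 3; the router rules, the enabled services and the server address 192.168.16.2 are constructed sample data.

```python
"""Review router port-forwarding rules against the SBS 2003 services in use.

Added example; the rule list and server address below are constructed
sample data, not taken from any real site."""

# Ports each service needs forwarded to the SBS server at the Internet edge,
# per step 3 above.  GRE is a bare IP protocol (47), so its "port" is None.
SERVICES = {
    "smtp":       {("tcp", 25)},                   # hosting your own e-mail
    "web":        {("tcp", 80)},                   # public web site on the server
    "owa":        {("tcp", 443)},                  # Outlook Web Access
    "rww":        {("tcp", 443), ("tcp", 4125)},   # Remote Web Workplace + RDP proxy
    "companyweb": {("tcp", 444)},                  # SharePoint intranet over HTTPS
    "rdp":        {("tcp", 3389)},                 # Remote Desktop straight to the server
    "pptp":       {("tcp", 1723), ("gre", None)},  # PPTP control channel + GRE data
}


def required_rules(enabled):
    """Union of the (protocol, port) rules the enabled services need."""
    needed = set()
    for name in enabled:
        needed |= SERVICES[name]  # an unknown service name is a configuration error
    return needed


def review(rules, enabled, server_ip):
    """Compare router rules [(proto, port, destination_ip), ...] with the
    services in use.  Returns a dict with:
      missing     - rules the enabled services need but the router lacks
      extra       - forwarded ports no enabled service needs (pure attack surface)
      misdirected - rules that point somewhere other than the SBS server
      advice      - notes on the two classic mistakes from step 3
    """
    needed = required_rules(enabled)
    forwarded = {(proto, port) for proto, port, dest in rules if dest == server_ip}
    misdirected = [rule for rule in rules if rule[2] != server_ip]
    advice = []
    if ("tcp", 1723) in forwarded and ("gre", None) not in forwarded:
        advice.append("PPTP: TCP 1723 is forwarded but GRE (IP protocol 47) is not; "
                      "VPN clients will authenticate and then pass no traffic.")
    if "rww" in enabled and ("tcp", 3389) in forwarded:
        advice.append("TCP 3389 is exposed although Remote Web Workplace already "
                      "proxies Remote Desktop over 443/4125; close 3389 to keep "
                      "password guessing off the server's RDP listener.")
    return {
        "missing": needed - forwarded,
        "extra": forwarded - needed,
        "misdirected": misdirected,
        "advice": advice,
    }


# Constructed sample: every port from step 3 plus PPTP's 1723, no GRE rule,
# and a forgotten FTP rule still pointing at an old workstation.
SAMPLE_SERVER = "192.168.16.2"
SAMPLE_RULES = [
    ("tcp", 25, SAMPLE_SERVER),
    ("tcp", 80, SAMPLE_SERVER),
    ("tcp", 443, SAMPLE_SERVER),
    ("tcp", 444, SAMPLE_SERVER),
    ("tcp", 3389, SAMPLE_SERVER),
    ("tcp", 4125, SAMPLE_SERVER),
    ("tcp", 1723, SAMPLE_SERVER),
    ("tcp", 21, "192.168.16.45"),
]
# This office hosts its own mail, uses OWA, RWW, companyweb and the PPTP VPN,
# but publishes no public web site and connects to the server only via RWW.
SAMPLE_ENABLED = {"smtp", "owa", "rww", "companyweb", "pptp"}


if __name__ == "__main__":
    report = review(SAMPLE_RULES, SAMPLE_ENABLED, SAMPLE_SERVER)
    for key in ("missing", "extra", "misdirected"):
        print(f"{key:12}: {sorted(report[key], key=str)}")
    for note in report["advice"]:
        print("note        :", note)
```

Run it with your own rule list and the services you enabled in the Configure Email and Internet Connection Wizard; anything in "extra" or "misdirected" is a rule to delete, and anything in "missing" explains a service that "doesn't work from outside".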

I STRONGLY recommend that you host your own email. This requires a business-level Internet connection, which doesn't block the required Server ports. Continuing to use the common POP-3 email accounts that many people use is a constant source of complication to email flow. You'll need to register a Domain Name ($10 per year) and set the public DNS settings to point to your new Server.

Each user will now have his/her own mailbox on the Exchange Server, and can read that mailbox from virtually anywhere, using Outlook, OWA, SmartPhone, PDA, etc. This includes personal mailboxes and contacts, as well as shared contacts. To create a shared contact list, you can create it in a Public Folder in Exchange. After giving each User Account access to the Public Folder, they'll all be able to see and modify (if you allow it) the common office contact list.

You can also use Microsoft's Business Contact Manager (Version 2) to create shared contacts. BCM is a free add-in to Outlook 2003. Sending email, both inside and outside of the Office, to each person will be automatically handled by Exchange and Outlook.

There are a couple of books on how to configure SBS. Harry Brelsford's two SBS 2003 books are popular. Microsoft has one, too. There's also a three-day Microsoft course and certification on SBS installation and management.

Security-related recommendations:

1) Install SBS SP1. Install Exchange SP2 and configure the IMF (the Intelligent Message Filter spam filter).

2) Allow SBS to update all XP Professional clients to SP2.

3) Use third-party IP-based spam block lists (DNS block lists, configured through Exchange's connection filtering) so that mail from known spam sources is refused at connection time.

4) Insist on (and enforce through the SBS password policy wizard) LONG passphrases. Passphrases of 15 characters or more have the added benefit that Windows no longer stores the weak LM hash of the password, which is the first thing a password cracker goes after.

5) Insist that everyone use their own account/password for logons; shared accounts destroy the audit trail. Medical practices have HIPAA compliance to worry about. Financial groups have SOX.

6) Perform monthly patching of the Server and all clients.

7) Don't allow Windows 95, 98, or ME clients on your network. They are NOT secure.

8) Install both Server-based and client-based Antivirus products. Get an email-server-aware antivirus for the Server, that will catch viruses BEFORE they enter your email system.

9) Do monthly tests of your backup integrity. Do monthly security and patch scanning of the Server and clients, using MBSA (Microsoft Baseline Security Analyzer).