Re: VPN versus Terminal Server for remote workers

'first contact' has been established :-)

"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:O8xbDG9LIHA.3916@xxxxxxxxxxxxxxxxxxxxxxx
This is very amusing.....

Canadian sitting back grinning......

--
Claus
"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in message
news:OkqGVz8LIHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
I am, somewhat obtrusively, trying to discuss the software VPN client that
would install, usually on a notebook computer, but also on a desktop where
there were not enough clients to justify a hardware appliance, and allow,
by virtue of a pass phrase and the possession of the software, access to
the VPN tunnels that the base hardware unit sets up.

In the Watchguard family, any ("any" in my experience) of their hardware
will allow a remote system to connect by virtue of installing their
software "mobile user", meaning "one who is not bound to a place where
there is a corresponding hardware appliance, and importing the key
previously setup by the central administrator of the "home unit".

So, am I confused, or are you, or both of us, or ?

If it is this hard for AU folks and Yanks to figure out our language
barriers, what will happen when we finally (if ever) make contact off
planet?

--
Larry

"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:ewRySX8LIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
I think my confusion was in 'mobile software client'. In AU what you guys
call a 'cell phone' we call a 'mobile', with possibly added confusion due
to 'HUH? of course both (hard and soft) can do this.(most times, or
possibly optional from the admin)'. I wasn't sure if we were talking
about Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN
client.

HEY!!! If you guys cal it a 'cell' why isn't it Windows Cell 6?

"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:uTZBTZ7LIHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Hi Super:

Well, I have been trying to say that in my, admittedly limited
experience, the mobile software client that I have used blocks any
access to the internet. It is tunnel to the appliance or nothing. If
you want access to the inet, you have to break the connection to the
appliance VPN, and disable the mobile client.

The same mfg's appliance to appliance VPN is both at the same time.
There may be a way to configure the appliance to be VPN only, and the
software to be/do both, but I admit that I have not looked very hard.
This is the first time I have had a reason to question it.

Sort of like taking for granted that the bus will go from stop A to
stop B to stop C, without considering that it might be quicker and
easier to walk or bicycle from A to C. Very crude, but you get the
drift. When one is presented with a fig, we tend to see it as a fig.
But really, unless tested, how do we know it is a fig?

--
Larry


"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:e3HMIS7LIHA.4808@xxxxxxxxxxxxxxxxxxxxxxx
Larry, I do not understand what you mean by this statement:

However, this does not really help me understand why the hardware
will allow it while the software mobile client will not.

Both hard and soft VPN mechanisms allow split tunneling and though it
may not be a standard option in some VPN client software (I think the
Cisco client's ability can be hidden or disabled by admin) and IME is
common for 'commodity routers' to default to split tunneling, the
option is _normally_ there.

"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:%23SoQvA7LIHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
I have always explained it thusly:

If one gets in a small boat and ventures out into a busy waterway,
all kinds of bad things can happen. Storms, currents, waterfalls,
bigger boats, hi jackers, pirates, and so on.

If one wants to cross the river and gets into a secure tunnel, not
much bad will happen.

What I failed to consider is the consequences of allowing some of
each at the same time, as explained by SG.

However, this does not really help me understand why the hardware
will allow it while the software mobile client will not.

--
Larry


"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:eYCnay2LIHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
SG,

I never thought about it from that angle. I see the likelihood of
this happening as very slim but you are right, in theory that would
be possible.

--
Claus
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:eQGrGc2LIHA.5400@xxxxxxxxxxxxxxxxxxxxxxx
The mechanism of 'split tunneling', ie. not using the VPN as
default gateway, breaks your security whether implemented in
software or hardware.

The logic behind it is that if split tunneling is implemented an
infected PC establishes a connection to your network and the
malware calls home without going through your firewall, 'Hey, the
machine I'm on just linked to their corporate network, FUN TIME'.
An attacker then connects to the malware, again without traversing
and therefore being stopped by your firewall, and has full access
to the corporate network through the remote system.

Split tunneling is _BAD_. _All_ VPN clients should _force_ the
default gateway as the VPN server. Like everyone else I commonly
break this rule.

It's funny really. The less high up in the corporate ladder the
easier it is to explain to the user 'I'm sorry, but when you are
connected to HQ we do not want you being able to go direct to the
internet, it's a security thing.', and the more likely they will
accept it. As you move up the ladder you are more likely to hit a
user 'stuff you, my time is important!!! and if I don't split the
tunnel my internet is slow.'. Of course, the higher up the ladder
the more important that security principles are followed and the
more damaging the consequences should they not be.

Get it in writing:
By default and intention 'split tunneling' of VPN connections is
not allowed. I have been asked to allow users to use split
tunnelling and therefore am not responsible if an attack comes
through this vector. The purpose and consequences of these actions
have been explained to Joe Bloggs on this day dd/mm/yyyy who below
acknowledges this by signature.

"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:uAXZvZwLIHA.820@xxxxxxxxxxxxxxxxxxxxxxx
Claus:

That looks good. I've never understood why some of the others, un
named here, do not allow one to use both the tunnel and the
default gw at the "same" time. I will message "un named here",
(whose initials are WG) to see if they have revised this since I
last visited this issue.

Strangely, with hw to hw, it is not a problem. But with sw to hw,
using their mobile client, you get one or the other, in my
admittedly limited experience.

Thanks for your help.

--
Larry

"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OAgJ7UwLIHA.2024@xxxxxxxxxxxxxxxxxxxxxxx
3060 supports about 100 simultaneous connections. Only traffic to
the subnet goes through the VPN. The rest goes out to your
default GW.

--
Claus
"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote
in message news:e1hgiLwLIHA.4684@xxxxxxxxxxxxxxxxxxxxxxx
What about the simultaneous use of the tunnel and the default
gateway?

--
Larry

"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OyTSsDwLIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
Larry,

We are using SonicWall 3060 at several locations. They have
something called GlobalVPN client. It works very well. Once the
software is installed, you can email the key file to the user
to give them access. They import the file and select "enable".
It is very easy for the user.

--
Claus
"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote
in message news:OkYaV$tLIHA.2432@xxxxxxxxxxxxxxxxxxxxxxx
Hi Kevin:

Hoping you can help here. With the "solid" hardware that
supports VPN that I have used, you have to have either a
corresponding piece of that same flavor hw at both ends, or a
mobile user software client from that mfg, say Watchguard or
NetGear.

If all the remote users are in one, or even two places, the
hardware to hardware route seems perfect. But if there are 15
single users at 15 distinct locations, this has proved
impractical for our folks. The mobile software that I have
used and tried is a pita to configure and maintain, and when
it is active you can only use the tunnel, not your browser
independently.

Please tell me there is a better way and that I have missed
it.

--
Larry


"Kevin Weilbacher" <kw@xxxxxxxxxxxxxxxxxxx> wrote in message
news:E8F65A78-3F6D-453A-8AA3-D7F10D5B8ADF@xxxxxxxxxxxxxxxx
for 10-15 users, if you wanted to go VPN, then I would say
look for a solid hardware box that supports VPN.

as far as using Term Server, the question really is: does the
app that they will be using work in a term server
environment? the advantage of Term Server is that the remote
users are connecting to a separate server, and not directly
to the SBS server.

--
Kevin Weilbacher [SBS MVP]
"The days pass by so quickly now, the nights are seldom long"
*

"Orlando Bob" <OrlandoBob@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:3907BC27-BE28-40E7-8E54-91C1061AA639@xxxxxxxxxxxxxxxx
What are the pros and cons of using VPN versus Terminal
Server to support
10-15 remote workers? The primary application is a .NET
Windows Forms
application that seems to run fairly well over a VPN
connection. I am
inclined to use VPN unless there are compelling reasons to
set up a Terminal
Server.





























.

Relevant Pages

  • Re: VPN versus Terminal Server for remote workers
    ... the mobile client. ... The same mfg's appliance to appliance VPN is both at the same time. ... Both hard and soft VPN mechanisms allow split tunneling and though it may ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN versus Terminal Server for remote workers
    ... I think my confusion was in 'mobile software client'. ... VPN client, Windows Mobile VPN client, or a 3rd party VPN client. ... Both hard and soft VPN mechanisms allow split tunneling and though it may ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN versus Terminal Server for remote workers
    ... the VPN tunnels that the base hardware unit sets up. ... call a 'cell phone' we call a 'mobile', ... Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN client. ... Both hard and soft VPN mechanisms allow split tunneling and though it ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN versus Terminal Server for remote workers
    ... call a 'cell phone' we call a 'mobile', ... Windows VPN client, Windows Mobile VPN client, or a 3rd party VPN client. ... It is tunnel to the appliance or nothing. ...
    (microsoft.public.windows.server.sbs)
  • Re: DD-WRT VPN
    ... Anyone want to suggest some other solutions for the VPN that wont require ... OpenVPN has to encrypt and decrypt the tunnel at both ends. ... setup a fast computah at each end of the simulation to a LAN ...
    (alt.internet.wireless)