David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

March 6th, 2007 at 12:27 am

Traditional VPNs: Not Just All-or-Nothing Access

Most people assume that traditional VPN technologies such as PPTP, L2TP, and IPSec open the network to a full, unfiltered connection from the remote computer. That is especially bad when a home computer, with unknown anti-virus and anti-spyware status, is connected to a work network. In general this is true. However, a Microsoft ISA 2004 firewall (ISA 2006 likely supports this as well, from everything I’ve read about it, I just haven’t tested it myself), which can terminate PPTP and L2TP VPN connections, places VPN users on a separate network that is controlled by the standard ISA firewall rules. You can set up user groups within ISA and grant each group specific network permissions, with the same granularity as firewall rules for any other network segment, including the Internet.

This means users can connect with the standard Microsoft VPN clients, but they can only do what you allow via firewall rules. A network administrator could be given full network access if needed, while users who connect to Terminal Services could be allowed only Remote Desktop (TCP port 3389), and only to the terminal server, based on their user name.
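As an added illustration that is not from the original post, here is the per-user VPN policy just described, modelled as an ordered rule list with first-match semantics and a default deny. ISA 2004 is configured through its console rather than code, so the group names, addresses and rule objects below are constructed assumptions for the model, not ISA's API.

```python
# Added example: a model of per-user firewall rules for a VPN client network
# (ordered rules, first match wins, default deny). Not ISA's object model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing: VPN clients are a separate network and
# only reach the LAN through rules that match them.
LAN = ip_network("192.168.1.0/24")
TERMINAL_SERVER = ip_address("192.168.1.10")
RDP = ("tcp", 3389)

# Constructed group membership, standing in for the user groups set up in ISA.
GROUPS = {
    "Network Admins": {"dave"},
    "Terminal Services Users": {"alice", "bob"},
}

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    groups: set                          # user groups the rule applies to
    protocols: Optional[set] = None      # None means any protocol/port
    destinations: Optional[set] = None   # None means any host on the LAN

    def matches(self, user, proto, port, dst):
        if not any(user in GROUPS.get(g, set()) for g in self.groups):
            return False
        if self.protocols is not None and (proto, port) not in self.protocols:
            return False
        if self.destinations is not None and dst not in self.destinations:
            return False
        return dst in LAN   # VPN clients only ever get rules into the LAN here

# Rule order matters: a broad admin rule first, then the narrow RDP-only rule.
POLICY = [
    Rule("Admins: full access", "allow", {"Network Admins"}),
    Rule("TS users: RDP to terminal server only", "allow",
         {"Terminal Services Users"}, {RDP}, {TERMINAL_SERVER}),
]

def decide(user, proto, port, dst):
    """Return (action, rule name) for a VPN client's request."""
    dst = ip_address(dst)
    for rule in POLICY:
        if rule.matches(user, proto, port, dst):
            return rule.action, rule.name
    return "deny", "default deny (no rule matched)"
```

The interesting cases are the near misses: a Terminal Services user reaching the terminal server on a port other than 3389, or reaching a different host on 3389, falls through to the default deny.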

This is great! [sarcasm]It’s so great that we’ve started using LogMeIn services for some of our remote access.[/sarcasm] Why? Well, configuring both the VPN connectoid (even with the CMAK) and Remote Desktop, not to mention actually using them, can be a bit of a chore for some users, especially if they’re setting it up at home where it’s harder to walk them through it. LogMeIn, on the other hand, has an excellent web-based interface, very compatible remote control, and some easy options like remote printing and file transfer that are harder to set up with plain-vanilla VPN. LogMeIn has a free version, without file transfer or remote printing, which is excellent for providing basic remote support to people like family (I should know, that’s how I use it!), or for connecting to your home computer remotely (yep, I do that, too). The Pro version is normally almost $13/month per remotely-controlled PC, which is a bit pricey. They have a special going on right now, however (unknown end date), where you get 5 computers for $20/month (or more at the same price, if needed), which makes it much more attractive, and I’ve switched our two heaviest non-Terminal Services users over (it wouldn’t work for Terminal Services because of the multiple sessions issue), plus myself.

They also offer a service called LogMeIn IT Reach, for the same price (and the same special price) as LogMeIn Pro, but it is targeted at IT users managing servers remotely. The web interface to logs, shares, users, performance stats, and more is excellent! In some cases it is better than the built-in Windows tools, in my opinion. And the price, at the moment, is excellent and worth every penny if you need more than the basic features. Just a happy customer.