Providing remote access for users direct to their PC is as simple as setting a fixed IP address for that PC then opening a firewall port (specifically for that user) and they can logon.
However scaling this solution up does present some challenges the first challenge is that the router will only support a certain number of port redirections and one has to be set up for each PC that needs to be accessed remotely In addition it becomes quite cumbersome to manage the fixed IP addresses for all the PC's and confirm that the right user has the right port number, record all that information and make sure that that information gets passed onto the user.
I've been looking for a better solution for this for some time Microsoft offer a product called remote desktop gateway which is very complicated in cumbersome to manage an I have been looking for a solution which provides the same functionality but is a lot less complex and onerous to manage plus be cost effective.
Today I have evaluated TSX gateway by thinstuff.com I have been aware of these guys for several years but haven't had a specific requirement to use any of their products.
The way that this product works is you install it in one location on your network, on an existing server and then all of the users connect from outside the network to that one [gateway] server, authenticate to that server and then connect to their own PC based only on the PC name. this means that no specific port number and no set of remote desktop icons is required. Also if user needs to use another PC or gets a new one it's just as simple as them using the other PC name that they would like to connect to and so long as I have given them access to that PC they can connect without further requirement for support or interaction with me.
There are another couple of benefits to this product as well:
- A reduction in support costs to manage this scaled out remote desktop solution
- The data is now transferred over the web using HTTPS (Port 443) which should allow users to connect from locations that would normally block traditional remote desktop connections. This is because HTTPS is the same protocol that the normal modern internet web pages use. For example if you are connecting from a library, a coffee shop or McDonald's hotspot you should be able to connect as usual without impediment.
- Closing port numbers 3389, 3391, 3392… etc should also reduce hammering attacks (where someone on the internet constantly tries to connect to your PC using usually random names and passwords) this will offload this task from the PC meaning that each PC no longer needs a product such as https://rdpguard.com (approx. US$50-70 *per PC*) plus install and maintenance costs associated with that. Base in mind that any hammering would now happen at the gateway.
- Additionally, the software allows [requires], for creation of one central SSL security certificate to identify the gateway server end. Once all the PCs are aware of this certificate it is probably not feasible for a hacker to "pose as" your remote desktop PC, intercept your password and store that to allow connection later. Although that would be a very unusual and quite complex thing to do under normal/current circumstances it's a benefit to be able to secure the system with a certificate. This does mean that you require a basic certificate in place for this purpose. You have 2 options for the certificate:
The free included certificate which the gateway software creates itself. This needs to be manually (but easily) installed on each PC that will connect remotely.
Or, alternatively you can purchase a public certificate for about $50 per year which means that any PC on the Internet (for example staff home PCs) can connect to your remote desktop PCs so long as they have the password without any setup requirement.
The software is US $259.00 for unlimited connections and can install on one of your existing servers.
This blog post has been provided for the benefit of digitalwelcomemat IT customers.
Treat this information as informative only and do not take actions or make decisions on the basis of the information contained here. All IT decisions and actions should be made after consultation with your chosen IT professional taking into account all the of the relevant factors.