Enabling Remote Access for 50+ Users (help!)

DocGreen

So... Coronavirus, quarantines, etc. You know the story.

I'm at a company with around 50-75 employees. We need to find a way to enable everyone to work from home, and have it in place as quickly as possible, and ideally without having to convince the tightwad CEO to spend a bunch of money for something he thinks will be over soon.

Corporate network is an Active Directory network with 1x DC/DNS/DHCP, 1x Exchange server, 2x SQL servers, 1x Web and 1x Citrix server. They've used Citrix in the past to allow people to work from home, but it only gives access to one application and I don't think it will support everyone connecting remotely (not enough licenses maybe? I don't know anything about Citrix.)

Our gateway is provided by and I'm pretty sure managed by our ISP (because the guy in charge of IT isn't actually an IT guy and doesn't know what he's doing.)

The ideal situation would get users access to the corporate network and let them RDP into their work computers so they can access all of their locally-stored files and email archives. My thinking was, set up a VPN server, but I've never set up more than a simple router-based VPN... I've got a reclaimed HP Proliant (~2GHz dual-core, 5GB RAM) at my desk that I could use, but would it be able to handle that many connections?

What do you folks recommend? Anyone else dealing with similar situations?
 
A quick "down and dirty...low budget...but gets it done"....get a proper UTM firewall at the edge (any business network should have one).
One that supports being a VPN server. Create a VPN profile for each user, create an RDP file for each user, distribute those two things for each user with a hand holding guide to install and use.

Users install that, VPN to the firewall (which connects their home PC to the corp LAN)...and then RDP to their workstations.
Workstations have to have "allow remote desktop" enabled...and for this, any type (the less secure..but they're not exposed to the public so less worry)

Variables you have....
* How to set up each workstation and RDP client for each user. Could be IP address via DHCP reservation. Or...depending on the firewall you use and its VPN capabilities...can do host name...even leave it dynamic since some VPN services allow internal DNS to be leveraged.
* Different types of VPN, such as IPSec/L2TP, which requires more manual setup of each client (can still build hand holding guides with pictures). Or...such as with some firewalls...OpenVPN..can build a Windows installer for each specific end user.

You'd want to convert the ISP provided gateway to bridged or public static IP passthrough and setup the WAN port of your firewall for this. Some allow options of utilizing a second public IP address and not necessarily being the gateway for the corp LAN..but, I prefer a UTM being the gateway anyways.

Untangle has a free version....and OpenVPN is included in the free version.

Another option...more complex to setup, and has much more costs, install a TSGateway to proxy clients RDPs to their desktops.
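One way to script the "create an RDP file for each user" step from the post above, as an added Python example that is not from this thread or any poster; the domain name, the user-to-workstation mapping and the file naming are constructed assumptions:

```python
import ipaddress
from typing import Dict

# Constructed sample user -> workstation mapping (not from the thread): static/DHCP-reserved
# LAN addresses or internal host names, reachable only once the VPN is up.
USER_WORKSTATIONS = {
    "jsmith": "10.20.30.41",
    "mjones": "10.20.30.42",
    "dispatch1": "ws-dispatch1.corp.local",  # host name: relies on the VPN pushing internal DNS
}

def is_internal_target(host: str) -> bool:
    """True for a private IP or a host name, False for a public IP literal: the boxes are
    reached over the VPN on the LAN only, so a public address is a typo that misdirects users."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # not an IP literal, treat as an internal host name

def make_rdp_profile(domain: str, user: str, host: str) -> str:
    """Text of a per-user .rdp file ('key:type:value' lines as read by mstsc.exe), hardened over
    the 'any type' workstation default: require NLA, refuse to connect if server authentication
    fails, never store the password, and keep the unmanaged home PC's drives/clipboard out."""
    if not is_internal_target(host):
        raise ValueError(f"{host!r} is not a private address; refusing to build profile")
    settings = [
        f"full address:s:{host}",
        f"username:s:{domain}\\{user}",
        "prompt for credentials:i:1",   # user types the domain password each time
        "enablecredsspsupport:i:1",     # Network Level Authentication
        "authentication level:i:1",     # do not connect if server auth fails
        "redirectdrives:i:0",
        "drivestoredirect:s:",
        "redirectclipboard:i:0",
        "session bpp:i:16",             # with compression, keeps a session lean on a small uplink
        "compression:i:1",
    ]
    return "\r\n".join(settings) + "\r\n"

def build_profiles(domain: str, mapping: Dict[str, str]) -> Dict[str, str]:
    """Return {file name: .rdp text} for every user, enforcing one workstation per user."""
    owner: Dict[str, str] = {}
    profiles: Dict[str, str] = {}
    for user, host in mapping.items():
        if host in owner:  # two users on one box would keep kicking each other off
            raise ValueError(f"{host} is assigned to both {owner[host]} and {user}")
        owner[host] = user
        profiles[f"{user}-workstation.rdp"] = make_rdp_profile(domain, user, host)
    return profiles
```

Write each value of `build_profiles(...)` to its file name and hand it out with the matching VPN profile; the RDP session itself still depends on the workstation side allowing NLA connections.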
 
What @YeOldeStonecat said. And if they balk at the cost, just show them what 50 seats of GoToMyPC or LogMeIn costs. @phaZed is also spot on. If they are going from 0 remote users to 50, they are going to put way more stress on their internet connection than before, no matter how you set it up.
 
Thanks for the responses, guys.

How big is the ISP pipe?
...If they are going from 0 remote users to 50, they are going to put way more stress on their internet connection than before, no matter how you set it up.

This was one of my concerns as well. I don't know what we're paying for, because Old Man River is keeping a tight grip on everything I don't already have access to... but Speedtest puts us at 30 down, 20 up.

(everything that Stonecat said)

All of the corporate workstations already have static IPs and RDP enabled, so that part is good to go. (I also have access to all the workstations via Comodo RMM).
As far as setting users up, I would probably be doing most of that for them via Remote Support. Most of my coworkers are computer illiterate and are only capable of doing their jobs when everything works exactly perfect.

So is a windows-based VPN server out of the question?
Any recommendations on a gateway that can handle 50+ VPN connections?
What about a standalone VPN appliance?

Like I said, the CEO is a complete tightwad and the guy running the IT department is convinced that this is all for nothing and will be over in a week or two, so convincing the company to spend money on a solution is going to be downright impossible. :(
 
I stopped doing Windows based VPN back at the end of the NT 4.0 server days when we used to hang a 2nd NIC in there and fire up RRAS. For security purposes....I stopped doing it. And this was in the end of the dial up days, early broadband days. No way I'd support that now...I'd be wanting to nuke 'n pave the server every day! I don't want a Microsoft authentication service hanging out in the public. So..while it's not out of the question....no way would I want to support that!


You mention you have a reclaimed Proliant server...can slap some new disks in there and be good to go..just a small pair in RAID 1 all that's needed. What generation? Assuming you meant 6 gigs. I'd want to see at least 8 gigs of RAM..but..6 prolly do OK. If I were to build one now I'd pick an Intel appliance, 1U, i5, 16 gigs, 256 SSD...

You can do a stand alone VPN, but...just trying to keep it simple. Used to install some Juniper "SA" SSL VPN appliances not too many years ago..they're rebranded now as PulseOS or something. But pricey!

I'd love to think it'll all be over in a week or so...but I have a hunch we won't see the "peak" of this for about another 2 months..and then it'll start declining. Tis why IMO going for a good UTM to take over the gateway duties would be good...as it's a business network...should have a UTM, not just some plain NAT router. And..heck, Untangle has a "free" version with OpenVPN. Could get this done for under 1000 bucks with a nice new appliance like I mentioned...or could get it done for FREE by repurposing that HP. But I'd really strive for the new appliance...dunno how solid that old HP is.
 
Through all this all so far I don't see anyone mention Chrome RDP. It's ubiquitous and works well. Not sure it is applicable to 50 seats here but is the silence due to the fact that no one can make reoccurring profits from it after initial install? It's simple to install. Runs securely under https. What am I missing?
 
I stopped doing Windows based VPN back at the end of the NT 4.0 server days when we used to hang a 2nd NIC in there and fire up RRAS. For security purposes....I stopped doing it. And this was in the end of the dial up days, early broadband days. No way I'd support that now...I'd be wanting to nuke 'n pave the server every day! I don't want a Microsoft authentication service hanging out in the public. So..while it's not out of the question....no way would I want to support that!


You mention you have a reclaimed Proliant server...can slap some new disks in there and be good to go..just a small pair in RAID 1 all that's needed. What generation? Assuming you meant 6 gigs. I'd want to see at least 8 gigs of RAM..but..6 prolly do OK. If I were to build one now I'd pick an Intel appliance, 1U, i5, 16 gigs, 256 SSD...

You can do a stand alone VPN, but...just trying to keep it simple. Used to install some Juniper "SA" SSL VPN appliances not too many years ago..they're rebranded now as PulseOS or something. But pricey!

I'd love to think it'll all be over in a week or so...but I have a hunch we won't see the "peak" of this for about another 2 months..and then it'll start declining. Tis why IMO going for a good UTM to take over the gateway duties would be good...as it's a business network...should have a UTM, not just some plain NAT router. And..heck, Untangle has a "free" version with OpenVPN. Could get this done for under 1000 bucks with a nice new appliance like I mentioned...or could get it done for FREE by repurposing that HP. But I'd really strive for the new appliance...dunno how solid that old HP is.

Read you loud and clear RE: the Windows VPN. Thanks for the explanation.

The old HP is old... It's a ProLiant M350 that I've been using to experiment with ESXi.
1x Xeon 5130 dual-core 2GHz
5GB RAM (yes, 5... it's all I could find in the pile of salvaged parts)
2x 160GB HDD (RAID 1, I believe)

Through all this all so far I don't see anyone mention Chrome RDP. It's ubiquitous and works well. Not sure it is applicable to 50 seats here but is the silence due to the fact that no one can make reoccurring profits from it after initial install? It's simple to install. Runs securely under https. What am I missing?

The simplest solution is often the best solution. I thought of and immediately dismissed Teamviewer/GoToMyPc, etc. as far too expensive, but I completely forgot about Chrome Remote Desktop. Since this is a corporate environment and in-house IT, there are no recurring profits, etc. The only issue would be if Chrome RD is only free for personal use like Teamviewer... With ~50 users remoting into the same location, it would get flagged as business use pretty quickly, if that's the case.
 
Thing about freebies like chrome remote desktop....
*Now you have company resources accessible via credentials from end users personal/residential accounts. How secure are they all? MFA on all? Complex passwords? End users training in (and willing) to keep their personal google accounts secure (assuming they all have one!). How much are you willing to "lose control" of your remote access services to your corporate network..with something you "do not control".
 
Speedtest puts us at 30 down, 20 up

Ouch.

Like I said, the CEO is a complete tightwad and the guy running the IT department is convinced that this is all for nothing and will be over in a week or two, so convincing the company to spend money on a solution is going to be downright impossible.

Given both of these things, I think you are left without options. Sorry about that.
 
Your bottleneck is usually the outbound. So you've got 20, so 20/50 gives you a theoretical 0.4 Mbit connection. In reality it'll probably be half that.

I always pitch a VPN connection to all of my customers for emergency stuff. The good thing is I always setup a VPN on USG/ERL's. So I just have to deal with adding accounts.

I did use Hamachi for one customer when I had an undocumented feature trying to connect over VPN to their onsite POS. You can use a free account for up to 5 users. But this is just a point to point. So you'll need Hamachi on each destination. The performance is adequate but their documentation leaves a lot to be desired. Supposedly you can do more complicated things but all I got to work properly was a mesh setup.
 
If you're losing that much bandwidth over wifi, it's time to get better wifi!

A decent RDP connection is going to consume half a megabit, it's actually less but I don't like using less than that. 2 users per mbit, so 20 mbit would be a 40 user connection, if it was doing nothing else.

P.S. I'm voting for the run away and never return choice on this project.
 
Hey guys, just wanted to pop back in with an update. First of all, thank you all for the advice and suggestions. Based on the cost, simplicity, and the urgency of the situation, I've decided to go with the Chrome Remote Desktop (CRD) solution suggested by @Diggs .

I've spent the past 2 days helping each user set up the connection on their work computers using their pre-existing Google accounts and making sure everyone is using 2FA, and training them on how to connect to their computers and use the remote session. Obviously this is just a stopgap solution to address the immediate need considering, as @YeOldeStonecat pointed out, that this is surrendering access control to the users. My hope is that as the seriousness of the situation sets in I'll be able to convince the owners that we need to implement a proper permanent solution.

It's been a madhouse at the office today. We learned, as I was just getting back to the Dispatch dept. that one of the dispatchers potentially has COVID-19. She has all the symptoms and hadn't told anyone because she was afraid of being sent home unable to work. She was sent by her doctor for a test, but the people doing the testing refused to test her because she hadn't traveled outside the country. I'm ******... at the doctors for refusing her test; at the employee for hiding her symptoms; and at our company's administration for not taking this threat seriously, and for ignoring my repeated insistence that we needed a remote access solution WEEKS ago.

I've convinced a handful of department heads that we need to start doing "practice runs" with the CRD starting tomorrow. The plan is to take turns working from home for a day (1 person from each department) so that, first of all, we can work through the bugs and not have 50-some users calling me at the same time for help, but also so users can ease into the whole idea and learn how to be productive without being in the office. I'm worried that it's too late for practice, though... our Mayor has already restricted non-essential travel starting today. It's only a matter of time before we're shut down entirely.

I really appreciate all of your help. Stay safe... wash your hands.
 
I know this is an older thread but with many places still in lockdown I just wanted to add to this post for anyone else looking for another solution.
Microsoft Teams allows you to use remote access (perfect for people needing to work from home and access their work computer).
Yes, Microsoft Teams free works and also Microsoft Teams exploration licenses (full version of Microsoft Teams).

For several clients, this was a great option as it allowed them the video conferencing options they required (300-10,000 people in one meeting). Added an easier way to work with company departments and added the remote support all in one application.
 
We love Teams...and we've migrated many clients over recent years to "the cloud"...getting them off of "on-prem servers".
It's a great way to maintain collaboration and file sharing in an organized manner...to replace those old fashioned file servers. And then with OneDrive....you can replace those folder redirections you did on workstations to servers so users docs/desktop files are backed up.

And Teams does SOOOO much more than just "messaging" and "zooming"..and "files". You have additional apps you can load into Teams, such as Planner, and OneNote, and Forms, and Stream. And soon they're releasing a greatly improved calendar feature...to utilize the calendar that's built into the 365 Group mailbox that the Team sits on top of.
 