RAS/VPN or Citrix

tay829

I have a customer that is setting up two new law firms and needs a remote access solution.
1. The server will be running Server 2K3.
2. The sites will be in different cities about an hour apart.
3. Being a law firm the data is highly sensitive and needs to be secure.
4. The software provider recommends "Citrix or something like it."
5. Data will be stored in 1 SQL DB at one of the locations.
6. Opening two offices at once and cost IS an issue.

I am leaning towards RAS VPN, but other recommendations would be greatly appreciated. VNC is not an option for security concerns.

Thank you in advance.
 
I would look into either getting a dedicated connection (T1) between the two sites, which is expensive, or using site-to-site VPN tunneling between the two sites over a regular business class internet connection.

One thing to note, running SQL queries across a WAN is painful and slow. If the servers are all housed in Site A, try not to have Site B run queries to Site A. Instead use a terminal server at Site A and have Site B's users connect via that.

I would probably use a site-to-site VPN/SSL Tunnel and the equivalent of Time Warner business class.
 
Simply get a VPN concentrator, and you're good to go..

Cisco makes some great products in that regards...

ie a Cisco VPN Concentrator, makes your life very easy that way.
 
The concentrator @ $3495 is a little out of the price range ATM. Cisco is releasing a new device within 1 - 2 months though for SMB's < $1000 that has many of the same features that we might look into when that comes, but for now we need a solution by next week.

MorfiusX, thank you for the info. That is what I was recommending as well.
 
If you don't have much of a budget, check out Linux. IPCop will do site-to-site VPN without a problem. I am growing to like Endian more and more as well.
 
We already have the server set aside. I have confirmed with the program provider that TermServ will work.

Aside from setting up the two new locations at once, the app itself is the money hog.

$700 for the 1st license and $400 every license thereafter and we need 5 to start with yearly.

Also required is the aforementioned server and six new workstations.
 
I would highly recommend doing a site to site hardware VPN solution, I prefer GTA products (www.gta.com) especially their GB-2000 series, but the smaller ones will be fine too, last I bought one it was about $3400 for the firewall. You would of course need two.

When spending $2300 on licenses every year, spending another 7000 upfront on two good firewalls capable of doing site to site VPN is reasonable. I don't know how much their smaller firewalls cost, but call them up they have great sales people.

You're already spending 20/30 grand on that setup so do it right, last thing you want to do is cheap out on security as it will bite you in the ass later. No offense to whoever suggested IPCop, but that for a business is a ridiculous solution, you need hardware, quality hardware and hardware that has commercial support.

You could of course do the same with Cisco equipment but not for less $$$ (or much more for that matter) but with firewalls I prefer rather less known companies that have great products but aren't as well known as let's say Cisco PIX
 
zrac said:
No offense to whoever suggested IPCop, but that for a business is a ridiculous solution, you need hardware, quality hardware and hardware that has commercial support.
Not every business can afford Cisco or other hardware solutions. It wasn't a suggestion, it was an option. Also, just because it's open source doesn't mean there is not support. I also mentioned Endian which has complete support. Hardware solutions do not equal god.
 
Citrix would be the way to go, depending on the number of remote access users, Citrix Access Essentials will cost roughly $200-$250 per user and that *includes* the necessary Microsoft Terminal Server CAL.

tay829 said:
Aside from setting up the two new locations at once, the app itself is the money hog.

$700 for the 1st license and $400 every license thereafter and we need 5 to start with yearly.

That's not a money hog, we deployed an app for a dermatology office which the software licenses wound up being around $80,000 for 12 computers plus annual maintenance fees.

My advice to you is if you're going to do this, you had better get it right the first time by putting forth the necessary money to actually get the right components.

Otherwise you're going to have one hell of a headache on your hands.
 
Depending on how many users at the remote location...and without knowing which software they run...I'd probably lean towards a "site to site VPN tunnel"...and run Terminal Server at the "main site"..have the satellite offices pull up a RDC connection through the tunnel.

Pair of Linksys/Cisco RV016 or RV082 units (depending on how large each site is)

Those also support PPTP VPN connections..so staff can securely VPN in from home...and pull up a RDC and do work.

As well as secure remote support from you.

Running Needles?

Some software supports multi-site...and will do data exchanges in between them...so you can run a server at each location..and the databases update through DEXIE import functions at set intervals.
 
I have set up multiple locations for SMBs and I use a DLink DFL-200. All they do is share files and resources across the network. No SQL server running queries or anything, but I think it could be a viable solution if cost is an issue and you don't have the money to spend on Cisco hardware.

The DFL-200 will run L2TP connection between devices.

Good luck to you!
 
Thank you all for the advice.

I have hit a little snag. I found that they are using Server 2K3 SBE. I have never deployed small business server and cannot find any accurate information as to whether or not it supports Terminal Server. I have read a lot of information that seems to say it does not have Terminal Server as a native option. Can anyone please tell me if this is correct?

Site B needs to access application @ Site A.
 
From what I remember, this is correct. It only has terminal services for remote administration.
 
tay829 said:
Thank you all for the advice.

I have hit a little snag. I found that they are using Server 2K3 SBE. I have never deployed small business server and cannot find any accurate information as to whether or not it supports Terminal Server. I have read a lot of information that seems to say it does not have Terminal Server as a native option. Can anyone please tell me if this is correct?

Site B needs to access application @ Site A.

If they are running Small Business Server 2003 then you'll need a separate server for Terminal Services.

As MorfiusX pointed out, SBS 2003 has two concurrent connections for remote administration only.
 
SJConsultant said:
If they are running Small Business Server 2003 then you'll need a separate server for Terminal Services.

Yup..not a show stopper...just slap in a second server.

How many at remote office? What application?
 
MorfiusX said:
Not every business can afford Cisco or other hardware solutions. It wasn't a suggestion, it was an option. Also, just because it's open source doesn't mean there is not support. I also mentioned Endian which has complete support. Hardware solutions do not equal god.

Yes they do equal god if not surpass him (her?) :)

Open source DOES mean no support when your firewall is down and not a bit or byte are going anywhere, no half decent commercial support that is, the commercial support that does exist lacks any reliability IMHO (just my two cents).

And look at how much they are spending, 6 workstations, 2 servers (two offices I am assuming each has one), SQL server + expensive app on top of it ... you're talking easy 20/30 grand if not more just looking at that list. What's another 4-10k for good quality firewalls that will outlive the owner of that place? ESPECIALLY when he mentions security is an important factor. I realize cost is a factor for them, but when you spend that much you can't cheap out on the most important part.
 
We plan to add additional hardware, but at the moment, there is just no room in the budget. I can only work with what I have. We will be looking at the new Cisco VPN Concentrator designed for small business, once it hits the street in about 2 - 3 months (according to Cisco). No offense, it is easy to say just spend the extra money now when it is not your budget, but I am just not in the position to make those calls, I am just putting it all together.
 
tay829 said:
We plan to add additional hardware, but at the moment, there is just no room in the budget. I can only work with what I have. We will be looking at the new Cisco VPN Concentrator designed for small business, once it hits the street in about 2 - 3 months (according to Cisco). No offense, it is easy to say just spend the extra money now when it is not your budget, but I am just not in the position to make those calls, I am just putting it all together.
You're exactly right. I've been in that position many a time and it's not fun, but you work with what you are given.

What the client may not see or doesn't realize is where they are going to spend the money, because they WILL spend it if it's not done right. It's up front cost for equipment vs. man hours to fix a solution that will fail because it wasn't built using the best equip available for the task. Avoid one-off, ad-hoc, and "this will get the job done for now" solutions at all cost, because although the initial investment may not be steep the TCO skyrockets if anything breaks.
EDIT: Although that is nice for job security :p
 
dx2 said:
You're exactly right. I've been in that position many a time and it's not fun, but you work with what you are given.

What the client may not see or doesn't realize is where they are going to spend the money, because they WILL spend it if it's not done right. It's up front cost for equipment vs. man hours to fix a solution that will fail because it wasn't built using the best equip available for the task. Avoid one-off, ad-hoc, and "this will get the job done for now" solutions at all cost, because although the initial investment may not be steep the TCO skyrockets if anything breaks.
EDIT: Although that is nice for job security :p

exactly!

You work with what you're given, but you must put your foot down if what you have been given is not enough to do the job RIGHT, we all have done the "oh well, I'll address that later when it becomes a problem" route, all of us I'm sure at some point in time... but I doubt any of us were glad they did it when it did become a problem :)
 
zrac said:
And look at how much they are spending, 6 workstations, 2 servers (two offices I am assuming each has one), SQL server + expensive app on top of it ... you're talking easy 20/30 grand if not more just looking at that list. What's another 4-10k for good quality firewalls that will outlive the owner of that place?


So far..already has 1x server at the main office. That's also most likely already running SQL (SBS Premium comes with it)...so as best we can tell so far..probably just needs to add 1x Terminal Server at the main office...for the clients at the remote office to run RDC to...through the VPN tunnel.

Add a few client licenses for this yet to be named application..appropriate TS licensing..so far it's not that big a deal...not knowing the number of clients...might even still be hovering 10K-ish overall.
 
I am actually looking at a Linksys VPN router for the server site, since Classes are not going to be an issue, I feel as though this should solve the remoting issue.. I have already tried to convince on higher end equipment, looking at ROI, but there are more background issues with this is a rush and money is tight, than I am able to convey. This project is moving so fast, I barely have time to look up, thank you for the input everyone, keep it coming.
 
If you are using SBS Premium, it has ISA 2004. You could just have the remote users VPN directly to it and not worry about a site-to-site tunnel until the funds are available.
 
To me the obvious best choice here is Citrix. All bandwidth intensive traffic stays local. No secure information is being passed outside of the main site. You can run a lot of users over a single T1. The only downside to Citrix is cost. Depending on your application requirements you can run the remote site 100% off of Citrix and have them use client clients. Works wonders for support and they have no moving parts.
 
tay829 said:
I am actually looking at a Linksys VPN router for the server site, since Classes are not going to be an issue, I feel as though this should solve the remoting issue...

They're pretty darned good..I'd sling an 082 model at both sites...maybe an 016 at the mothership just to feel good with double the RAM.

IMO Citrix for under 50 users is overkill...TS in Windows server is quite decent for most apps....the law office applications that I've worked with are quite basic. (Needles, PCLaw, Timeslips, Sanctions)
 
YeOldeStonecat said:
IMO Citrix for under 50 users is overkill...TS in Windows server is quite decent for most apps....the law office applications that I've worked with are quite basic. (Needles, PCLaw, Timeslips, Sanctions)

Have you looked at Citrix Access Essentials?

It is Citrix geared for 75 users or less, I have it deployed for our own use and so far it is a hell of a lot easier to configure access restrictions as well as providing easier methods to use "Terminal Services" than TS itself.

Its price is around $200-$250 per user and that *includes* the necessary TS CALs as well.
 
SJConsultant said:
Have you looked at Citrix Access Essentials?

It is Citrix geared for 75 users or less, I have it deployed for our own use and so far it is a hell of a lot easier to configure access restrictions as well as providing easier methods to use "Terminal Services" than TS itself.

Its price is around $200-$250 per user and that *includes* the necessary TS CALs as well.


I've seen a few pitches for it at some functions I've gone to...never really looked hard at it. "Easier to use" though..wow..IMO TS has already gotten quite simple on the basic level..guess I could see access restrictions for some places..law firms don't really bother much with that though....enough there to justify about 2x the $?
 
YeOldeStonecat said:
I've seen a few pitches for it at some functions I've gone to...never really looked hard at it. "Easier to use" though..wow..IMO TS has already gotten quite simple on the basic level..guess I could see access restrictions for some places..law firms don't really bother much with that though....enough there to justify about 2x the $?

How about publishing one or two apps via website rather than an entire desktop?

How about publishing apps on a per user basis, ergo CEO gets 3 apps while secretary only sees one or two? yet another user could have an entire desktop published!

How about restricting the app to only run X concurrent instances to keep licensing in check? Or only allow users to run a single instance of any app?

How about two factor authentication?

Granted some of the items are more on the "techy" side, but when the user can simply visit a website login and access their Apps simply by choosing the icon, it can't get any simpler.

It beats SBS and RWW to TS for the mere fact users do not need to authenticate twice.

There are more things it can do, however I am still learning the ins and outs of CAE myself, but I can definitely see where it would cost less in deployment and administrative costs by using CAE vs pure terminal server environment. Not to mention it's a lot easier to use by end users.
 
Citrix definitely has some nice features. You just have to justify the extra cost.
 