Terminal Server vs VPN

Bambi

So currently our company is set up on a server, but we want to be able to hit the server remotely. I have read a few pros and cons from different sites, but I figured Hard users would have better first-hand experience. Could you please explain to me the differences, pros and cons of each?
 
It largely comes down to the applications you want to run. You may well find that a combination of the two works best. Some applications purely aren't written to work efficiently across a network and as such are acceptable over local area networks, but perform shockingly over typical internet-type connectivity, which is a fraction of the speed. Can you give us some examples of what you actually want to be able to do remotely?
 
Well first, you are comparing apples and oranges. Terminal server means remote desktop, VPN means connecting to a network from a remote location.

If remote, VPN has to happen before you can see a server share, or use terminal services, for that matter.

Do users want to RDP into the server itself, or to their workstations? If they don't remote into the server now, then they shouldn't ever do it. If they do remote into the server, then that's your call, assuming you are the admin. It's not something I recommend, though.

If they want to access shares, that's easy. Just VPN into the network and hit the shares manually.

If it's an application server, then we are talking about different rules. The performance will most likely be limited by either their home upload, or the upload of the business site.
 
You should probably use both... tossing a TS server out on the web for "remote access" is just a gaping security risk. Set yourself up some form of VPN, and once connected, have users connect to a TS server, rather than map drives over VPN. It's a much, much better user experience.
 
Yeah... TS is fine... the only vuln I know about is a man-in-the-middle attack that was only done in a lab environment... not practically able to be recreated in the real world.

Strong administrator password, good passwords for user accounts...have it deny further connection attempts for a period of time after 3x failed ones...and you're quite good to go.
 
Yeah... TS is fine... the only vuln I know about is a man-in-the-middle attack that was only done in a lab environment... not practically able to be recreated in the real world.

Strong administrator password, good passwords for user accounts...have it deny further connection attempts for a period of time after 3x failed ones...and you're quite good to go.

Pretty much. Maybe rename the administrator account to something else.
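Checking whether the lockout policy just described is actually doing its job, as an added Python example that is not part of the thread: it reads a constructed Security-log export from the terminal server, keeps only failed RDP logons (event 529, logon type 10), and flags any source address that produced three failures inside a ten-minute window, along with which accounts it tried and whether it came from outside the LAN. The log format, field names and addresses are assumptions made up for the example; a real export from Event Viewer would need its own parser.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a Security-log export from a Windows Server 2003
# terminal server, flattened to one event per line. Event 529 is a failed
# logon, 528 a successful one; logon type 10 is RemoteInteractive (RDP).
# Addresses are from documentation ranges; none of this is real data.
SAMPLE_LOG = """\
2009-02-11 22:14:03|529|User Name: administrator|Domain: CORP|Logon Type: 10|Source Network Address: 203.0.113.7
2009-02-11 22:14:05|529|User Name: administrator|Domain: CORP|Logon Type: 10|Source Network Address: 203.0.113.7
2009-02-11 22:14:08|529|User Name: admin|Domain: CORP|Logon Type: 10|Source Network Address: 203.0.113.7
2009-02-11 22:14:11|529|User Name: guest|Domain: CORP|Logon Type: 10|Source Network Address: 203.0.113.7
2009-02-11 22:20:40|529|User Name: biller1|Domain: CORP|Logon Type: 10|Source Network Address: 192.168.0.23
2009-02-11 22:21:02|528|User Name: biller1|Domain: CORP|Logon Type: 10|Source Network Address: 192.168.0.23
2009-02-11 22:30:00|529|User Name: boss|Domain: CORP|Logon Type: 2|Source Network Address: 127.0.0.1
2009-02-11 23:05:00|529|User Name: administrator|Domain: CORP|Logon Type: 10|Source Network Address: 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<event>\d+)\|"
    r"User Name: (?P<user>[^|]+)\|Domain: (?P<domain>[^|]+)\|"
    r"Logon Type: (?P<ltype>\d+)\|Source Network Address: (?P<ip>[\d.]+)$"
)

# Explicit RFC 1918 check: ipaddress.is_private would also treat the
# documentation ranges used in the sample as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one flattened event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": int(m["event"]),
        "user": m["user"].lower(),
        "logon_type": int(m["ltype"]),
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag source addresses with >= threshold failed RDP logons in any window.

    The threshold mirrors the lockout policy recommended in the thread (deny
    after 3 failures). Only event 529 with logon type 10 counts, so console
    and file-share failures do not pollute the RDP picture.
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == 529 and ev["logon_type"] == 10:
            failures[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        hit_at = None
        for i, ev in enumerate(evs):
            # failures from this address in the window ending at this event
            recent = [e for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window]
            if len(recent) >= threshold:
                hit_at = ev["ts"]
                break
        if hit_at is None:
            continue
        flagged[ip] = {
            "failures": len(evs),
            "usernames": sorted({e["user"] for e in evs}),
            "threshold_hit_at": hit_at,
            "external": not is_rfc1918(ip),
        }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        where = "external" if info["external"] else "internal"
        print(f"{ip} ({where}): {info['failures']} failures, threshold hit at "
              f"{info['threshold_hit_at']:%H:%M:%S}, accounts tried: {', '.join(info['usernames'])}")
```

If an address keeps appearing here well past the third failure, the lockout policy is not being applied to the accounts it is hammering; the list of usernames is also a quick way to see whether the attacker is guessing "administrator" or walking through your real user accounts.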
 
Haha...

I wouldn't trust an RDP port open to the web on a production server, especially on the default port 3389. That's just begging for something. I don't know exactly what, but SOMETHING. Then again, I don't trust a single MS service to be open to the web.
 
If you are going to be running some special application over the WAN then I would recommend TS. If you just need to share some files or whatever then VPN will do but it will be extremely slow. If your users are not tech savvy you could setup an SSL based WebVPN so users can access files or email or whatever through a web page.
 
TS has a massive cost implication; for forty users I paid close to $4500.
 
I don't buy the "exceeding cost of TS." The licenses are fairly cheap, and remember... you're only paying for concurrent connections if you go with Per User licensing.

I'm a devout follower of the Citrix faith, though. If remote access is your goal, yeah... VPN would suffice, but I wouldn't recommend anything less than SSL VPN. The reason I'm always so high on Citrix is because you have the SSL VPN option as well as application delivery if you use Secure Gateway or Access Gateway. Again, licensing is per concurrent connection, so the costs are there, but they're not overly exorbitant.
 
TS has a massive cost implication; for forty users I paid close to $4500.

I wouldn't call that massive. CALs are about $30 per user. I bet when you compare that to company revenue or cost savings from productivity gains, the number doesn't look so large.
 
Sorry for taking a while to respond. What I want users to be able to do, mainly the medical biller, boss and a few other users, is to hit our Medisoft database from outside and our main database from outside as well. The problem I have come across with VPN is getting everyone the software and explaining it to them.

When setting up a terminal service, I am currently running Windows Server 2003 R2; would I need to buy a TS license and then the CALs? Money is no issue as it will be set up for about 5 people and if we need growth, I can still add to it.
 
Medisoft/database/and at least 5x users...you're without question going to want a terminal server, this isn't something I'd want to attempt to get remote users trying to run from their own computers at home across the thin straw of a VPN connection.

Bottom line for the bean counter over there...if management wants remote users to access this software....they will have to spend the cabbage for a terminal server.
 
Yeah, the money was not going to be the issue as we long established here at the company that we would need them and they would be beneficial in the long run to us.

Now to go into researching vendors and licenses.
 
Pretty much. Maybe rename the administrator account to something else.

I usually rename it to guest, and guest to administrator on domains. Always entertains me watching people try to hack the "administrator" password over FTP or another service.
 
Sorry for taking a while to respond. What I want users to be able to do, mainly the medical biller, boss and a few other users, is to hit our Medisoft database from outside and our main database from outside as well. The problem I have come across with VPN is getting everyone the software and explaining it to them.

When setting up a terminal service, I am currently running Windows Server 2003 R2; would I need to buy a TS license and then the CALs? Money is no issue as it will be set up for about 5 people and if we need growth, I can still add to it.

Yes, you need a Server 03/08 license for the box, TS CALs for the users, and server CALs for the users, with both the Windows CALs and TS CALs being either device or user CALs.

Yes you can start with 5 users and add cals as needed.

It should be noted that you generally don't want to put the TS server on a domain controller. The correct way is to have it on its own box. That being said, in smaller setups you can get away with running terminal server on a domain controller to save the need for a second server.
 
Thank you all for the help. By the looks of it, my research was correct with almost everything said here. Now the only question is, where do I find a vendor for the TS CALs? Dell does not sell them, so I have elsewhere to look for them.
 
Trying to find a vendor is still hard :( Thanks for the links though.
 
I wouldn't call that massive. CALs are about $30 per user. I bet when you compare that to company revenue or cost savings from productivity gains, the number doesn't look so large.

Be aware that any programs you have installed on the TS server will need to have an individual license for each concurrent user/active login to be completely kosher. If 5 people are connected by TS and MS Office is installed on that server, then you will need 5 office licenses for that particular server. This is in addition to any office licenses on the workstations that these same users access.

There is no way for Microsoft to monitor that, and realistically there are no ways to insert 5 different serial numbers on the same copy of office, however, if you get audited by the software police, this is something that they look at.
 

Replied :)

Be aware that any programs you have installed on the TS server will need to have an individual license for each concurrent user/active login to be completely kosher. If 5 people are connected by TS and MS Office is installed on that server, then you will need 5 office licenses for that particular server. This is in addition to any office licenses on the workstations that these same users access.

There is no way for Microsoft to monitor that, and realistically there are no ways to insert 5 different serial numbers on the same copy of office, however, if you get audited by the software police, this is something that they look at.

Really? Wow. I'm loving this networking gig but there is always something new I learn every day. The system is up and running, and let's say I have 5 systems at the office. That's 5 Office licenses on those, then I would need 5 more Office licenses on top of those. Now I see where MS makes money.
 
There is no way for Microsoft to monitor that, and realistically there are no ways to insert 5 different serial numbers on the same copy of office, however, if you get audited by the software police, this is something that they look at.

Which is why products like Office will not run in a TS environment unless it is a volume license copy.
 
Dell sells them. I bought 6 back in January from them. Your sales rep lied to you.
 
Ok so this project was on hold for a while but now I'm back working on it again. I have it running locally but I'm having trouble connecting externally. The setup is currently like this:

DSL Modem -> Netgear Router -> Server

I'm guessing the problem is between the modem and router. On the router I do have port 3389 open. Under NAT from the modem, do I forward the public IP to the server which is connected to the router and then to the server, or public IP to router to server? :( I'm stuck on this point. First time setting one up.
 
Ok so this project was on hold for a while but now I'm back working on it again. I have it running locally but I'm having trouble connecting externally. The setup is currently like this:

DSL Modem -> Netgear Router -> Server

I'm guessing the problem is between the modem and router. On the router I do have port 3389 open. Under NAT from the modem, do I forward the public IP to the server which is connected to the router and then to the server, or public IP to router to server? :( I'm stuck on this point. First time setting one up.

You should have some ports already open in the router like 53 for dns. You pretty much set it up like they have already been. In the router under nat you want to forward 3389 to the internal ip address of the server.

Personally I would change the RDP port to something else, but you can leave it at 3389 for all it matters.
 
Personally I would change the RDP port to something else, but you can leave it at 3389 for all it matters.

I have always seen this as security through obscurity. It will stop script kiddies, but it won't even come close to slowing down some one who knows what they are doing. A simple port scan is all it takes to get started.
 
I have always seen this as security through obscurity. It will stop script kiddies, but it won't even come close to slowing down some one who knows what they are doing. A simple port scan is all it takes to get started.

This is true but it does add a small layer of protection. Having strong passwords and lockout policies is still important. I also like renaming the administrator account.
 
This is true but it does add a small layer of protection. Having strong passwords and lockout policies is still important. I also like renaming the administrator account.

Agreed on the strong passwords and lockout policy. Also, depending on the infrastructure, you can use certificates to encrypt the traffic which will be even more secure than the built-in RDP encryption.

Renaming the Administrator account is security through obscurity as well. Most security breaches don't come from cracked administrator accounts. Far more come from compromised user accounts with more privileges than they need to get the job done. Not that renaming the account is a bad thing, I just think it is more important to make sure user security is established properly.
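A way to see what the listener behind the forwarded port actually offers once it is reachable from outside, as an added Python example that is not from the thread: it builds the X.224 Connection Request a client sends to port 3389, with an RDP negotiation request asking for TLS or CredSSP (NLA), and decodes the server's Connection Confirm. A server that answers without any negotiation response will only run the older standard RDP security, the mode that does not authenticate the server with a certificate and is what the certificate advice in the post above is meant to replace. The byte layouts follow MS-RDPBCGR; the host name, cookie and sample reply bytes are constructed for the example, not captured from any real server.

```python
import socket
import struct

# Protocol flags from the RDP negotiation request/response (MS-RDPBCGR).
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security", no TLS
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication

PROTOCOL_NAMES = {PROTOCOL_RDP: "standard RDP security",
                  PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "CredSSP/NLA"}

# RDP_NEG_FAILURE codes a server may return instead of a selected protocol.
FAILURE_CODES = {0x01: "SSL_REQUIRED_BY_SERVER", 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
                 0x03: "SSL_CERT_NOT_ON_SERVER", 0x04: "INCONSISTENT_FLAGS",
                 0x05: "HYBRID_REQUIRED_BY_SERVER",
                 0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID, cookie=b"probe"):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (type 0x01)."""
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested)
    cookie_line = b"Cookie: mstshash=" + cookie + b"\r\n"
    # X.224 CR TPDU: type 0xE0, DST-REF, SRC-REF, class 0; the length
    # indicator (LI) counts everything after itself.
    tpdu = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie_line + neg_req
    tpdu = bytes([len(tpdu)]) + tpdu
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into
    {"negotiated": bool, "selected": int|None, "failure": str|None}."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(data)))
    li, tpdu_type = data[4], data[5]
    if tpdu_type != 0xD0:
        raise ValueError("expected X.224 Connection Confirm, got 0x%02x" % tpdu_type)
    body = data[11:5 + li]  # whatever follows the fixed 6-byte CC header
    if not body:
        # No RDP_NEG_RSP at all: the server never negotiated, so the
        # session proceeds with standard RDP security.
        return {"negotiated": False, "selected": PROTOCOL_RDP, "failure": None}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", body[:8])
    if nlen != 8:
        raise ValueError("bad RDP_NEG length %d" % nlen)
    if ntype == 0x02:  # RDP_NEG_RSP
        return {"negotiated": True, "selected": value, "failure": None}
    if ntype == 0x03:  # RDP_NEG_FAILURE
        return {"negotiated": True, "selected": None,
                "failure": FAILURE_CODES.get(value, "0x%08x" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def describe(result):
    """One-line verdict in the terms used in the thread."""
    if result["failure"]:
        return "server refused negotiation: " + result["failure"]
    name = PROTOCOL_NAMES.get(result["selected"], hex(result["selected"]))
    if result["selected"] == PROTOCOL_RDP:
        return "listener will fall back to %s; no certificate-based TLS in use" % name
    return "listener selected %s" % name


def probe(host, port=3389, timeout=5):
    """Live check: send the request through the forwarded port, decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(4)
        (total,) = struct.unpack(">H", data[2:4])
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return parse_connection_confirm(data)


# Constructed replies (assumed, not captured from a real server) for offline use.
SAMPLE_REPLIES = {
    "legacy": bytes.fromhex("0300000b06d00000000000"),              # bare CC, no RDP_NEG_RSP
    "nla": bytes.fromhex("030000130ed000001234000200080002000000"),  # RDP_NEG_RSP: CredSSP
    "refused": bytes.fromhex("030000130ed000001234000300080005000000"),  # HYBRID_REQUIRED
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, "->", describe(parse_connection_confirm(reply)))
```

Run `probe("your.public.ip")` from a machine outside the office: a timeout means the forward chain (modem, then Netgear, then server) is still broken somewhere; a "legacy" verdict means the port is reachable but the server is not using the certificate-based transport, so changing the port number has only hidden the listener, not hardened it.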
 
You should have some ports already open in the router like 53 for dns. You pretty much set it up like they have already been. In the router under nat you want to forward 3389 to the internal ip address of the server.

Personally I would change the RDP port to something else, but you can leave it at 3389 for all it matters.

I'm still stuck.

So from the modem I forward it to my router? Then my router will forward it to my server?
 
Ok so this project was on hold for a while but now I'm back working on it again. I have it running locally but I'm having trouble connecting externally. The setup is currently like this:

DSL Modem -> Netgear Router -> Server

I'm guessing the problem is between the modem and router. On the router I do have port 3389 open. Under NAT from the modem, do I forward the public IP to the server which is connected to the router and then to the server, or public IP to router to server? :( I'm stuck on this point. First time setting one up.

You are going to want to forward the external IP to the server, not the router. The router "knows" where your internal IP is, and if it's a decent router, and your ISP has given you several IPs, will have an option to set the external IP you want to use with that server.
 
Yeah.

Heres is my hardware

INTERNET > Modem (Netopia 3346N-002) > Router (Netgear FVG318) > Server (192.168.0.5)
 
IIRC, some of the Netopia devices act as a router/firewall. What is the public IP of the Netgear?
 
Ok yeah, you are running a router behind a router. You need to forward 3389 from your modem/router to the Netgear (which needs a static IP). Then from the Netgear you need to forward 3389 to the server.

I would get with your ISP and see if you can bridge your modem so it acts only as a modem. Then all you have to do is worry about the netgear router.
 
Your Netopia is acting as a firewall/router, therefore you are double NATing. What type of internet connection do you have? Is the Netopia acting as a cable/DSL modem?
 
Your Netopia is acting as a firewall/router, therefore you are double NATing. What type of internet connection do you have? Is the Netopia acting as a cable/DSL modem?

It's an SBC business DSL modem.
 
As mentioned above, give SBC/AT&T support a call and see if they can set the modem up as a bridge.
 