Looking for solutions to allow remote users access to their internal psychical computers
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
OK, maybe semantics but I wouldn't say you log into VPN. More like connect.
Most VPNs use a login. It's the same mechanism as the RPD login. You can say connect as well, but only in the sense that connect is another way to say login. You "connect" to RPD as well, in the same sense.
You connect with RDP but the login you enter is for the computer - the only place you actually log into. IMHO.
Even for IT people, we use connect and log in interchangeably. In all cases it's just a term for "using credentials to gain access to a resource."
To an end user (or to me) logging into a computer, a VPN, a website, etc. are all the same thing.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
I'm not entirely sure how you solve that?
I suppose an SSO could, The machine itself is a trusted device, you log into the machine - launch VPN (and the creds are unlocked because you logged into the computer so the VPN just connects upon launching) then you launch RDP which then connects automatically to the pre setup device... but you're still launching two things. Of course you could have the system do those automatically upon logging into the machine I suppose.
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
the user experience is clunky
This is what I'm more interested in. Why is it clunky? (Besides the 1 extra login for VPN...)
I'm on VPN & RDP basically everyday. I think it's pretty smooth.
I think going through a login process twice is the clunky bit. I do this all the time with customers and it's definitely clunky. Not a big deal, and I know why I do it, but it IS clunky.
I'm not entirely sure how you solve that?
I suppose an SSO could, The machine itself is a trusted device, you log into the machine - launch VPN (and the creds are unlocked because you logged into the computer so the VPN just connects upon launching) then you launch RDP which then connects automatically to the pre setup device... but you're still launching two things. Of course you could have the system do those automatically upon logging into the machine I suppose.
The issue there is... if you tie the two together, you defeat the purpose of the VPN. The VPN isn't there for the tunnel, but for the 2FA.
-
Just adding 2FA to RDP is a better option.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
I wonder if that would mitigate the authentication bypass problem that RDP had a few months ago?
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
I don't understand how the use of RDP could do anything to cause multiple logins?
If you RDP in to your desktop using the same login as usual then everything is exactly the same as if you're physically there.
Login 1 : User logs into business issued laptop
Login 2 : User connects to company over SSLVPN using domain credentials
Login 3 : User connects to their internal physical PC via RDP using their domain credentialsOn top of this, sometimes the company issued laptop is encrypted and they must enter a password (if there's no TPM chip).
Then there are usually prompts between the SSLVPN and RDP steps such as SSL cert and other pop-ups. Yes they can check "dont ask again" but this all adds to the chunkiness of everything.We also had some telephony/call quality issues (that I won't go into) but I will say that I'm just trying to find something that makes the best use of the remote session in terms of data transmission, so like RDP vs ICA or something. I'm not too knowledgeable in this area though.
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
Then there are usually prompts between the SSLVPN and RDP steps such as SSL cert and other pop-ups. Yes they can check "dont ask again" but this all adds to the chunkiness of everything.
Those are problems that can be fixed, though. Those particular ones should not be like that.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
Then there are usually prompts between the SSLVPN and RDP steps such as SSL cert and other pop-ups. Yes they can check "dont ask again" but this all adds to the chunkiness of everything.
Those are problems that can be fixed, though. Those particular ones should not be like that.
ok disregard then.. not worth mentioning
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
Login 1 : User logs into business issued laptop
Login 2 : User connects to company over SSLVPN using domain credentials
Login 3 : User connects to their internal physical PC via RDP using their domain credentialsWhile all of those exist, managing them is the key.
You CAN make Login 2 be automated as something that just connects once the laptop turns on and/or once the user logs in. Transparent to the user.
You CAN do the same with Login 3. Have the RDP client simply save the credentials. Nearly all users choose to do this anyway.
-
Now each time you save the credentials, you make the laptop a bit more risk if it were to be compromised. So it is all about balance. But if you want to, you can make all those piece be pretty much transparent and fast.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
We try not to encourage saving passwords too much.
Remember that there are passwords still not-being saved. The issue is eliminating how many times that they have to remember and type them in. Possibly the same one over and over again, as well.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
Login 1 : User logs into business issued laptop
Login 2 : User connects to company over SSLVPN using domain credentials
Login 3 : User connects to their internal physical PC via RDP using their domain credentialsDo they use the domain credentials to log in on the laptop as well?
What's the timeout on the laptop / VPN link / desktop (over RDP) that would require them to have to login again?
Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected?
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected?
I'm curious how this plays into the current conversation?
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected?
I'm curious how this plays into the current conversation?
OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
Also are you using split tunneling on the VPN connection or is all traffic passing over VPN when connected?
I'm curious how this plays into the current conversation?
OP said he wanted to "make the best use of the remote session in terms of data transmission". It also plays into the security issue, together with credentials and logins.
aww - definitely understand the bandwidth portion, but not the creds/logins though.