How do you handle remote access for users?
Originally, we set up a Sonicwall SRA device, which offers a pretty simple VPN method. Though more and more of our software is browser-based, which reduces the need for a VPN device. With a list of resources to which you need to provide access, we can probably help narrow down a list for you here.
We have a couple of different methods including VPN, but most of our users that need remote access use RealVNC Cloud Connect. This bypasses the need for a VPN client and is much easier for the end users to use to remote into the machines they need. It’s not exactly cheap, but since we have a full deployment of RealVNC on all of our workstations and servers for IT support, it made the most sense to allow users that need remote access to piggyback off of it since there is no additional cost.
We used to use Logmein Central before migrating everything to RealVNC Cloud Connect this past year.
My perspective is that you should treat VPN as the first layer in your security boundary approach to the outside world. You want to let authorised users in easily, but keep unauthorised users out. It should therefore have strong encryption (to eliminate snooping risk), be easy to use (e.g. a standard implementation on any authorised user’s computer/device) and be fully supported either by your own IT admin or an external vendor (to keep up to date with possible security threats). It should in effect operate like the security controls of a private bank - if you are not on the list, you’re not allowed in the door.
Once inside, you should still segment your internal network and servers with relevant security controls so that each operational area is itself secure.
Your choice of vendor or technology type should then be immaterial as long as your security standard and policy requirements are met.
Depends on what they need to access really. Overall, I don’t like VPN unless it’s router to router, because I don’t like solutions that the user needs to intervene with. When it comes to solving the mobility issue, an SDWAN type of approach is my preferred approach, as I can do all kinds of hybrid cloud/on-site/remote user solutions and it self-adapts, so if you take that laptop from outside the network inside it, the SDWAN layer will adapt from using the WAN IP to the LAN IP and vice versa, so I just have to work with that SDWAN layer. Zerotier works okay for that. Otherwise, I know some other guys in the MSP space that have gone to cloud-based workstations for their clients (Paperspace, Amazon, Citrix on Azure, RDS farms, etc.) and that is becoming increasingly popular.
Splashtop. Highly reliable, simple interface, non-profit pricing, charge per user instead of device, multi-platform access. Works extremely well for the “technologically challenged” folks we have.
The current setup, which was done by our prior IT vendor, is just an RDP URL off of our Exchange server, wide open to the world. The IT vendor suggested Terminal Server/RDS and purchasing CALs. I feel there’s got to be a better way. Offsite users typically just need file access, more or less, because more and more of our systems are going cloud-based.
In that case, Sharepoint/OneDrive on O365 would probably take care of it. You really should close up the RDP access off the Exchange server; leaving that open to the world is a can of worms. Actually, I’d ditch that Exchange server and migrate to O365 for email as well. I don’t see much point in having one on-site if Microsoft will happily host and manage my Exchange server in their datacenter for free.
Yes, that’s my goal, to use 365 as well. But there is some push back.
Chance, I’d echo Isaac’s suggestion about O365 and Sharepoint, as well as shutting down RDP and Exchange. I’d push hard on the security risks of the current setup, as well as the ongoing maintenance and costs. If security is the big concern with moving to the cloud, I’d remind them that Microsoft has entire teams of people working to secure your data, vs just you. Also, with on premises Exchange, if your Internet connection goes down, so does email, files, etc. With O365 and Sharepoint, people can fail over to using hotspots and/or phones, or work from home or a coffee shop. If Microsoft goes down, you can also bet there are whole teams of people on call 24/7 until that’s resolved, too.
Jeremy, you are right to pick up on the O365, Sharepoint, RDP, Exchange issues, etc. The difficulty with all Microsoft services is that they are highly proprietary. This means you are completely dependent on them to fix any issues. There are some serious problems with most of Microsoft’s Cloud services (and many other vendors’) and many of their proprietary applications with regard to security. I therefore operate a policy of not using them unless there is no alternative, and if I have to use them, they are bolted down to the floor by other security measures to compensate. A lot depends on how sensitive the information your IT systems hold is (in our case, some data is very sensitive), so you have to measure your security response to the level of sensitivity of the data you store and/or process. The bigger you are as a church, the greater the risks you carry, but hopefully the more your leadership should understand the need to secure information properly.
If you are comfortable with Microsoft handling your security for you and you don’t hold any sensitive data, then by all means use them.
I mean, if we are going to don our tinfoil infosec hats, we do have O365/Azure HYOK to mitigate the scenario in which Microsoft suddenly became a bad actor and we had something that really needed to be protected from that unlikely scenario:
Chance, we use Cisco ASAs and install the Cisco AnyConnect Secure Mobility Client to give users VPN access to our network.
We created two different AD security groups, one titled VPN Full Access, which gives IT and other key groups full access to the network. Another security group, VPN Basic Access, allows the user to log in and access file servers and printers only.
We use RDP with a gateway, requiring SSL. Users enter their Active Directory creds. We have account lockout policies in place to prevent brute force attacks (good thing we did, because someone tried to brute force our System Administrator’s account a while back, repeatedly for a period of a couple weeks).
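The post above describes an account lockout policy catching a weeks-long brute-force attempt against an administrator account through an RDP gateway. The following is an added example (not code from the poster or from any vendor mentioned in the thread) that shows how such a policy behaves when applied to logon-failure records: a sliding window of failed logons per account triggers a lockout, and attempts arriving during the lockout are rejected without being counted. The log format is a constructed, simplified one-line-per-event layout; only the event IDs (4625 failed logon, 4624 successful logon) correspond to real Windows Security events, and the thresholds are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not taken from the thread). One event per line:
# timestamp, Windows event id, target account, source address.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2024-03-01T02:14:07Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:14:09Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:14:12Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:14:15Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:14:18Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:14:21Z EventID=4625 Account=administrator Source=203.0.113.45
2024-03-01T02:16:40Z EventID=4624 Account=jsmith Source=198.51.100.7
2024-03-01T02:30:02Z EventID=4625 Account=jsmith Source=198.51.100.7
2024-03-01T03:05:55Z EventID=4625 Account=jsmith Source=198.51.100.7
2024-03-01T03:06:10Z EventID=4624 Account=jsmith Source=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "event_id": int(m["eid"]),
        "account": m["acct"].lower(),  # account names are case-insensitive in AD
        "source": m["src"],
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def evaluate_lockout(events, threshold=5, window_minutes=15, lockout_minutes=30):
    """Simulate an account lockout policy over a list of parsed events.

    `threshold` failed logons (4625) for one account inside a sliding window of
    `window_minutes` lock that account for `lockout_minutes`. A successful
    logon (4624) resets the failure counter, as a lockout observation window
    would. Returns (lockouts, blocked): lockouts is a list of
    (account, source, time) tuples, blocked is the number of attempts that
    arrived while the account was locked and were therefore not counted.
    """
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> time the lockout expires
    lockouts = []
    blocked = 0
    window = timedelta(minutes=window_minutes)

    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if acct in locked_until and ev["ts"] < locked_until[acct]:
            blocked += 1            # rejected outright; does not extend the lock
            continue
        if ev["event_id"] != 4625:
            failures[acct].clear()  # successful logon resets the counter
            continue
        recent = failures[acct]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if len(recent) >= threshold:
            locked_until[acct] = ev["ts"] + timedelta(minutes=lockout_minutes)
            lockouts.append((acct, ev["source"], ev["ts"]))
            recent.clear()
    return lockouts, blocked


if __name__ == "__main__":
    found, rejected = evaluate_lockout(parse_log(SAMPLE_LOG))
    for acct, src, when in found:
        print(f"LOCKOUT {acct} from {src} at {when.isoformat()}")
    print(f"{rejected} attempt(s) rejected during lockout")
```

In the constructed sample only the administrator account crosses the threshold; jsmith's two failures are 35 minutes apart and fall outside the 15-minute window, so a user who mistypes a password occasionally is not locked out. The lockouts list is what you would forward to whoever reviews the gateway, since the source address and the targeted account are the two facts needed to decide whether it was a user or an outsider.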
We found we really don’t have a requirement for it.
- Our Accounting, ChMS, and event scheduling and asset management software is cloud-based
- I’ve got cloud-based dashboards for managing virtually everything on our network
- Similarly, HVAC and security systems have cloud-based management
- Setting up cloud-based file store for sharing data between congregants and staff