Remote Access Solutions for Businesses?

thajeavis asks: "We are in the process of replacing our existing remote access system for IT staff and other faculty/staff. Previously, we were using a Bay Networks (Nortel) Remote Access Concentrator with an ISDN circuit. The equipment failed and the cost of the ISDN PRI is too high based on the low usage. We are presently testing a VPN solution using the employee's own dialup or broadband connection (Cable/DSL). The issue has also come up over who is to pay for the dialup/broadband connection, the employee or the college, since it will be used to work from home. I am most interested in what type of solution your institution has in place for remote access for IT staff and who pays for that access. We are also interested in what type of access, if any, is available for other faculty/staff. Any insight on this issue will be greatly appreciated."
  • IC Company (Score:3, Interesting)

    by shaka999 ( 335100 ) on Monday February 17, 2003 @09:28AM (#5318660)
    I work for an integrated circuits manufacturing company.

    Our solution for remote connection is twofold. First we contract with AT&T to allow remote dial up from a number of locations. This is free for the employee (except for the required phone line of course).

    VPN is also offered as an option but there is no official policy on who pays for the employee's connection. This is a smart policy IMHO. It usually requires the employee to prove they will do useful work at home before the company signs up to pay for a broadband connection.

    • I am a programmer for a software company and occasionally hack from home. We have a VPN in but the employee is generally responsible for his home connection.

      High speed at home is only $50 a month, plus or minus, which is maybe $30 a month over a decent dial up account. Anybody that is gainfully employed and won't pony up an additional $30 a month for high speed access doesn't consider themselves high enough up the tech food chain / doesn't respect themselves enough as techies to deserve to work from home.

      Tech food chain :
      High Tech (this would be you and I)
      Low Tech
      Aztek (mouth breathing end users)

      Anybody that wouldn't get high speed if they were paying for it doesn't need it bad enough for the company to pay for it. How about anybody that has had it for over a year can start expensing it ... this will clearly show you who 'needs' it and who doesn't.

      • I think a lot depends on whether working from home is considered part of your job as to who should pay for it.

        We pay for people to connect into our network from home as we consider that getting people to work from home is worth the relatively small amount of money. We offer a mixture of services to suit different people; direct RAS, VPN, whatever.

        I think your argument that if you aren't prepared to pay for something for work use yourself you don't need it sounds a little off-set. If, for example, my boss determined that I needed a laptop for my job but then expected me to pay for it, he would get short shrift!

        I'd probably go for cheap broadband myself if possible, true, but I haven't and again; if my boss thinks I need it (and he does) then he should sign off on paying for it (which he will once budget gets signed off)

        Disclaimer: I work for a hardware manufacturer who amongst other things makes products that do remote access.
        • --there's a previous model of "cost of working" that is well established. Usually an employee who must physically travel into work pays for this travel out of their own pocket, auto, gas, etc, normal commuter expenses. That is usually more than a broadband connection cost. I would think anyone lucky and skilled enough to work from home would gladly pay a nominal fee such as this for their job access. In sales where travel costs are deductible, it usually doesn't apply until after the first 50 miles daily (IIRC), again, much higher than a monthly broadband account most places. In other words it's such a good deal for the employee compared to the alternative they should just pony it up. If your employer wants to pay it, well, that's cool too but expecting them to pay for your physical or electronic travel just to "get to work" everyday is not usually a normal expense most employers pay.

          As to related expenses, not sure in the white collar IT world but in the blue collar world most jobs I have had require that I personally own and pay for "tools" which cost a lot more in aggregate than most laptops. If it was me I would just assume before even applying anywhere that an IT job would require me to have and own a laptop, and I would already own one being an "IT" guy, although if I worked inside a cube exclusively I would expect the employer to have the workstation. This is just normal, when I've had factory jobs I didn't pay for the lathe or bandsaw I was running, but on construction sites 90%+ of the tools I used were my own. I paid for my own specialised work clothing, blue collar, I paid for my own steel toed boots, rugged clothing and hard hat and gloves, white collar sales jobs I have had, I paid for my own suits and shiny shoes, and etc. I never even considered that the employer pay for this clothing.

          I would think in today's economy that both employers and employees in IT would just "get real" on pay scales, corporate profits, expectations, and costs of doing business. A little of give and take both ways might result in this IT company actually staying in business and everyone concerned remaining employed. I mean, didn't we just go through this dotbomb phenomenon? Was there nothing to learn from this?

          I am reminded of the lessons of Eastern Airlines, an old, established, profitable enterprise that tanked swiftly once the 'stupidity and greed' factor became part of the mindset there, and was shared across the board up and down and sideways throughout their organization. Where a combination of white collar mismanagement and arrogance and severe over compensation, combined with completely unrealistic blue collar union demands and expectations of compensation, resulted in *no one* at Eastern Airlines having "a job" after a short time frame of this attitude being adopted.
          • I would think anyone lucky and skilled enough to work from home would gladly pay a nominal fee such as this for their job access.

            I would agree with that as far as it goes. My situation is rather different. My employer often expects me to perform work on his systems during evening and weekend hours. He also does not provide me with a keycard or other means to access the workplace because he does not want anyone except his most senior employees to have access to the workplace. It seems to me that providing access to perform my job IS part of what he should be paying for.

            • --I am sure there are any number of different formulas and work descriptions that could apply to this discussion. And that makes it hard to really talk about it except in very general terms. In your case I guess you have to look at the old boring way of a cost/benefit analysis, are you getting paid more for this extra work at night and is it acceptable to pay the additional expenses from your pocket? Or were you told upfront this might happen, and now that it did it just sucks and you are stuck with it. If it really doesn't make you any money, where the cost of getting access to work is almost the same as what you get paid to do for those hours, or a significant part of it, then that's a no brainer, you just say no, or ask for more money and show the reasons why. I've been in the position as well of being just about forced to work for free, when the boss starts adding on more and more tasks that don't jibe with the original job description. I've seen it a lot too, the worst I ever get is contracting small building jobs when the homeowner or building owner just every day walks over and asks you to do "just the little one thing more" that takes them one sentence or two to ask in time or effort, but requires you to once again go to the store for more materials, do more work, slows you down on the original project etc, and they expect the contract to not change! Going through it exactly right now in fact. It's a tough call to make, when exactly do you get in an employer's face and tell them to either cut some more money or STFU and do this new task themselves. I guess that's why we have contracts and lawyers, and it's a shame we have to go that route sometimes. My basic nature is I will give people the benefit of the doubt on being honest and rational until a pattern of irrationality and greed and dishonesty shows up, if I know little about them when I first start working for them. If they show themselves to have a bent towards untrustworthiness, I stop working for them as soon as I can find a different job. It's cost me "money" sometimes, sometimes a lot of money, but I detest crooks, petty or otherwise. And sometimes the petty ones are just so smarmy about it, my favorite trick they do is to have what I call "selective memory", it's almost like you have to follow them around and tape record every conversation you have with them.
      • Aztek (mouth breathing end users)

        i dunno about you, but i've seen plenty of techies in this mode when they're deep into coding or hacking. :-)
      • I work for a small software company too. It is sort of a virtual corporation, as for example, my boss telecommutes from the east coast to the west coast. The company will pick up the cost of DSL, up to $130/month. And business related phone calls.

        On business phone calls, my long distance vendor allows putting in an accounting code after dialing. In fact, it is set up to require the accounting code. So I have one code for work and one code for everything else. The monthly bill is organized around the accounting codes and so it is easy to know what to bill back.

        There is an office about 45 minutes away. Currently I go in twice a month to pick up my paycheck and have meetings. The boss comes in about every six weeks but he has to fly. He has some hot cell phone that gives him the internet on his laptop, so he can keep in touch even when on the road.

        The product we work on is an internet enabled accounting package and mostly we just use a thin client over the internet. The thin client has a programmer's workbench in it, so we get along okay. It can print locally too.

        Hope this is useful to someone.

        Oh, shameless plug. We have a product that is sort of a web based employee information product that tells us who is available and contact information and lets us enter our time and expense cards. You could get a full featured copy for a month for free and try it. It cuts down on the paper work part of this virtual thing pretty well. You can look at TOM Software [tom-software.com]
  • Netscreen (Score:5, Informative)

    by Gothmolly ( 148874 ) on Monday February 17, 2003 @09:35AM (#5318690)
    Makes firewalls which handle 10-10,000 users. Buy a smallish one (model 25 or 50), get your 4 10/100 interfaces, stateful inspection, ability to scan viruses, etc. etc. and terminate tunnels. Buy some new (pricey) or used ($250) Netscreen-5 units for the employees with broadband. The Netscreen-5 does 4 MBps at 3DES, 10MBit unencrypted, stateful inspection, all the goodies. They handle DHCP, static or PPPoE interfaces, so it should work with any ISP.
    I've rolled out many "home->corporate" VPNs this way, it works like a charm.
  • We use cisco vpn, and except for a very few rare cases the employee pays for the broadband connection.
  • Employee pays (Score:1, Informative)

    by Anonymous Coward
    I work for a company that is one of the USA's largest suppliers of DSL. We can get VPN access, but we have to pay for the DSL (we get an employee discount). The company only supplies the VPN software, and that is tightly controlled.

    That policy is mostly for cost cutting reasons. The idea is that it's a privilege to be allowed to work at home (and they don't want to hear about off-hours work) so the employee should pay. They're constantly threatening to kill work at home entirely so we take the deal.

    Yeah, I know... but the job market ain't so good these days.
  • by Neck_of_the_Woods ( 305788 ) on Monday February 17, 2003 @10:39AM (#5319017) Journal
    VPN with a CA unix Gauntlet firewall/VPN setup. The client is very easy to set up and use for anyone, and the GUI is close enough to the NT Gauntlet to get your NT techs over the difference.

    Everyone pretty much has cable or DSL, and the company will pay for 1/2 as both parties know that the other would have a dialup at the very least no matter what. This way both sides feel like they are getting a good deal. We also use Citrix on the back end and keep track of the time that the techs are logged into the system. The Citrix server will log them off after 10 minutes of idle time so the company has a track record of who was busy with what, and when.

    Good luck.

  • by FreeLinux ( 555387 ) on Monday February 17, 2003 @10:51AM (#5319093)
    What is your satisfaction level with the Bay Networks product? These products have matured into the Nortel Contivity product line which are the best that I have used, bar none. Just for the record, I have used comparable products from Cisco, Checkpoint, Sonic Wall, Netscreen, 3Com and *many* more.

    Of all the products that I have tried, the Nortel Contivity was the easiest to set up while at the same time offering the most configuration options. The performance has been equal to or greater than all of the other products. There is also a broad array of options for connection interfaces including ISDN, Frame-Relay, Ethernet, Dial-up and I think (not sure) that they even have a Contivity blade for their Passport 8600 switch.

    One important feature that the Nortel offering has over the likes of Cisco is licensing cost. A separate client software license is needed for the Cisco system and many of the others. But, Nortel gives the client software away for free. They offer client solutions for multiple platforms and even officially support Linux using FreeSWAN.
    • "even officially support Linux using FreeS/WAN" is a bit of a crock. They support it as a branch-office style connection, where you need a static IP address on the FreeS/WAN side. Most end-users don't have this.

      This is why I let my Windows users do the Contivity thing, and my Linux users connect to a FreeS/WAN box. Netlock makes a Linux Contivity client, but it's an extra $100-150 US per client, which makes it out most people's price range, especially since FreeS/WAN is, well, Free :)
  • My company pays (Score:5, Insightful)

    by crow ( 16139 ) on Monday February 17, 2003 @10:56AM (#5319126) Homepage Journal
    My company uses VPN for home access, and they pay for my connection. They used to provide an ISDN line to my home, and I never saw a bill. A few years ago, they switched to using VPN, and now we can file expense reports for our home Internet access (up to some dollar limit). Most people get cable or DSL.

    Of course, the employees who qualify to expense their connections are the same ones that are given pagers and are expected to deal with urgent problems promptly during off hours. (They also provide company computers for home use.)

    Remember, one big difference between an employee and a contractor is that the company provides the tools necessary to do the job for employees. If VPN access from home is necessary for employees to do their jobs, then the company should pay for it. If it's an optional thing, then the employee can pay for it if he wants to.


  • It sounds as though you had a bad experience with another Nortel product. I'm not familiar with their Concentrator. However, I have had a lot of experience with the Nortel Contivity Extranet Switch (CES), particularly the 600, 1500 and 4500, and I think they are good, stable, relatively cheap solutions that provide firewall, VPN, dialup, etc. (Just in case you're thinking it, no, I don't work for Nortel.) I've worked with these devices for a couple of years installing and providing support for them with a few govt. agencies. Look for them on Ebay.

    Just my 2 cents ;-)

  • two solutions (Score:2, Informative)

    by Tesseract ( 107713 )
    We use two solutions depending on the client-side hardware. On company-owned hardware (laptops mostly), they are allowed to use Cisco VPN. Since the VPN is 1) slow, 2) a PITA to set up, and 3) flaky, we require an SSH/Remote Administrator combo on user-owned hardware. SSH to a gateway server handles most of the mainframe needs and allows us to eliminate telnet connections directly from the outside, while tunneling Radmin allows them secured access to their desktops. Remote Admin [famatech.com] is much faster than VNC (although not as fast as Terminal Server), and can be configured for NT authentication.
    • I'm somewhat concerned about your description of the Cisco VPN solution. You claim it's:
      1. Slow
      2. A pain-in-the-ass to set up, and
      3. flakey

      In my experience (Which is considerable, as I have deployed the Cisco VPN solution for literally dozens of clients (I work for a Cisco Silver Partner)), it is none of those things.

      You can get into the Cisco 3005 VPN concentrator for under $3000, which provides software 3DES encryption for up to 100 simultaneous clients.

      For a little more, you can get hardware based encryption (In the 3015 model) for those 100 clients, and can be further scaled up to support 10,000 simultaneous connections.

      The Cisco VPN client is among the easiest to install and deploy of any I have seen, and can be distributed with the configuration file, so that the end user need not even configure his connection information (Reducing the procedure to "Install & Connect").

      Administration of the concentrator itself couldn't be much easier. Its configuration is entirely web-based, and the user database can be configured in one of 4 ways:

      1. Internal (Users stored on the concentrator locally)
      2. NT Domain (Bounce user authentication off the NT/2000 domain controllers)
      3. RADIUS
      4. TACACS+

      You can even use multiple user databases, configured on a user-by-user basis, or by groups (each group can be authenticated using its own individual resources).

      What are you talking about?

      • And another thing!

        No client license costs. Download as many as you need, free of charge.

      • To explain a bit more fully:
        1. Slow - our vpn is hosted at a remote office which means my users have the added latency of traversing the private circuits between the two offices to access resources in my datacenters. This leads to user complaints about speed, even though utilization on these lines is usually only 5-10%.
        2. PITA to setup - I've seen the 13 page (printout, not terminal pages) configuration for the PIX at our other office. While that's not all VPN, a considerable amount is the nat/vpn setup. This may very well be excessive, but I'm glad it's not my PIX to manage.
        3. flakey - I have users that constantly complain about lost connections, poor performance, and instability. This may be the configuration, as I do not manage that PIX.
        My only vpn tunnel is to a vendor via a 515 dedicated for the connection, and has been stable for about a year now with no intervention whatsoever. However, that connection uses a very small nat pool through a private network to a high-availability connection on the vendor's side and is only accessible to a very small number of servers on our side.

        Now the preferred solution in my datacenter is ssh/radmin because:
        1. Performance - I am able to access anything I require either directly from a shell on the gateway or via a tunnelled remote desktop. I have users that do spreadsheets from home and we receive very few complaints about screen refresh problems (which we had with VNC) or perceived "slowness".
        2. ease of use - We've compiled a package of PuTTY (freely available) and Remote Admin ($700 site license). It takes about 3 minutes to set up, including adding the user account to the gateway, which authenticates off the domain, i.e., no user management on my side other than creating the initial account (I could automate it, but prefer the extra step).
        3. stability - I have rock solid connections with good performance and the same choice of using remote software that I would at work (Win TS or RAdmin) all of which fits on a tiny flash disk or a couple of floppies. Of the 40 people using ssh/radmin, I receive fewer complaints than the 10 people that use the vpn. Most of my users only require telnet access to our alphas, so I created a limited shell which allows them telnet access from the inside of the gateway (on our private network) instead of setting up Reflections to use the vpn. I have created a limited shell which only allows certain commands from their login. The interface is easy to use and completely reliable from anywhere with any ssh client.

        Additionally, I have some real concerns regarding the wide open connection that a VPN provides to our internal network. For this reason, we only allow VPN connections from company-owned and -administered machines. This allows us to guarantee that the remote machine is running up-to-date virus scanners and is not running unacceptable software. In the spirit of "only the access that the user needs", ssh/remote desktop works well, provides the users with what they need, and requires really minimal management and troubleshooting. The only real problem we've run into is trying to run this combo with WinXP Home, as it appears that M$ has broken something internally. WinXP Pro works fine, but Home simply refuses to run the remote software over the tunnel (hearsay from workstation, I have no access to WinXP Home to troubleshoot).

        Now, all that said, I am a huge fan of Cisco, having just dropped better than a quarter mil on new equipment for our new facility. Part of the new configuration will be a PIX 515EUR/FO bundle for testing site-site VPN to replace our costly long-haul private lines between offices (along with a 6513 and a couple of 7204s, I'm pretty psyched =).
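        The ssh/radmin gateway in the two posts above (a limited login on the gateway that only allows certain commands, plus a forwarded port for the remote-desktop tool) can be enforced from the gateway side with an OpenSSH forced command. The script below is an added example, not Tesseract's own setup and not code from any vendor; the hostnames, the `/usr/local/bin/gw-shell` path, the log path, the allowlisted commands and the use of Radmin's default port 4899 are all assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script: a forced-command wrapper for the
# SSH gateway account. sshd runs it in place of a login shell when the user's
# key is installed in ~/.ssh/authorized_keys with options such as
#   restrict,port-forwarding,permitopen="desktop7.corp.example:4899",command="/usr/local/bin/gw-shell" ssh-ed25519 AAAA... alice
# "restrict" turns off pty, agent and X11 forwarding; "port-forwarding" plus
# "permitopen" re-enables only the local forward to that user's own desktop
# (4899 is Radmin's default port). Hostnames and paths here are constructed.

# Exact commands a remote user may run on the gateway, one per line.
ALLOWED_COMMANDS='telnet alpha1.corp.example
telnet alpha2.corp.example
w'

# gw_check CMD -> 0 if CMD is exactly one allowlisted line, 1 otherwise.
gw_check() {
    cmd=$1
    # Belt and braces: refuse shell metacharacters before the exact match.
    case $cmd in
        *[';&|$`<>()']*|*'\'*|*"'"*|*'"'*) return 1 ;;
    esac
    printf '%s\n' "$ALLOWED_COMMANDS" | grep -qxF -- "$cmd"
}

# gw_log MSG -> one audit line per decision (log path is a constructed placeholder).
gw_log() {
    client=${SSH_CLIENT:-unknown}
    printf '%s user=%s from=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${USER:-?}" "${client%% *}" "$1" >> "${GW_LOG:-/var/log/gw-shell.log}"
}

# gw_main -> dispatch on what the client asked for (sshd passes it in
# SSH_ORIGINAL_COMMAND; it is unset when the client requested no command).
gw_main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # No command: the user only wants the tunnel, so hold the session open.
        gw_log "tunnel-only session"
        while :; do sleep 3600; done
    fi
    if gw_check "$SSH_ORIGINAL_COMMAND"; then
        gw_log "allowed: $SSH_ORIGINAL_COMMAND"
        exec $SSH_ORIGINAL_COMMAND   # allowlisted verbatim, so word splitting is intended
    fi
    gw_log "denied: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 127
}

# Dispatch only when installed and started as gw-shell; sourcing the file
# elsewhere just defines the functions.
case ${0##*/} in
    gw-shell) gw_main ;;
esac
```

        The `permitopen` option is what keeps the tunnel from being re-pointed at other internal hosts: the forward can only land on the user's own desktop port, and every allowed or denied command lands in the audit log. The `restrict` keyword needs OpenSSH 7.2 or later; on older servers the individual `no-pty`, `no-agent-forwarding` and `no-X11-forwarding` options do the same job.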
        • Creating/Managing user VPNs on a PIX is something of a nightmare, although, as PDM is maturing nicely (PIX Device Manager), it's a lot easier than it used to be.

          Even with the improvement, it doesn't come close to using the VPN Concentrators. The issues you describe are all addressed by the Concentrators, including your concerns about the "wide open" nature of the VPN connections. (I guess it doesn't really address the speed of your WAN, but there's not much that could.)

          It has a very rich suite of policy management features, so that you can restrict the corporate resources available to a given class of user. These policies can be administered on a user, or group basis.

          For example, you can set the accounting group in such a manner as they are only able to access the Accounting Servers, and you can limit the ports/protocols that they can use to reach those servers.

          If you're already spending a quarter million, you should be able to get Cisco to allow you to demo a 3005 VPN concentrator. My company has arranged for several of our customers to borrow 3005s for a 30 day trial, and each of them has gone on to purchase the unit, or one of its larger, more capable cousins.

          That said, I too am a big fan of SSH, and its port forwarding capabilities. It's a very effective, secure, poor-man's VPN.

          PuTTY is a pretty good client... I only wish it had Serial capabilities, so I could use it to jump on router and switch consoles. As it stands, I have to keep TeraTerm around for console access. It's not too bad, and there are crypto libs available to make TeraTerm a decent SSH client as well, but it doesn't do quite as good a job with terminal emulation as PuTTY does.
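          The per-group policy described in this post (the accounting group can only reach the accounting servers, and only on certain ports) is, at bottom, a default-deny table keyed on group, destination and port. The script below is an added illustration of that idea, not the concentrator's configuration syntax and not code from the poster or from Cisco; the group names, addresses, ports, log-line format and sample log lines are all constructed for the example. It also runs the table over recorded session lines, which is a cheap way to confirm that what users actually do matches the policy.

```shell
#!/bin/sh
# Added example, not from the post and not Cisco's product: a group-based
# access policy as a default-deny table, plus an audit pass over constructed
# VPN session-log lines. Groups, addresses, ports and log lines are made up.

# Policy table: GROUP  DESTINATION-CIDR  PROTO  PORTS (comma list or "any").
# Anything not matched by a line for the user's group is denied.
POLICY='accounting  10.10.5.0/24   tcp   445,1433
accounting  10.10.5.0/24   icmp  any
engineering 10.10.20.0/24  tcp   22,80,443
engineering 10.10.21.0/24  tcp   any
it-staff    0.0.0.0/0      any   any'

# ip_to_int A.B.C.D -> the address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> 0 if IP lies inside CIDR.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( ((1 << bits) - 1) << (32 - bits) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# port_in PORT LIST -> 0 if LIST is "any" or contains PORT.
port_in() {
    [ "$2" = any ] && return 0
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# policy_allows GROUP DST PROTO PORT -> 0 if a policy line matches, 1 otherwise.
policy_allows() {
    grp=$1; dst=$2; proto=$3; port=$4
    result=$(printf '%s\n' "$POLICY" | while read -r pg pcidr pproto pports; do
        [ "$pg" = "$grp" ] || continue
        [ "$pproto" = any ] || [ "$pproto" = "$proto" ] || continue
        in_cidr "$dst" "$pcidr" || continue
        port_in "$port" "$pports" || continue
        echo allow; break
    done)
    [ "$result" = allow ]
}

# audit LINE -> prints "allow" or "DENY" for one session-log line of the form
# "user=... group=... dst=... proto=... port=...".
audit() {
    grp=; dst=; proto=; port=
    for kv in $1; do
        case $kv in
            group=*) grp=${kv#group=} ;;
            dst=*)   dst=${kv#dst=} ;;
            proto=*) proto=${kv#proto=} ;;
            port=*)  port=${kv#port=} ;;
        esac
    done
    if policy_allows "$grp" "$dst" "$proto" "$port"; then echo allow; else echo DENY; fi
}

# Constructed session-log lines for the demo.
SAMPLE_LOG='user=alice group=accounting  dst=10.10.5.10 proto=tcp port=445
user=alice group=accounting  dst=10.10.5.10 proto=tcp port=22
user=bob   group=engineering dst=10.10.5.10 proto=tcp port=445
user=carol group=it-staff    dst=10.10.5.10 proto=tcp port=3389
user=dave  group=contractor  dst=10.10.20.7 proto=tcp port=80'

# Run with --demo to print one decision per sample line.
if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | while read -r line; do
        echo "$(audit "$line")  $line"
    done
fi
```

          A DENY in the audit output is either a rule that is missing from the table or a user reaching for something their group should not see; both are worth a look. Note that a group with no lines at all (contractor above) gets nothing, which is the behaviour you want from a default-deny policy.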

          • Hook a linux box up to the serial port and use minicom. Falling a bit more off-topic, we have some multi-port serial cards that the VMS guy has hooked up in a Windows pc and attached to all of his console ports. He can then remote into the one pc from anywhere, and have all of his console ports available. I need to find out if there's linux support for these cards, because I've become quite addicted to minicom for running my console sessions.
            • I know that the Cyclades cards are definitely supported. I think it's in the kernel, and that Cyclades actually wrote the code.

              I know of at least one other vendor that is supported as well, but the name escapes me, and I'm too lazy to google it myself.

              I have actually used the Cyclades, though, and they work great. (This was at least 3 years ago.)

  • Issues (Score:3, Informative)

    by macemoneta ( 154740 ) on Monday February 17, 2003 @12:53PM (#5319878) Homepage
    Our company offered to pay for the broadband (cable or DSL) connection. However, if the company paid, the connection was restricted to business use, and the terms of the corporate code of conduct. Browse porn or use P2P and you could be fired. Most employees opted to pay for the connection themselves, to be free of the restrictions.

    Nortel VPN was used. However, in subsequent jobs, SSH was more flexible and lower cost (using non-standard ports to make port scans more time consuming). I preferred SSH, since a client wasn't even needed (you can use a web browser with an SSL protected Java client, like JavaSSH [javassh.org]). I was able to securely access from the road by logging in from a public library. That's something that is difficult or impossible to do with a VPN. No dongles or SecurIDs to lose or manage either.

    • Re:Issues (Score:1, Insightful)

      by Anonymous Coward
      Our company offered to pay for the broadband (cable or DSL) connection. However, if the company paid, the connection was restricted to business use, and the terms of the corporate code of conduct. Browse porn or use P2P and you could be fired.

      Wow, how magnanimous of them-- "We'll pay, if you agree to these ridiculous restrictions designed to deter most people from accepting the offer." What next, will the RIAA offer free CDs to the deaf?

      My company kicks in $50/month
  • Cisco (Score:4, Informative)

    by NetJunkie ( 56134 ) <jason.nash@CHICAGOgmail.com minus city> on Monday February 17, 2003 @01:11PM (#5319994)
    We use Cisco VPN. The concentrator is a 3005 and everyone just uses the Cisco VPN Client software. It works great. If you have a need to work from home the company pays your broadband fee. If not, you can pay it.

    It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.
  • It would have been nice to know what OS[es] - client and server - you are using, as well as things like the number of clients you expect.
  • I am a lowly user, but my company uses Cisco VPN solutions. [cisco.com]

    They have linux , windows, and mac clients, and our implementation uses SecurID [rsasecurity.com] for authentication, so at least it seems secure. (not being a security expert I have no idea if it actually is.)

  • I work for a small (

    My wife's Fortune 500 company however provides two tiers of access. Terminal services (Citrix) to access your Outlook remotely from any machine, or a company-issued laptop with full VPN access apparently using the built in Win2K IPSec. She has the terminal services option, which requires a SecurID fob. Terminal services is strange 'cause it doesn't let you do anything useful, such as print documents or access your network drives. So, you have to forward any documents you need to actually work on to an external address and back again.

    Where I am we are also providing basic connectivity over HTTPS using Outlook Web Access (OWA/SSL) and have been experimenting with various CIFS to HTTP products to provide access to network shares. This takes care of 90% of users in a relatively easy and secure way.

    Balam
    • Oops, forgot to escape the less than symbol.

      I work for a small (<250 FTEs) high tech telecommunications equipment manufacturer. We provide IPSec VPN access through a Cisco 5001 VPN concentrator (formerly Compatible Systems) using the employee's own 'net connection. If the employee is predominantly out in the field (such as a remote sales person) the company picks up their 'net access, otherwise the employee does.

      My wife's Fortune 500 company however provides two tiers of access. Terminal services (Citrix) to access your Outlook remotely from any machine, or a company-issued laptop with full VPN access apparently using the built in Win2K IPSec. She has the terminal services option, which requires a SecurID fob. Terminal services is strange 'cause it doesn't let you do anything useful, such as print documents or access your network drives. So, you have to forward any documents you need to actually work on to an external address and back again.

      Where I am we are also providing basic connectivity over HTTPS using Outlook Web Access (OWA/SSL) and have been experimenting with various CIFS to HTTP products to provide access to network shares. This takes care of 90% of users in a relatively easy and secure way.

      Balam
  • by bluGill ( 862 )

    ssh was my preferred solution for when I could work at home. With X forwarding and DSL, being at home was exactly the same as at the office. (I had an NCD on my desk, not a full computer.) It worked, and is cheap. It didn't work for Windows, but many people didn't have Windows at home. Those that did have Windows used some other solution.

  • My company, 80 users, uses a Nortel Contivity 1700, which provides up to 5000 end user tunnels. We've got a couple of Branch Office tunnels set up, and they also work great. It was in the area of $3700, and it's easy to administer and install.

    Bummer parts, I've not really been able to test the Unix/MacOS client, but it costs money. Only the Windows clients are included with the device. You can use FreeSWAN, but AFAIK, you have to make a Branch Office Tunnel for each FreeSWAN connection, which would suck. I haven't bothered for myself quite yet.

    My company does not pay for net access for our users (not even IT staff :-(), I wouldn't expect it though, we're still too small a company.

    Overall, I'd say stick with the Nortel. The client is good, 2k Domains work great, and most importantly, it's easy for users without much (any) technical skill to install and get running, or you can make packages for them with custom client distributions.

  • At the college where I work, we allow staff to connect to school over their existing internet account to one of the Citrix boxes at school; students can do this too. Some students also have a dedicated box donated by the school running a cut-down Red Hat install running a Citrix client directly in X.

    simple.
  • when you work 'in the office' do you ask your employer to pay for the cost of commuting to work (gas, vehicle maintenance, and or subway/bus/public transit fare)? No.. of course not - it's expected that you get yourself to work on your own.

    The same applies to 'tele-commuting': you're responsible for the cost of the 'commute' to work - in this case some type of broadband or other internet access.

    Sure I know if I had the ability to push off the cost of my cable modem to the company I'd do it.. but quite frankly I'd rather not. If they pay for it, it becomes their 'property' and technically anything I did on it would have to abide by their rules (no porn, no mp3s, no instant messaging) and really when you cut that out what's left of the internet?

  • I've set up a number of clients with VPN solutions, and I use the same setup to monitor their networks remotely (Nagios rocks). I'd say the following are issues you need to keep in mind:
    • VPNs can be a great solution, depending on what kind of network applications you're trying to access. Broadband feels fast, but it's shockingly slow when compared to a 100 megabit switched network. If you're going to transfer many files across the network or are using fat database clients that need access to a network share, it's going to crawl.
    • Citrix is a great option if you're wanting to provide a "virtual desktop" sort of environment. Windows 2000's Terminal Services is cheaper (assuming you've already purchased Win2k Server and everyone's connecting from a Win2k Pro/XP Pro box), but it makes less efficient use of bandwidth and doesn't offer nearly the same amount of flexibility as Citrix. Think Linux, Mac, Java clients here -- Citrix can hook you up, but Terminal Services is a Windows-only solution. Odds are you'll want a dedicated multiprocessor box for this.
    • I love firewall appliances -- they're easy to set up, require low maintenance, and offer better reliability (no moving parts!) than something running on PC hardware. Most vendors have good options for VPN access as well. Something like a SonicWALL Pro300 [sonicguard.com] costs $2,200, passes 3DES traffic at 45Mb/s, comes with 50 VPN client licenses (supports up to 1,000 on the single box), can be set up as a pair for high-availability, now supports Microsoft's PPTP in case you feel like you need to enable it, etc. I love Cisco solutions, but they might not be the best choice unless you've got someone on staff who's gone to the effort to understand how to make them do what you want. There's a lot to be said for a good web-based interface. Or paying someone to do it for you.
    • Linux can be set up to do this for less money (depending on what hardware you've got lying around) and with more configurability, but there's a cost involved. Have someone set it up who understands what they're doing. Use a hardware-based RAID array. Make sure you set things up so that the installation process for client machines can be explained in easy to understand language on one piece of paper. That's front-only, not both sides. Anything else and this can turn into a support nightmare. As a general rule, I'd say that a firewall appliance is the best solution unless you can clearly state why you want to use something different.
    • If you're going to use something like Citrix, you can have the client implement encryption and just pass that traffic through your firewall. Not as good a solution as implementing a VPN, but the support costs will likely be lower to support one application (Citrix client) than two (Citrix plus your VPN software of choice).
    That's all for now. Hope this helps.

    • I've set up Sonicwall, but it's a totally hit or miss scenario. Users connected directly to the Internet with a public IP address work fine. But for those with NAT configurations - it's kind of a nightmare. I've tested some of the common home routers (Netgear, Linksys, Dlink) and on the Linksys and Dlink routers I have to log on to the router and forward port 500 to the appropriate router. Do you know if there are any configurations on the firewall side to avoid configuration on the home routers?
  • I work for a financial institution, so security is paramount.

    We found that we had serious security concerns with remote access.

    We started using RSA [rsasecurity.com] SecurID tokens [rsasecurity.com] for authentication (and a tie to a database for authorization). That worked well to secure remote access from company-owned equipment (where we could control the security, set standards for antivirus, etc.), but left a major exposure:

    Specifically, with a VPN we could secure the transmission, but couldn't verify the security of the end point. And a big value of remote access is the ability to let people work from home on their own gear (and the inherent cost savings to the company).

    So we have a multi-tier solution as follows:

    All authorized users can use web services. We make available access to the email system, 3270 access to a mainframe, and some internal applications to authorized and authenticated users over the internet (HTTPS). These web services have the advantage of being very low cost... almost zero incremental cost per user assuming they are not bandwidth intensive.

    People with company-owned equipment (laptops) can use dial-in services, which we provide through Cisco AS-5300's, with strong authentication provided by RSA SecurID. Costs a little to invest in the Cisco gear, and costs a little to support in house.

    For those wanting VPN access, we found a company that could address our security concerns... a managed VPN provider called Positive Networks [positivenetworks.net]. Positive addresses our security concerns by providing the ability to enforce security policy on the end computer (such as X-brand Antivirus must be installed and running with up-to-date pattern files), as well as providing a managed service at a reasonable cost (it's been more effective for us to outsource this big chunk of remote access, rather than staffing for supporting it internally).

    I would strongly recommend Positive Networks as a remote access solution.

    No affiliation other than a satisfied user (and I'm primarily responsible for our company selecting their product).
