Remote Access Solutions for Businesses?
thajeavis asks: "We are in the process of replacing our existing remote access system for IT staff and other faculty/staff. Previously, we were using a Bay Networks (Nortel) Remote Access Concentrator with an ISDN circuit. The equipment failed and the cost of the ISDN PRI is too high based on the low usage. We are presently testing a VPN solution using the employee's own dialup or broadband connection (Cable/DSL). The issue has also come up over who is to pay for the dialup/broadband connection, the employee or the college, since it will be used to work from home. I am most interested in what type of solution your institution has in place for remote access for IT staff and who pays for that access. We also are interested in what type of access, if any, is available for other faculty/staff. Any insight on this issue will be greatly appreciated."
IC Company (Score:3, Interesting)
Our solution for remote connection is twofold. First we contract with AT&T to allow remote dial-up from a number of locations. This is free for the employee (except for the required phone line of course).
VPN is also offered as an option but there is no official policy on who pays for the employee's connection. This is a smart policy IMHO. It usually requires the employee to prove they will do useful work at home before the company signs up to pay for a broadband connection.
Software Company (Score:2)
High speed at home is only $50 a month, plus or minus, which is maybe $30 a month over a decent dial-up account. Anybody that is gainfully employed and won't pony up an additional $30 a month for high speed access doesn't consider themselves high enough up the tech food chain / doesn't respect themselves enough as techies to deserve to work from home.
Tech food chain
High Tech (this would be you and I)
Low Tech
Aztek (mouth breathing end users)
Anybody that wouldn't get high speed if they were paying for it doesn't need it bad enough for the company to pay for it. How about anybody that has had it for over a year can start expensing it?
Re:Software Company (Score:2)
We pay for people to connect into our network from home as we consider that getting people to work from home is worth the relatively small amount of money. We offer a mixture of services to suit different people; direct RAS, VPN, whatever.
I think your argument that if you aren't prepared to pay for something for work use yourself you don't need it sounds a little off-set. If, for example, my boss determined that I needed a laptop for my job but then expected me to pay for it, he would get short shrift!
I'd probably go for cheap broadband myself if possible, true, but I haven't and again; if my boss thinks I need it (and he does) then he should sign off on paying for it (which he will once budget gets signed off).
Disclaimer: I work for a hardware manufacturer who amongst other things makes products that do remote access.
cost of working and expectations (Score:2, Insightful)
As to related expenses, not sure in the white collar IT world but in the blue collar world most jobs I have had require that I personally own and pay for "tools" which cost a lot more in aggregate than most laptops. If it was me I would just assume before even applying anywhere that an IT job would require me to have and own a laptop, and I would already own one being an "IT" guy, although if I worked inside a cube exclusively I would expect the employer to have the workstation. This is just normal: when I've had factory jobs I didn't pay for the lathe or bandsaw I was running, but on construction sites 90%+ of the tools I used were my own. I paid for my own specialised work clothing; blue collar, I paid for my own steel toed boots, rugged clothing and hard hat and gloves; white collar sales jobs I have had, I paid for my own suits and shiny shoes, etc. I never even considered that the employer pay for this clothing.
I would think in today's economy that both employers and employees in IT would just "get real" on pay scales, corporate profits, expectations, and costs of doing business. A little of give and take both ways might result in this IT company actually staying in business and everyone concerned remaining employed. I mean, didn't we just go through this dotbomb phenomenon? Was there nothing to learn from this?
I am reminded of the lessons of Eastern Airlines, an old, established, profitable enterprise that tanked swiftly once the 'stupidity and greed' factor became part of the mindset there, and was shared across the board up and down and sideways throughout their organization, where a combination of white collar mismanagement and arrogance and severe over compensation, combined with completely unrealistic blue collar union demands and expectations of compensation, resulted in *no one* at Eastern Airlines having "a job" after a short time frame of this attitude being adopted.
Re:cost of working and expectations (Score:2)
I would agree with that as far as it goes. My situation is rather different. My employer often expects me to perform work on his systems during evening and weekend hours. He also does not provide me with a keycard or other means to access the workplace because he does not want anyone except his most senior employees to have access to the workplace. It seems to me that providing access to perform my job IS part of what he should be paying for.
Re:cost of working and expectations (Score:2)
Re:Software Company (Score:1)
i dunno about you, but i've seen plenty of techies in this mode when they're deep into coding or hacking.
Re:Software Company (Score:1)
On business phone calls, my long distance vendor allows putting in an accounting code after dialing. In fact, it is set up to require the accounting code. So I have one code for work and one code for everything else. The monthly bill is organized around the accounting codes and so it is easy to know what to bill back.
There is an office about 45 minutes away. Currently I go in twice a month to pick up my paycheck and have meetings. The boss comes in about every six weeks but he has to fly. He has some hot cell phone that gives him the internet on his laptop, so he can keep in touch even when on the road.
The product we work on is an internet enabled accounting package and mostly we just use a thin client over the internet. The thin client has a programmer's workbench in it, so we get along okay. It can print locally too.
Hope this is useful to someone.
Oh, shameless plug. We have a product that is sort of a web based employee information product that tells us who is available and contact information and lets us enter our time and expense cards. You could get a full featured copy for a month for free and try it. It cuts down on the paper work part of this virtual thing pretty well. You can look at TOM Software [tom-software.com]
Netscreen (Score:5, Informative)
I've rolled out many "home->corporate" VPNs this way, it works like a charm.
Cisco VPN (Score:2)
Employee pays (Score:1, Informative)
That policy is mostly for cost cutting reasons. The idea is that it's a privilege to be allowed to work at home (and they don't want to hear about off-hours work) so the employee should pay. They're constantly threatening to kill work at home entirely so we take the deal.
Yeah, I know... but the job market ain't so good these days.
What we use and how we handle it. (Score:3, Informative)
Everyone pretty much has cable or DSL, and the company will pay for 1/2 as both parties know that the other would have a dialup at the very least no matter what. This way both sides feel like they are getting a good deal. We also use Citrix on the back end and keep track of the time that the techs are logged into the system. The Citrix server will log them off after 10 minutes of idle time so the company has a track record of who was busy with what, and when.
Good luck.
What is your satisfaction level? (Score:4, Informative)
Of all the products that I have tried, the Nortel Contivity was the easiest to set up while at the same time offering the most configuration options. The performance has been equal to or greater than all of the other products. There is also a broad array of options for connection interfaces including ISDN, Frame-Relay, Ethernet, Dial-up and I think (not sure) that they even have a Contivity blade for their Passport 8600 switch.
One important feature that the Nortel offering has over the likes of Cisco is licensing cost. A separate client software license is needed for the Cisco system and many of the others. But, Nortel gives the client software away for free. They offer client solutions for multiple platforms and even officially support Linux using FreeSWAN.
Re:What is your satisfaction level? (Score:2)
This is why I let my Windows users do the Contivity thing, and my Linux users connect to a FreeS/WAN box. Netlock makes a Linux Contivity client, but it's an extra $100-150 US per client, which makes it out of most people's price range, especially since FreeS/WAN is, well, Free.
My company pays (Score:5, Insightful)
Of course, the employees who qualify to expense their connections are the same ones that are given pagers and are expected to deal with urgent problems promptly during off hours. (They also provide company computers for home use.)
Remember, one big difference between an employee and a contractor is that the company provides the tools necessary to do the job for employees. If VPN access from home is necessary for employees to do their jobs, then the company should pay for it. If it's an optional thing, then the employee can pay for it if he wants to.
Nortel Contivity (Score:2)
It sounds as though you had a bad experience with another Nortel product. I'm not familiar with their Concentrator. However, I have had a lot of experience with the Nortel Contivity Extranet Switch (CES), particularly the 600, 1500 and 4500, and I think they are good, stable, relatively cheap solutions that provide firewall, VPN, dialup, etc. (Just in case you're thinking it, no, I don't work for Nortel.) I've worked with these devices for a couple of years installing and providing support for them with a few govt. agencies. Look for them on eBay.
Just my 2 cents.
two solutions (Score:2, Informative)
Re:two solutions (Score:2)
In my experience (Which is considerable, as I have deployed the Cisco VPN solution for literally dozens of clients (I work for a Cisco Silver Partner)), it is none of those things.
You can get into the Cisco 3005 VPN concentrator for under $3000, which provides software 3DES encryption for up to 100 simultaneous clients.
For a little more, you can get hardware based encryption (In the 3015 model) for those 100 clients, and can be further scaled up to support 10,000 simultaneous connections.
The Cisco VPN client is among the easiest to install and deploy of any I have seen, and can be distributed with the configuration file, so that the end user need not even configure his connection information (Reducing the procedure to "Install & Connect").
Administration of the concentrator itself couldn't be much easier. Its configuration is entirely web-based, and the user database can be configured in one of 4 ways:
You can even use multiple user databases, configured on a user-by-user basis, or by groups (each group can be authenticated using its own individual resources).
What are you talking about?
Almost forgot... (Score:2)
No client license costs. Download as many as you need, free of charge.
Re:two solutions (Score:1)
1. Slow - our vpn is hosted at a remote office which means my users have the added latency of traversing the private circuits between the two offices to access resources in my datacenters. This leads to user complaints about speed, even though utilization on these lines is usually only 5-10%.
2. PITA to setup - I've seen the 13 page (printout, not terminal pages) configuration for the PIX at our other office. While that's not all VPN, a considerable amount is the nat/vpn setup. This may very well be excessive, but I'm glad it's not my PIX to manage.
3. flaky - I have users that constantly complain about lost connections, poor performance, and instability. This may be the configuration, as I do not manage that PIX.
My only vpn tunnel is to a vendor via a 515 dedicated for the connection, and has been stable for about a year now with no intervention whatsoever. However, that connection uses a very small nat pool through a private network to a high-availability connection on the vendor's side and is only accessible to a very small number of servers on our side.
Now the preferred solution in my datacenter is ssh/radmin because:
1. Performance - I am able to access anything I require either directly from a shell on the gateway or via a tunnelled remote desktop. I have users that do spreadsheets from home and we receive very few complaints about screen refresh problem (which we had with vnc) or perceived "slowness".
2. ease of use - We've compiled a package of putty (freely available) and Remote Admin ($700 site license). It takes about 3 minutes to setup, including adding the user account to the gateway which authenticates off the domain, i.e., no user management on my side other than creating the initial account (I could automate it, but prefer the extra step).
3. stability - I have rock solid connections with good performance and the same choice of using remote software that I would at work (Win TS or RAdmin) all of which fits on a tiny flash disk or a couple of floppies. Of the 40 people using ssh/radmin, I receive fewer complaints than the 10 people that use the vpn. Most of my users only require telnet access to our alphas, so I created a limited shell which allows them telnet access from the inside of the gateway (on our private network) instead of setting up Reflections to use the vpn. I have created a limited shell which only allows certain commands from their login. The interface is easy to use and completely reliable from anywhere with any ssh client.
Additionally, I have some real concerns regarding the wide open connection that a vpn provides to our internal network. For this reason, we only allow vpn connections from company-owned and -administered machines. This allows us to guarantee that the remote machine is running up-to-date virus scanners and is not running unacceptable software. In the spirit of "only the access that the user needs", ssh/remote desktop works well, provides the users with what they need, and requires really minimal management and troubleshooting. The only real problem we've run into is trying to run this combo with WinXP Home, as it appears that M$ has broken something internally. WinXP Pro works fine, but Home simply refuses to run the remote software over the tunnel (hearsay from workstation, I have no access to WinXP Home to troubleshoot).
Now, all that said, I am a huge fan of Cisco, having just dropped better than a quarter mil on new equipment for our new facility. Part of the new configuration will be a PIX 515EUR/FO bundle for testing site-site vpn to replace our costly long-haul private lines between offices (along with a 6513 and a couple of 7204s, I'm pretty psyched =).
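The "limited shell which only allows certain commands" on the ssh gateway described in this post, written out as an added example (not the poster's own script, and not part of the original thread). It assumes an OpenSSH gateway; the host names, group name and install path are constructed, and the sshd_config and authorized_keys lines in the comments show how the same gateway can confine the remote-desktop users to a single forwarded port instead.

```shell
#!/bin/sh
# rshell.sh: restricted login shell for telnet-only users of an SSH gateway.
# Users may only run "telnet <host>" against an allowlisted set of internal
# hosts; anything else is refused and logged. Names below are constructed.
#
# Assumed deployment (hypothetical names):
#   chsh -s /usr/local/bin/rshell.sh alice          # as the login shell, or
#   Match Group telnet-only                          # in sshd_config
#       ForceCommand /usr/local/bin/rshell.sh
#       AllowTcpForwarding no
# Remote-desktop users get no shell at all, only a tunnel to one port, via
# an authorized_keys entry such as:
#   restrict,port-forwarding,permitopen="ts1.internal.example:3389" ssh-ed25519 <pubkey>

PATH=/usr/bin:/bin; export PATH          # never trust an inherited PATH

ALLOWED_HOSTS="alpha1 alpha2"            # constructed: the hosts users may reach
ALLOWED_CMDS="telnet"

# in_list ITEM LIST: 0 if ITEM is one of the space-separated words in LIST
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# check_request "CMD HOST": 0 only if the request is exactly one allowed
# command aimed at one allowed host. Every word must be plain
# [A-Za-z0-9._-], so shell metacharacters, options and extra arguments are
# all refused before anything is executed.
check_request() {
  set -f                                 # no globbing while splitting
  set -- $1
  set +f
  [ "$#" -eq 2 ] || return 1
  for w in "$1" "$2"; do
    case "$w" in
      *[!A-Za-z0-9._-]*) return 1 ;;
    esac
  done
  in_list "$1" "$ALLOWED_CMDS" && in_list "$2" "$ALLOWED_HOSTS"
}

# log_event MESSAGE: record the decision in syslog when logger is available
log_event() {
  if command -v logger >/dev/null 2>&1; then
    logger -t rshell "${USER:-unknown} $1"
  fi
}

# run_request "CMD HOST": validate, log, then replace this shell with the command
run_request() {
  if check_request "$1"; then
    log_event "allowed: $1"
    set -f; set -- $1; set +f
    exec "$1" "$2"
  fi
  log_event "refused: $1"
  echo "rshell: only 'telnet <host>' with host in: $ALLOWED_HOSTS" >&2
  return 1
}

# Entry point. "ssh gw telnet alpha1" arrives in SSH_ORIGINAL_COMMAND under
# ForceCommand; an interactive login gets a prompt that accepts the same form.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  run_request "$SSH_ORIGINAL_COMMAND"
elif [ -t 0 ]; then
  while printf 'rshell> ' && IFS= read -r line; do
    [ "$line" = "exit" ] && break
    run_request "$line"
  done
fi
```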
That makes more sense... (Score:2)
Even with the improvement, it doesn't come close to using the VPN Concentrators. The issues you describe are all addressed by the Concentrators, including your concerns about the "wide open" nature of the VPN connections. (I guess it doesn't really address the speed of your WAN, but there's not much that could.)
It has a very rich suite of policy management features, so that you can restrict the corporate resources available to a given class of user. These policies can be administered on a user, or group basis.
For example, you can set the accounting group in such a manner as they are only able to access the Accounting Servers, and you can limit the ports/protocols that they can use to reach those servers.
If you're already spending a quarter million, you should be able to get Cisco to allow you to demo a 3005 VPN concentrator. My company has arranged for several of our customers to borrow 3005s for a 30 day trial, and each of them has gone on to purchase the unit, or one of its larger, more capable cousins.
That said, I too am a big fan of SSH, and its port forwarding capabilities. It's a very effective, secure, poor-man's VPN.
PuTTY is a pretty good client... I only wish it had serial capabilities, so I could use it to jump on router and switch consoles. As it stands, I have to keep TeraTerm around for console access. It's not too bad, and there are crypto libs available to make TeraTerm a decent SSH client as well, but it doesn't do quite as good a job with terminal emulation as PuTTY does.
Re:That makes more sense... (Score:1)
Re:That makes more sense... (Score:2)
I know of at least one other vendor that is supported as well, but the name escapes me, and I'm too lazy to google it myself.
I have actually used the Cyclades, though, and they work great. (This was at least 3 years ago.)
Issues (Score:3, Informative)
Nortel VPN was used. However, in subsequent jobs, SSH was more flexible and lower cost (using non-standard ports to make port scans more time consuming). I preferred SSH, since a client wasn't even needed (you can use a web browser with an SSL-protected Java client, like JavaSSH [javassh.org]). I was able to securely access from the road by logging in from a public library. That's something that is difficult or impossible to do with a VPN. No dongles or SecurIDs to lose or manage either.
Re:Issues (Score:1, Insightful)
Wow, how magnanimous of them: "We'll pay, if you agree to these ridiculous restrictions designed to deter most people from accepting the offer." What next, will the RIAA offer free CDs to the deaf?
My company kicks in $50/month.
Cisco (Score:4, Informative)
It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.
OS? # users? (Score:2)
We use Cisco VPN /SecurID (Score:2, Insightful)
They have Linux, Windows, and Mac clients, and our implementation uses SecurID [rsasecurity.com] for authentication, so at least it seems secure. (Not being a security expert I have no idea if it actually is.)
Three approaches: VPN, terminal services & HTT (Score:1)
I work for a small (
OOPS! Three approaches, second try. (Score:1)
I work for a small (<250 FTEs) high tech telecommunications equipment manufacturer. We provide IPSec VPN access through a Cisco 5001 VPN concentrator (formerly Compatible Systems) using the employee's own 'net connection. If the employee is predominantly out in the field (such as a remote sales person) the company picks up their 'net access, otherwise the employee does.
My wife's Fortune 500 company however provides two tiers of access. Terminal services (Citrix) to access your Outlook remotely from any machine, or a company-issued laptop with full VPN access apparently using the built in Win2K IPSec. She has the terminal services option, which requires a SecurID fob. Terminal services is strange 'cause it doesn't let you do anything useful, such as print documents or access your network drives. So, you have to forward any documents you need to actually work on to an external address and back again.
Where I am we are also providing basic connectivity over HTTPS using Outlook Web Access (OWA/SSL) and have been experimenting with various CIFS to HTTP products to provide access to network shares. This takes care of 90% of users in a relatively easy and secure way.
ssh (Score:2)
ssh was my preferred solution for when I could work at home. With X forwarding and DSL, being at home was exactly the same as at the office. (I had an NCD on my desk, not a full computer.) It worked, and is cheap. It didn't work for Windows, but many people didn't have Windows at home. Those that did have Windows used some other solution.
I love my Nortel (Score:2)
Bummer parts, I've not really been able to test the Unix/MacOS client, but it costs money. Only the Windows clients are included with the device. You can use FreeSWAN, but AFAIK, you have to make a Branch Office Tunnel for each FreeSWAN connection, which would suck. I haven't bothered for myself quite yet.
My company does not pay for net access for our users (not even IT staff).
Overall, I'd say stick with the Nortel. The client is good, 2k Domains work great, and most importantly, it's easy for users without much (any) technical skill to install and get running, or you can make packages for them with custom client distributions.
Citrix (Score:1)
simple.
It's simple (Score:1)
The same applies to 'tele-commuting': you're responsible for the cost of the 'commute' to work, in this case some type of broadband or other internet access.
Sure I know if I had the ability to push off the cost of my cable modem to the company I'd do it, but quite frankly I'd rather not. If they pay for it, it becomes their 'property' and technically anything I did on it would have to abide by their rules (no porn, no mp3s, no instant messaging) and really when you cut that out what's left of the internet?
Some thoughts (Score:1)
Re:Some thoughts (Score:1)
Where I work, a multi-tiered solution... (Score:2)
We found that we had serious security concerns with remote access.
We started using RSA [rsasecurity.com] SecurID tokens [rsasecurity.com] for authentication (and a tie to a database for authorization). That worked well to secure remote access from company owned equipment (where we could control the security, set standards for antivirus, etc), but left a major exposure:
Specifically, with a VPN we could secure the transmission, but couldn't verify the security of the end point. And a big value of remote access is the ability to let people work from home on their own gear (and the inherent cost savings to the company).
So we have a multi-tier solution as follows:
All authorized users can use web services. We make available access to the email system, 3270 access to a mainframe, and some internal applications available to authorized and authenticated users over the internet (HTTPS). These web services have the advantage of being very low cost... almost zero incremental cost per user assuming they are not bandwidth intensive.
People with company-owned equipment (laptops) can use dial-in services, which we provide through Cisco AS5300s, with strong authentication provided by RSA SecurID. Costs a little to invest in the Cisco gear, and costs a little to support in house.
For those wanting VPN access, we found a company that could address our security concerns... a managed VPN provider called Positive Networks [positivenetworks.net]. Positive addresses our security concerns by providing the ability to enforce security policy on the end computer (such as X-brand Antivirus must be installed and running with up-to-date pattern files), as well as providing a managed service at a reasonable cost (it's been more effective for us to outsource this big chunk of remote access, rather than staffing for supporting it internally).
I would strongly recommend Positive Networks as a remote access solution.
No affiliation other than a satisfied user (and I'm primarily responsible for our company selecting their product).