Dirge
Gerbil Jedi
Topic Author
Posts: 1620
Joined: Thu Feb 19, 2004 3:08 am

Limiting Remote Access

Fri Jul 19, 2013 3:53 am

We have a vendor that wants ongoing remote access to our server, or a PC on our network, so they can periodically check their software's performance. Giving them unfettered access to our network is unacceptable, so how would I go about limiting remote access? Ideally they would have to phone up and someone would manually grant their access. Is there any simple way to do this... say for example with a hardware firewall, if so which one would you recommend?

The business in question has no IT department and is a small rest home/ hospital. Keeping it simple stupid would be great.
FDISK /MBR
 
trackerben
Minister of Gerbil Affairs
Posts: 2188
Joined: Mon Jun 15, 2009 12:28 am
Location: 'Tween oceans...

Re: Limiting Remote Access

Fri Jul 19, 2013 6:51 am

Dirge wrote:
We have a vendor that wants ongoing remote access to our server, or a PC on our network, so they can periodically check their software's performance. Giving them unfettered access to our network is unacceptable, so how would I go about limiting remote access? Ideally they would have to phone up and someone would manually grant their access. Is there any simple way to do this... say for example with a hardware firewall, if so which one would you recommend?

The business in question has no IT department and is a small rest home/ hospital. Keeping it simple stupid would be great.


Will the vendor VPN into your network, and is it Windows-based? Assuming this, you could dedicate a cheap consumer router like the Asus RT-N16 just for their use. Forward ports or DMZ the "vendor's router" off an existing router, and let an office manager decide when to enable its PPTP server upon request. This is a quick-and-dirty way to allow network access without reconfiguring existing PCs. To do this properly with rules-based access control and higher security you will need dedicated hardware and/or enterprise-level firewalls or proxies, which won't be as cheap or as simple administratively. You might want to check with the vendor to see if the software has a module for remote support which can schedule access according to user and time profiles.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Limiting Remote Access

Fri Jul 19, 2013 9:05 am

If the system in question is running Windows, I would forward a high-numbered port from the firewall to port 3389 (RDP port) on the system(s) they need to access.

Then, if the permissions of their login are limited enough and/or you trust them enough to allow them access to that machine at will, just enable Remote Desktop. Otherwise, enable Remote Assistance and use that to manually invite them to take control of the system when they want to check on things.
Nostalgia isn't what it used to be.
 
mattshwink
Gerbil Team Leader
Posts: 200
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Limiting Remote Access

Fri Jul 19, 2013 9:28 am

Enabling Remote Assistance is a good way to go. That way the access must be acknowledged each time it is granted.

If that's too much then you can also set Active, Idle, and Disconnected session limits. That way, if they tell you we only need 10 minutes to check on things, set the Active limit for them to something reasonable (15 minutes) and then idle and disconnected limits low (maybe 1-2 minutes for idle and 2-5 minutes for disconnected).

If you are using AD, you can limit their logon hours as well. That way you can set up when they can connect and limit them to short or specific periods.

I also would grant them logon rights to the PC only, no admin rights.
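
The limits suggested in the post above, applied on a stand-alone Windows PC (an added example, not part of the original posts). It assumes a PC dedicated to the vendor, a local account with the hypothetical name `vendor`, PowerShell 5.1 or later, and an elevated prompt; the logon window is a constructed value.

```powershell
# Added example: "vendor" is a hypothetical local account name.
$VendorUser = 'vendor'

# 1. Logon rights only, no admin rights: RDP access comes from membership of
#    "Remote Desktop Users"; make sure the account is not a local administrator.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $VendorUser `
    -ErrorAction SilentlyContinue
$IsAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object Name -like "*\$VendorUser"
if ($IsAdmin) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $VendorUser
}

# 2. Session limits as machine policy. Values are in milliseconds and apply to
#    every RDP session on this PC, which is why a dedicated PC is assumed.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $Policy)) {
    New-Item -Path $Policy -Force | Out-Null
}
$Limits = @{
    MaxConnectionTime    = 15 * 60 * 1000   # active session: 15 minutes
    MaxIdleTime          =  2 * 60 * 1000   # idle session: 2 minutes
    MaxDisconnectionTime =  5 * 60 * 1000   # disconnected session: 5 minutes
}
foreach ($Name in $Limits.Keys) {
    Set-ItemProperty -Path $Policy -Name $Name -Value $Limits[$Name] -Type DWord
}

# 3. Logon hours for the local account (constructed window: weekdays,
#    09:00-17:00). With AD, set Logon Hours on the domain account instead.
net user $VendorUser /times:M-F,09:00-17:00

# 4. Read the settings back to confirm what is now in force.
Get-ItemProperty -Path $Policy |
    Select-Object MaxConnectionTime, MaxIdleTime, MaxDisconnectionTime
net user $VendorUser | Select-String 'Logon hours'
```

Logon hours block new logons outside the window; the session limits are what end a session that is already open.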
 
Dirge
Gerbil Jedi
Topic Author
Posts: 1620
Joined: Thu Feb 19, 2004 3:08 am

Re: Limiting Remote Access

Fri Jul 19, 2013 7:21 pm

Hi guys, thanks for your replies thus far. Currently the ADSL router is set up to forward a port for RDP on the server. This is a consumer-level router and doesn't provide VPN. Am I correct in thinking Remote Assistance would be a quick and easy way to allow remote administration with no changes needed to our current network? I have never used it myself, but like the fact that remote access must be acknowledged by someone onsite.

On a side note, I understand having the ability to RDP into the server without the use of a VPN is probably asking for trouble. Replacing our current router with one that can provide VPN access is on my wish list. Brace yourselves for a newbie question, but do VPNs require capable hardware on one end with some sort of VPN software on the connecting side?
FDISK /MBR
 
trackerben
Minister of Gerbil Affairs
Posts: 2188
Joined: Mon Jun 15, 2009 12:28 am
Location: 'Tween oceans...

Re: Limiting Remote Access

Sat Jul 20, 2013 1:50 am

Dirge wrote:
Hi guys, thanks for your replies thus far. Currently the ADSL router is set up to forward a port for RDP on the server. This is a consumer-level router and doesn't provide VPN. Am I correct in thinking Remote Assistance would be a quick and easy way to allow remote administration with no changes needed to our current network? I have never used it myself, but like the fact that remote access must be acknowledged by someone onsite...


Set up Remote Assistance as others have mentioned and it should be the easy solution for your case, but do it over a PPTP VPN at least.

Dirge wrote:
...On a side note, I understand having the ability to RDP into the server without the use of a VPN is probably asking for trouble. Replacing our current router with one that can provide VPN access is on my wish list. Brace yourselves for a newbie question, but do VPNs require capable hardware on one end with some sort of VPN software on the connecting side?


Most simple setups involve a VPN software client establishing a channel terminating at a hardware VPN server, which could be a dedicated box or all-in-one consumer router like the Asus I mentioned.

Windows versions since XP Pro have built-in VPN clients which connect to popular types of VPN hardware servers as well as commercial services. I use Windows 8's version to connect to the PPTP Server of an Asus RT-N16 (official firmware 3.004.260) at one of our offices. It's been reliable so far over consumer ADSL with RDP and shares, although file transfers driven by old industrial apps sometimes drop intermittently. I did reconfigure IPs to match the router's 192.168.10.x LAN addressing, to quickly ensure compatibility with any embedded routing scripts. One nice thing about Asus routers is that they come with an automated subscription to Asus's DDNS service. This allowed me to fix its URL pain-free as the ADSL service of the site wasn't already on static IP.

Other VPN protocols like IPSEC are more secure but usually involve costly hardware. These may also require proprietary software clients for best performance (e.g. Cisco). I've been told that more expensive VPN stuff generally performs faster crypto for faster throughput, but this should concern you only if you're enjoying 10Mbps or faster connections.
