Secure Remote Access Options for SMB

A big chunk of the customer base I deal with at itgroove consists of small offices that have single- or dual-server infrastructures.  In many cases they want to allow their staff to remotely access systems and resources at the office.  There are two very good tools available in the SMB space to control and secure this type of access.

The first option is to use the remote access tools built into Windows Small Business Server.  SBS has shipped with decent remote access tools since SBS2003 but I’ll focus on SBS2008 and SBS2011 in this post.

SBS2008 offers Remote Web Workplace, or RWW, as the remote tool of choice.  RWW is a webpage hosted by the SBS machine and published to the public Internet; it offers secured, controlled access to published internal resources on the SBS host as well as on the internal LAN.  SBS2011 renames this to Remote Web Access, or RWA, and expands upon the features offered by RWW.  In either case, resources on the SBS host and/or LAN are made available to authenticated users, and the resources presented are controlled by options assigned to the user’s Windows account.







RWW presents this webpage along with a standard Windows authentication challenge.  Once proper credentials are supplied, the following screen is displayed:


From here an authenticated user can access Outlook Web Access (Check Email), connect via RDP to desktop machines on the LAN (Connect to a Computer), connect to the internal SharePoint site (Internal Website), connect to the SBS Server (Connect to Server) and access other resources as published to the webpage.  The resources that the user sees on this page are the resources they are allowed to use; if a user is not allowed access to desktop machines, for example, then the “Connect to Computer” link is not displayed.

SBS2011 expands the connection types to also allow access to shared folders on the SBS server.  This allows authenticated users to access shared files on the server directly from the RWA webpage and is a feature that users have requested for a number of years.

RWW/RWA relies on standard Windows authentication mechanisms as well as SSL for security.  For those who want more, there are third-party add-ons that provide additional security with tools like two-factor authentication.

For those who do not have SBS (or those who do but don’t want to use RWW/RWA) there is a great option available in the Sonicwall Virtual Office.  Sonicwall embeds an SSL VPN server and remote access tools in all of their UTM firewall products starting with the entry-level TZ100.  The SSL-VPN server and Virtual Office remote access tool are configured within the standard Sonicwall management interface.  The Sonicwall can integrate with Active Directory for user authentication, or a standalone user database can be created within the Sonicwall and used for authentication.  Either way, users can be identified and access rights granted.  Authenticated users can then log in to the Virtual Office webpage and access the resources they are allowed to use.

The nice thing about the Virtual Office is that access to internal resources, specifically RDP access, can be controlled user by user: Virtual Office has a “publishing” feature that allows an administrator to publish RDP access tailored to each user.  A sample Virtual Office looks something like this:


The “bookmarks” are the published links. In this case the link is published to the same machine using two different protocols: one specific to IE and the other that will work with almost any browser on machines running Windows, Mac and even Linux.  The links presented here are specific to one particular user; other users might see other links.  For those companies out there that use Windows Server 2008 Foundation, Sonicwall Virtual Office can provide the RDP access to internal systems that is not shipped as part of the O/S a la SBS.

Both SBS and Sonicwall offer “traditional” VPN options as well: SBS sets up a Windows VPN connection that users can use (from Windows machines only), while Sonicwall offers an SSLVPN client (NetExtender) that works with multiple browsers and also runs from Mac OS X.

In summary, there are lots of options available for SMBs looking for ways to provide controlled, secure remote access to resources on their internal networks, with SBS and Sonicwall offering two very good options.