# Question about access to a Windows 2008 server



## tomdkat (May 6, 2006)

Last week, I did work at a clinic on their Windows 2008 server. Apparently, this server serves as their:

- File server
- Symantec Anti-Virus update server
- QuickBooks server
- (Who knows what else) server

I don't believe it's a domain controller or anything, but it might be. Anyway, while working on this server, to troubleshoot a Symantec anti-virus update issue, I noticed two people logged in from remote locations using Remote Desktop. I didn't think this was kosher, given one of the remote users was running Firefox to access some website at the time I was running a Java JRE update and the running Firefox browser blocked the JRE update. The reason I opposed the Remote Desktop connection was this allowed remote users to log in to and run applications on the server ITSELF. If one of those applications causes a server problem, the entire server could go down.

So, I was thinking a VPN connection would be more appropriate. The reason they used a Remote Desktop connection was to provide them access to some special software they needed access to remotely. Since they don't already have a VPN connection to the main office, they would log in to the server remotely and run the application(s) they needed directly on the server. I'm thinking with a VPN connection, they could run this software on their laptops and connect to server resources just like others do in the office. So, when someone runs this special software in the office, it connects to a server resource over the LAN. Without a VPN connection, there isn't a remote LAN connection so this software won't run on a laptop at a remote location. If a VPN connection existed, the remote user could run this software on their laptop and access server resources over the "LAN" just as if they were in the office.

So, I'm now embarked on a research project to determine what would be needed to establish a VPN connection to their Windows 2008 server. I found this article:

http://technet.microsoft.com/en-us/library/cc753616(v=ws.10).aspx

which is proving to be useful but it sounds like setting up the VPN connection on the Windows 2008 server, itself, would limit the number of inbound VPN connections to just one. Right now, at least two remote users can connect to the Windows 2008 server using Remote Desktop so at least two remote VPN connections would be needed. Does this mean I would need to set up a "Routing and Remote Access" server? Would it be safe to enable this functionality in the Windows 2008 server they currently have or would a secondary, dedicated VPN server be a better solution?

I've never configured a Windows server before, so this is all new to me. 

I'm sure I'll have more questions but this is a starting point. 

I'm also thinking an IPSec VPN would be better than a PPTP VPN, since the IPSec VPN connection establishes a secure connection with the VPN server before any login credentials are sent to the server. Is this correct?

Thanks!

Peace...


----------



## ETech7 (Aug 30, 2012)

Hi,

- IPSec is more secure, but PPTP is the simplest one. Also, if you have XP clients, PPTP may be the only option for them (someone correct me if I'm wrong).

- If you don't want to install the "Network Policy and Access Services" role on the server in question, you can get a VPN device; it does not have to be another server. Usually business-grade firewalls/routers have that feature.

- Number of simultaneous VPN connections can be configured, but it is definitely more than one by default.

- Security-wise, the fewer ports you have open on your server, the better, but I think this is a bit more complex matter.


----------



## mtkya (Dec 7, 2012)

If they plan to only use one server, you can just purchase the terminal server license and activate the terminal server on this server. This will allow multiple users to connect and use the server; however, I highly recommend restricting functionality and access for remote users to prevent problems and security issues.


----------



## tomdkat (May 6, 2006)

Thanks for the info. My primary concern is one of the remote users would do something on the server, which would cause it to crash and cause problems for the other users on the network.

It seems they use a remote desktop connection to their server out of convenience, more than anything else. I was also thinking they could use a different computer, a workstation, for remote desktop access purposes and leave the server alone. Using a VPN connection sounded like a great solution, to me, because all the remote users *really* need is access to the LAN so they can run their medical software and a VPN connection would facilitate that. Hence, my starting this thread. 

Would using a terminal server license to support the remote connections be any better or worse than setting up a VPN connection?

Thanks!

Peace...


----------



## mtkya (Dec 7, 2012)

Hi Tomdkat, 
Personally, I think the performance of the terminal service is faster than VPN for applications, especially when working with large files. Terminal Server 2008 now comes with RemoteApp:

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. Instead of being presented to the user in the desktop of the remote terminal server, the RemoteApp program is integrated with the client's desktop, running in its own resizable window with its own entry in the taskbar. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.

However, in terms of security, there is still a lot of work that needs to be done in Group Policy to prevent users from messing up the server.


----------

