Name: Trevor Pott
Job Title: Systems Administrator
Roaming users have requirements for offline data, as they get only infrequent chances to access the internet and thus connect to the corporate network. Unfortunately, many networks to which your users may gain access block all traffic except HTTP and SSL. Fortunately, in many cases supporting the secure synchronisation of data is possible relatively securely without the hassle of a VPN.
Outlook Anywhere (as one example) works fine over an SSL connection, and so does WebDAV. Numerous other technologies exist to solve the problem of getting information into the users’ hands with varying levels of security. Another consideration is that a significant amount of information required offline is something that can be synced to a smart phone. Some smart phones (such as Blackberries) integrate very well with corporate networks, can be easily secured and even remotely wiped in case the device is lost while containing sensitive data.
If your users have more than very sporadic access to the internet, I heartily recommend embracing Virtual Desktop infrastructure (VDI).
Sensitive information never has to leave the network, and virtual desktops can be managed far more easily than (for example) a roaming user’s notebook. With the myriad of solutions available to access a given desktop over HTTP or SSL, VDI is also a solution that frequently works where VPNs are blocked. If your users can function with VDI and a secured smart phone, you do not have to spend time trying to police what users can and cannot do with their notebooks.
As for the question of usability, depending on bandwidth availability, RDP enhancements from companies like Wyse can do some amazing things. If you search El Reg’s back articles, you’ll find several relating to companies that are offering VDI/RDP enhancements; and IBM is even jumping in and trying to make a profit from this very concept hosted on a large scale. Internet access is ubiquitous, and you don’t need a very big pipe for a basic RDP session.
VDI certainly doesn’t solve every remote access usage scenario; but it certainly simplifies things when and where it can be applied. Start with VDI in mind and ask yourself what information your roving users require that can’t be adequately served by a remote session. The more information you must remove from the network, the more you must lock down devices that can access that information. Depending on your situation, the cost of an Air Card and contract might be far less than the hassle of offline synchronization.
Name: Jon Collins
Job Title: Managing Director, Freeform Dynamics
Managing mobile or home-working desktop users can be difficult for a number of reasons, not just the lack of proximity but also (for example) that it is harder to control what is being used: external drives, printers, broadband networking can all add to the mix.
As well as remote management capabilities in the hardware we have talked about previously in relation to power, we would recommend considering two options. The first is remote desktop control software, from the likes of Citrix (GoToMyPC). With such tools you can actually use the remote desktop as though it were your own, speeding up fault diagnosis considerably – it also becomes easier to see if anything untoward has been installed.
Second, be sure that your remote management toolsets and policies tie in with your security strategy. Depending on your configuration, you may have a combination of technologies including virtual private networking (VPN), which will influence how you manage users remotely.
And speaking of security, virtualisation and thin client approaches offer a number of options when it comes to remote desktops, enabling (for example) home workers to use a locked-down virtual desktop from the likes of Becrypt. Some approaches allow for virtual machines to be “checked out” when good enough bandwidth is available, such as when visiting HQ or when working in a branch office, to ensure that the latest version is available. As a final point however, it is well worth reviewing all of the features that are available in modern operating systems and hardware platforms. A number of remote management features are available ‘out of the box’ or can be easily augmented with third-party products.
If you think you can do better, head over to the comments and let us know how you think remote workers should be managed.
Great idea, have the data hosted somewhere where internet access is required at all times (no offline working), reliant on a 3rd party (security, downtime...?) and then pay for it too. Google and Danger/Microsoft both showed that the cloud has its place, but not for day-to-day business work as the main source.
Locked down hardware and websites that can be accessed (as well as a few other restrictions) via LOCAL Group Policy. Machine runs Vista with auto updates turned on, AV gets DATs from the internet at 3pm daily and is encrypted with TrueCrypt.
Had Word, PowerPoint and Excel installed locally.
Juniper SA series device for SSL VPN. However we don't use the VPN side of it, just use it as a Citrix, WebDAV and web proxy. Authenticates users with RSA tokens against AD and checks for keylogging viruses, scans to ensure AV DATs are up to date and has recent Windows patches.
Once logged in, if the user is running the site from our company hardware (checks AV and a reg key) then they can download files/folders via WebDAV, access internal and external websites (via a proxy of course!) and can fire up a full Citrix desktop (or just the odd app). Provides ability to download files for offline working (only if it's our laptop though) and end users can even print to their local printer from Citrix. No VPN used and it's all over SSL.
Once a user is in Citrix we can shadow, but if they can't get that far we use a "Secure Meeting" (think WebEx but hosted on the Juniper SA appliance) and the users have a shortcut to the URL from their desktop.
All done via SSL. We lock down the hardware that can be plugged into the laptop, and disabled CD/DVD burning too via GPOs. AV updates daily, and Windows Updates are automatic. Full drive encryption. Gateway requires RSA token for authentication. We block all sites other than a couple for testing, the gateway and the big-name wifi-providers that have a payment page by putting in a fake proxy in IE and lock it down. Users can only download data to the local machine if they have the right registry keys and are using our AV. Gateway checks for AV version, independently checks for keyloggers and also has a cache cleaner too.
Users can access the remote site from any Windows PC that either has Java or that they have admin rights to. Therefore should they have a problem with their PC they can use any other internet enabled Windows PC to get to a full Citrix session. Can also print to any local printer...!
Users also have an encrypted work mobile phone that has push-email enabled.
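The tiered access described in the comment above (baseline host checks for everyone, a remote session for any passing machine, file download only from company hardware) is a posture policy, and it is easier to review when written down as one. The following is an added example and not the commenter's Juniper SA configuration; the host report format, the freshness thresholds and the vendor name "ExampleAV" are assumptions made for illustration.

```python
"""Posture-based access tiering, modelled on the gateway checks in the comment
above: keylogger scan, AV signature age, patch age, and a corporate marker
registry key plus approved AV product for the download tier.
Added illustration only; report format and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Tier(Enum):
    DENY = "deny"                # fails a baseline check: no session at all
    CITRIX_ONLY = "citrix_only"  # remote session and proxy, no file download
    FULL = "full"                # company hardware: WebDAV download allowed


@dataclass(frozen=True)
class HostReport:
    """Results an endpoint host-check agent reports to the gateway (constructed)."""
    av_signature_date: date
    last_patch_date: date
    keylogger_detected: bool
    company_registry_key: bool  # marker key present only on corporate builds
    av_vendor: str


# Policy thresholds (assumed values, not the commenter's settings).
POLICY = {
    "max_av_age_days": 3,          # signatures older than this are stale
    "max_patch_age_days": 30,      # Windows patches must be at least this recent
    "approved_av": {"ExampleAV"},  # placeholder vendor name
}


def classify(report: HostReport, today: date, policy=POLICY) -> Tier:
    """Map a host report to an access tier.

    Baseline checks apply to every machine: no keylogger, fresh signatures,
    recent patches. The FULL tier additionally needs the corporate marker key
    and the approved AV product ("only if it's our laptop").
    """
    if report.keylogger_detected:
        return Tier.DENY
    av_age = (today - report.av_signature_date).days
    patch_age = (today - report.last_patch_date).days
    if av_age > policy["max_av_age_days"] or patch_age > policy["max_patch_age_days"]:
        return Tier.DENY
    if report.company_registry_key and report.av_vendor in policy["approved_av"]:
        return Tier.FULL
    return Tier.CITRIX_ONLY


def allowed_actions(tier: Tier) -> frozenset:
    """Capabilities granted per tier; download is granted only at FULL."""
    if tier is Tier.DENY:
        return frozenset()
    actions = {"citrix_desktop", "web_proxy", "local_print"}
    if tier is Tier.FULL:
        actions.add("webdav_download")
    return frozenset(actions)


# Constructed sample reports evaluated against a fixed "today".
TODAY = date(2009, 11, 1)
SAMPLE_REPORTS = {
    "corporate_laptop": HostReport(date(2009, 10, 31), date(2009, 10, 20), False, True, "ExampleAV"),
    "home_pc_with_java": HostReport(date(2009, 10, 31), date(2009, 10, 25), False, False, "OtherAV"),
    "stale_signatures": HostReport(date(2009, 10, 20), date(2009, 10, 20), False, True, "ExampleAV"),
    "keylogger_present": HostReport(date(2009, 10, 31), date(2009, 10, 20), True, True, "ExampleAV"),
    "unpatched_corporate": HostReport(date(2009, 10, 31), date(2009, 9, 1), False, True, "ExampleAV"),
}


def evaluate_samples() -> dict:
    """Return {name: tier value} for the constructed sample reports."""
    return {name: classify(r, TODAY).value for name, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, tier in evaluate_samples().items():
        print(f"{name:22s} {tier:12s} {sorted(allowed_actions(Tier(tier)))}")
```

The ordering matters: the baseline checks run first, so a corporate laptop with a keylogger or stale signatures is refused outright rather than downgraded. A registry marker on its own only tells the gateway which build it is talking to, not that the machine is trustworthy, which is why the download tier here also requires the baseline checks and the approved AV product rather than the key alone.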
The cloud poses its own problems. The biggest of the issues is the lack of control over your own data. I agree with you that many of the applications becoming available from "utility computing" vendors will eventually find business uses. What is remote computing except tapping into the "corporate cloud" to accomplish work?
The issue at hand is one not only of information control, but of legal liability. At current, cloud vendors disclaim all legal liability for loss or theft of data, security breaches, and downtime. While you may feel that us regular IT Joes have "over inflated wages" (as compared to who?) the reality is that we exist to support corporate infrastructure that itself exists for legitimate business reasons. Like it or not, business owners, managers, and other people who (in theory) have to accept the responsibility for failures do very much so enjoy having "someone to flog" when the excreta meets the rotating air circulation mechanism.
If you control your infrastructure and your geeks, then you have a much better chance of controlling the information you want kept private, and of ensuring those systems are available and operational when you need them.
The third-party cloud will remain a non-core component of business computing until vendors can meet two qualifications. The first, and most important, is that vendors must become legally liable (for downtime, data loss, security breaches, theft etc.) They must also offer a method by which customers can reach out and taser a geek when things go boom. (“No new information” posts, or sitting on hold for hours at a time is something most businesses would view as unacceptable for mission-critical computing.)
So until that day arrives, I guess you and the rest of the world are stuck with us “over inflated wage” numpties. (Really? Over inflated? John Q Random couldn’t do my job, and I sure as heck don’t take in the Corporate American Executive Screw-The-Little-Guy remuneration package. Please do detail your issues with the pathetic wages we IT folk get paid, and why you feel it is unjust.)
Lolz.. Clouds .. Auto updates .. AV
How about "ssh -X"? Not much that can't handle. Oh, and if the user really has to work offline, then there's "scp" too :-P