Small Business Server Support Forum    
Subject: Discuss 'The alternative for RWW from a Mac'
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12903

5/02/2005 08:55 AM  

Mariëtte Knap, Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Ross Manning
Sydney, Australia
Member since
5/20/2005

Registered Users
Posts: 3

5/21/2005 06:19 AM  
I'm intrigued about the reasons to not forward port 3389 from the Internet firewall to the workstation.
 
I would contend that a VPN is a far more dangerous security threat than a single port forward. In effect, the VPN allows the workstation to act as a conduit between the Internet and the corporate network. By definition, the VPN system is connected to two networks at the same time (the Internet and the corporate LAN). Unless workstation security is extremely well configured this workstation can act as a conduit for malware into the corporate network, or in some cases I have seen, even acts as a ROUTER between the corporate network & the Internet!!

Most home users do not have adequate security on their systems, many even using direct attached broadband - no firewall. Unless the workstation is fully protected, you have a potentially compromised machine INSIDE the corporate environment. I do not want any machine sitting inside my network unless I fully control its settings. Of course, many up market VPN authentication systems now allow a full policy audit of workstation settings before authorising the connection. These are outside the reach of most SMBs.

By contrast, RDP to the desktop only allows a single controlled protocol, and could be further tightened if need be by restricting the source IP to known addresses. The only machines inside the network are the ones we configure.
 
VPNs are a major threat unless people FULLY understand the implications of their use and have proper security controls in place. Allowing a home PC into the company network is madness.
Marina Roos
The Netherlands
Member since
3/24/2005

Microsoft MVP
Posts: 12523

5/21/2005 02:24 PM  
Hi Ross,
 
I'd rather use 3389 for TS-ing into my server. Also, the client would have to have a static IP if you would use the 3389 for that client.
Keep in mind that I have full control over remote workstations that are allowed to VPN into my networks. They have the corporate antivirus, they get checked regularly by me personally and up till now I have never had a bad experience with that. I have rejected home machines for VPN however, because of crap installed on it like Kazaa and what else. I refuse those machines to try to get on my network.
Now that SBS SP1 has come out with ISA 2004, I really have to investigate that quarantine VPN thingy more, because that definitely has a lot of potential to make VPN more safe.

Ross Manning
Sydney, Australia
Member since
5/20/2005

Registered Users
Posts: 3

5/21/2005 04:02 PM  
Hi Marina
The way I have this set up for my clients who need Macintosh access is this:
Use the Mac RDP client and allocate them a unique port for RDP use. Port forward the unique port to the internal machine at 2289 using firewall.

The MSTSC client has a little-known ability to specify the RDP session using ANY port number, so by using port forwarding there is no need to allocate additional IPs.
eg Mac client types into the RDP client address box the following address:

server.client.com:10001
Firewall has a port forward rule as follows:
WAN TCP 10001 -> LAN 192.168.100.34 TCP 3389
Thus only one IP address is needed, your 3389 port is still free for TS, no VPN needed & no need to keep track of troublesome users and their uncontrollable home machines. I feel this is a much better strategy than encouraging sysadmins to allow VPNs. It is also easier to implement than your method on a Mac as there is no VPN setup needed and the RDP client is a simple file copy - no installer.

This method works equally for PC users, however the RDP proxy built into SBS RWW is a far easier option!

As stated, VPNs have many security issues and I don't believe it is possible to properly control external systems without significant resources. Even most of my large corporate clients don't do this well!

Workstation to LAN VPNs are an under-recognised threat. Most sysadmins would not dream of allowing a user to bring in a home PC & plug it into the LAN. But by allowing VPNs from home PCs (or from corporate laptops where users have local admin rights!!) they are doing the same thing. Macs are in some ways even worse. With the advent of OSX we essentially have a bunch of users logging into a Unix box with root privileges and potentially misconfigured!

In the interests of more secure networks I hope you can promote this method rather than VPNs.

Cheers,

Ross
 
BTW, for some of my larger clients I have set up a special DMZ for quarantine access. The VPN session terminates in the quarantine DMZ. The internal firewall allows very limited protocol access from the DMZ to the corporate network - in most cases just 3389. However this is overkill for most small businesses.
Eriq Neale
Texas, USA
Member since
5/3/2005

Microsoft MVP
Posts: 2114

5/22/2005 03:03 PM  
Hey Ross.

You bring up completely valid points about VPN access, and on the PC side of the world, I completely agree. I would never set up one of my clients to allow home PCs to connect into their company network via VPN without a huge number of restrictions placed on them, including but not limited to anti-virus and anti-spyware protection. The threat is just too great. And while it's not as great, there is still a risk with doing the same for the Mac.

The alternatives you present are also valid, but make a few assumptions:

  1. Workstations have a fixed IP and not a dynamic IP.
  2. The firewall/router connecting to the internet is capable of routing to a different port on the destination machine.
  3. The SBS box is not being used as a gateway.

Where your solution breaks immediately is on a network where SBS Standard (no ISA) is configured with two NICs behind a firewall/router. In this configuration, it's not possible to do what you suggest because the firewall/router does not speak directly to the internal network and the RRAS service on the SBS server cannot do the type of port forwarding you recommend. This may not be the case with ISA 2004, but I haven't had a chance to really dig deep into that yet.

The reality is that the solution in this article is a compromise. The Connect to Remote Computer interface in RWW gets around all the connectivity issues you describe, but since MS opted to use an ActiveX component for the solution, it will never work on the Mac. So, we compromise. If all the workstations on the internal network have a static IP and connect directly to a hardware firewall/router that does port translation, great, use that solution. If the customer doesn't want to replace their existing firewall/router with one that supports port translation, we compromise. If the customer is routing all their internal traffic through their SBS box (which is a best practice configuration as far as I'm concerned) and is not running ISA and doesn't want to pay for ISA, we compromise. If the customer doesn't want to use static IPs for their internal PCs, we compromise.

In the ideal situation, which one of my consulting clients uses, port 3389 doesn't go to the SBS server, it goes to a Terminal Server on the internal network. No messy routing, no VPN, controlled environment on the TS, dynamic IPs on the workstations, it just works. Oh, there is the small matter of the additional cost of the TS and TS licenses, which many small shops won't want to incur unless they have a strong business reason to run a TS box, and the convenience of connecting to their workstation from off-site isn't one of those, especially if they're running SBS and RWW.

Is the solution we've put forward in this article the best one? No. The absolute best solution would be for the Connect to Remote Computer process to use a technology other than ActiveX to work. This would open the door not only for the Mac but for other OSes out there that don't do ActiveX technology. Until that happens, this solution is one that works with just about every SBS installation out there. And as far as network security risk, opening up VPN access to Mac clients is far less of a risk than many other risks that SBS administrators implement every day - hosting FTP on SBS, opening up POP2 to the SBS server, running a web site on port 80 on the server, etc.

-Eriq


Eriq Neale - Small Business Specialist, SBS MVP, Mac Guru
EON Consulting LLC www.eonconsulting.net
Lead Author of Windows Small Business Server 2008 Unleashed
Ross Manning
Sydney, Australia
Member since
5/20/2005

Registered Users
Posts: 3

5/23/2005 11:46 PM  
Hi Eriq,
 
I fully understand that RWW gets around all the connectivity issues I describe (which is why I would rather see as close as possible a method for Mac clients) & I agree that the ideal would be for RWW to work on other than an ActiveX base, allowing ease of access by platforms such as Mac & Linux. However I guess MS will want to keep as many compelling advantages for Windows clients as possible. Technology & marketing don't always make for the best solutions :-)  I agree that TS also works well here, but like you I have a hard time convincing SMEs about the ROI for this unless there are other business drivers.
 
A few points re your comments: 
  1. Fixed IPs are simple to set up & a small price to pay for allowing Macs access to the company facilities. This is only for the systems that the Mac client needs to access - in my experience usually only a small number. Not all the workstations need to be set up as static IPs. Not much of a compromise here.
  2. Even the cheapest hardware firewalls allow port forwarding. If the customer has one that does not they should be encouraged to upgrade as I would not trust an Internet connection device so old it does not have this capability. Prices start from $US40. If the business isn't prepared to pay this trifling amount then they certainly are not serious about their IT systems, let alone security. In reality any client I have dealt with would readily pay a small sum to increase security once it was explained properly.
  3. It does not matter if the SBS box is being used as a gateway, and my solution does not break down at this point. Sheesh - basic networking!!  Here is how to do it:

    1. In SBS, open the Routing and Remote Access MMC from Administrative Tools.
    2. Expand your server, IP Routing and select NAT/Basic Firewall.
    3. On the right panel select your external network connection and open the properties.
    4. Go to the Services and Ports tab, click Add, provide a name, select the protocol, the incoming port (say 10001), the IP address of the workstation behind SBS and the outgoing port (3389).
    5. OK the changes.

    This should allow the RDP on 10001 to come into the workstation through the SBS server.

  4. I agree the "double NAT" approach using SBS as the gateway and a hardware firewall beyond is a best practice. I would not want to rely on just the basic firewall in Windows - the MS protocol stack is not hardened and traffic has to traverse this prior to getting to the firewall services. Similarly I would be reluctant to rely on just a low-end firewall/router as I have seen these fail while leaving the network exposed.
  5. Macs are just as vulnerable as other boxes - security by obscurity is no defense!
  6. I emphatically dispute that a VPN on ANY uncontrolled box (Mac or otherwise) is "safer" than the other practices you mention. In fact the potential for damage is far higher (I have seen the results!) These other practices also need addressing, but I don't believe that adding another potential security hole helps.

Please don't take this the wrong way - it's just that I would prefer to see best practice promoted and I don't believe that there are any real compromises to be made in what I propose. I also believe that there has been too much vendor hype pushing VPN solutions and not enough education on the risks of not doing it properly.

Cheers,
Ross
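The one-port-per-workstation forwarding Ross lays out above (WAN 10001 -> LAN 192.168.100.34:3389, and the equivalent RRAS NAT "Services and Ports" entry in his step 4) can be audited before it goes live. This is an added example, not code from the thread or from SBS; the rule text, addresses and allowed-source list are constructed sample data, and the checks (no 3389 on the WAN side, no duplicate public ports, RDP targets should have a source restriction) follow the points made in the thread.

```python
# Added example (not from the forum thread): audit one-port-per-workstation
# RDP forwarding rules written in the thread's notation, e.g.
# "WAN TCP 10001 -> LAN 192.168.100.34 TCP 3389". All sample data is constructed.
import ipaddress
import re

RDP_PORT = 3389
RULE_RE = re.compile(
    r"^WAN\s+(TCP|UDP)\s+(\d+)\s*->\s*LAN\s+([\d.]+)\s+(TCP|UDP)\s+(\d+)$", re.I)

def parse_rule(line):
    """Parse one forward rule into a dict; raise ValueError on malformed input."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    proto, pub, host, lan_proto, priv = m.groups()
    if proto.upper() != lan_proto.upper():
        raise ValueError(f"protocol mismatch in rule: {line!r}")
    return {"proto": proto.upper(), "public_port": int(pub),
            "host": str(ipaddress.ip_address(host)), "private_port": int(priv)}

def audit_rules(lines, allowed_sources=None):
    """Return a list of findings; an empty list means the rule set is clean."""
    findings, seen_public = [], {}
    for line in lines:
        r = parse_rule(line)
        key = (r["proto"], r["public_port"])
        if key in seen_public:  # two rules cannot share one public port
            findings.append(f"public port {r['public_port']} already forwards to {seen_public[key]}")
        seen_public[key] = r["host"]
        if r["public_port"] == RDP_PORT:  # Marina's point: keep 3389 for the server TS
            findings.append(f"port {RDP_PORT} used on the WAN side; reserve it for the server TS")
        if r["private_port"] == RDP_PORT and not allowed_sources:  # Ross's source-IP tightening
            findings.append(f"RDP to {r['host']} is reachable from any source address")
    return findings

def rras_port_mapping(rule):
    """Fields for the RRAS NAT 'Services and Ports' entry described in step 4."""
    return {"name": f"RDP to {rule['host']}", "protocol": rule["proto"],
            "incoming_port": rule["public_port"], "private_address": rule["host"],
            "outgoing_port": rule["private_port"]}

SAMPLE_RULES = [  # constructed sample rule set
    "WAN TCP 10001 -> LAN 192.168.100.34 TCP 3389",
    "WAN TCP 10002 -> LAN 192.168.100.35 TCP 3389",
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("finding:", finding)
    print(rras_port_mapping(parse_rule(SAMPLE_RULES[0])))
```

Run without an allowed-source list, the sample set produces one finding per workstation, which is the "restrict the source IP to known addresses" step Ross mentions; pass a list of known addresses and the set is reported clean.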

Jared Griego
Denver, CO
Member since
8/25/2005

Registered Users
Posts: 117

11/08/2005 09:34 AM  
I had a situation recently that required RWW and Sharepoint functionality on Mac OS9 and OSX. I used the latest edition of Firefox's browser. It worked great for everything including OWA. The only limitation was that you can't upload multiple documents into Sharepoint. Oh well, because I used the WEBDAV functionality of Sharepoint and a 3rd party Mac app that supports WEBDAV like an SMB share to overcome the limitations of that module. Also I only had to open the RWW port and forward it, for all of it to work from outside the network. But as regards the remote access to an XP workstation, RDP worked well as an alternative to other remote software.

Microsoft Small Business Specialist
Network+ Certified
Microsoft MCP
Microsoft OEM Preinstallation Specialist
http://www.cmitsolutions.com
Richi Watts
Sweden
Member since
3/28/2005

Registered Users
Posts: 51

6/07/2008 01:34 PM  
SBS 2003 standard, 2 nic
IMAC 10,5

Ross - I tried to follow your instructions but I don't have (On the right panel select your external network connection and open the properties)

For the others - I can only connect to my computer at work using the local IP address once connected via VPN. I have entered the local IP of the server under the NS section but as soon as I connect via VPN it automatically uses the server's DNS.

Rich