Slashdot Mirror


Remote Access Solutions for Businesses?

thajeavis asks: "We are in the process of replacing our existing remote access system for IT staff and other faculty/staff. Previously, we were using a Bay Networks (Nortel) Remote Access Concentrator with an ISDN circuit. The equipment failed and the cost of the ISDN PRI is too high based on the low usage. We are presently testing a VPN solution using the employee's own dialup or broadband connection (Cable/DSL). The issue has also come up over who is to pay for the dialup/broadband connection, the employee or the college, since it will be used to work from home. I am most interested in what type of solution your institution has in place for remote access for IT staff and who pays for that access. We also are interested in what type of access, if any, is available for other faculty/staff. Any insight on this issue will be greatly appreciated."

7 of 45 comments

  1. Netscreen by Gothmolly · · Score: 5, Informative

    Makes firewalls which handle 10-10,000 users. Buy a smallish one (model 25 or 50), get your 4 10/100 interfaces, stateful inspection, ability to scan viruses, etc. etc. and terminate tunnels. Buy some new (pricey) or used ($250) Netscreen-5 units for the employees with broadband. The Netscreen-5 does 4 MBps at 3DES, 10MBit unencrypted, stateful inspection, all the goodies. They handle DHCP, static or PPPoE interfaces, so it should work with any ISP.
    I've rolled out many "home->corporate" VPNs this way, it works like a charm.

    --
    I want to delete my account but Slashdot doesn't allow it.
  2. Employee pays by Anonymous Coward · · Score: 1, Informative

    I work for a company that is one of the USA's largest suppliers of DSL. We can get VPN access, but we have to pay for the DSL (we get an employee discount). The company only supplies the VPN software, and that is tightly controlled.

    That policy is mostly for cost-cutting reasons. The idea is that it's a privilege to be allowed to work at home (and they don't want to hear about off-hours work) so the employee should pay. They're constantly threatening to kill work at home entirely so we take the deal.

    Yeah, I know... but the job market ain't so good these days.

  3. What we use and how we handle it. by Neck_of_the_Woods · · Score: 2, Informative

    VPN with a CA Unix Gauntlet firewall/VPN setup. The client is very easy to set up and use for anyone, and the GUI is close enough to the NT Gauntlet to get your NT techs over the difference.

    Everyone pretty much has cable or DSL, and the company will pay for 1/2 as both parties know that the other would have a dialup at the very least no matter what. This way both sides feel like they are getting a good deal. We also use Citrix on the back end and keep track of the time that the techs are logged into the system. The Citrix server will log them off after 10 minutes of idle time so the company has a track record of who was busy with what, and when.

    Good luck.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
  4. What is your satisfaction level? by FreeLinux · · Score: 3, Informative

    What is your satisfaction level with the Bay Networks product? These products have matured into the Nortel Contivity product line, which are the best that I have used, bar none. Just for the record, I have used comparable products from Cisco, Checkpoint, Sonic Wall, Netscreen, 3Com and *many* more.

    Of all the products that I have tried, the Nortel Contivity was the easiest to set up while at the same time offering the most configuration options. The performance has been equal to or greater than all of the other products. There is also a broad array of options for connection interfaces including ISDN, Frame-Relay, Ethernet, Dial-up and I think (not sure) that they even have a Contivity blade for their Passport 8600 switch.

    One important feature that the Nortel offering has over the likes of Cisco is licensing cost. A separate client software license is needed for the Cisco system and many of the others. But Nortel gives the client software away for free. They offer client solutions for multiple platforms and even officially support Linux using FreeSWAN.

  5. two solutions by Tesseract · · Score: 2, Informative

    We use two solutions depending on the client side hardware. On company-owned hardware (laptops mostly), they are allowed to use Cisco VPN. Since the VPN is 1> slow, 2> a pita to set up, and 3> flakey, we require an SSH/Remote Administrator combo on user-owned hardware. SSH to a gateway server handles most of the mainframe needs, and allows us to eliminate telnet connections directly from the outside, while tunneling Radmin allows them secured access to their desktops. Remote Admin is much faster than VNC (although not as fast as Terminal Server), and can be configured for NT authentication.

    --
    Show me what you want, and I'll show you how to get along without it...
  6. Issues by macemoneta · · Score: 2, Informative

    Our company offered to pay for the broadband (cable or DSL) connection. However, if the company paid, the connection was restricted to business use, and the terms of the corporate code of conduct. Browse porn or use P2P and you could be fired. Most employees opted to pay for the connection themselves, to be free of the restrictions.

    Nortel VPN was used. However, in subsequent jobs, SSH was more flexible and lower cost (using non-standard ports to make port scans more time consuming). I preferred SSH, since a client wasn't even needed (you can use a web browser with an SSL-protected Java client, like JavaSSH). I was able to securely access from the road by logging in from a public library. That's something that is difficult or impossible to do with a VPN. No dongles or SecurIDs to lose or manage either.

    --

    Can You Say Linux? I Knew That You Could.

  7. Cisco by NetJunkie · · Score: 3, Informative

    We use Cisco VPN. The concentrator is a 3005 and everyone just uses the Cisco VPN Client software. It works great. If you have a need to work from home the company pays your broadband fee. If not, you can pay it.

    It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.