Remote Access Solutions for Businesses?

thajeavis asks: "We are in the process of replacing our existing remote access system for IT staff and other faculty/staff. Previously, we were using a Bay Networks (Nortel) Remote Access Concentrator with an ISDN circuit. The equipment failed and the cost of the ISDN PRI is too high based on the low usage. We are presently testing a VPN solution using the employee's own dialup or broadband connection (Cable/DSL). The issue has also come up over who is to pay for the dialup/broadband connection, the employee or the college since it will be used to work from home. I am most interested in what type of solution your institution has in place for remote access for IT staff and who pays for that access. We also are interested in what type of access, if any is available for other faculty/staff. Any insight on this issue will be greatly appreciated."

IC Company

[shaka999]

I work for a integrated circuits manufacturing company.

Our solution for remote connection is two fold. First we contract with AT&T to allow remote dial up from a number of locations. This is free for the employee (except for the required phone line of course).

VPN is also an offered as an option but there is no official policy on who pays for the employees connection. This is a smart policy IMHO. It usually requires the employee to prove they will do useful work at home before the company signs up to pay for a broadband connection.

Netscreen

[Gothmolly]

Makes firewalls which handle 10-10,000 users. Buy a smallish one (model 25 or 50), get your 4 10/100 interfaces, stateful inspection, ability to scan viruses, etc. etc. and terminate tunnels. Buy some new (pricey) or used ($250) Netscreen-5 units for the employees with broadband. The Netscreen-5 does 4 MBps at 3DES, 10MBit unencrypted, stateful inspection, all the goodies. They handle DHCP, static or PPPoE interfaces, so it should work with any ISP.
I've rolled out many "home->corporate" VPNs this way, it works like a charm.

What we use and how we handle it.

[Neck_of_the_Woods]

VPN with a CA unix gauntlet firewall/vpn setup. The client is very esay to set up and use for anyone, and the GUI is close enough to the NT gaunlet to get your NT techs over the difference.

Everyone pretty much has cable or dsl, and the company will pay for 1/2 as both parties know that the other would have a dailup at the very least no matter what. This way both sides feel like they are getting a good deal. We also use Citrix on the back end and keep track of the time that the techs are logged into the system. The citrix server will log them off after 10 minutes of idle time so the company has a track record of who was busy with what, and when.

Good luck.

What is your satisfaction level?

[FreeLinux]

What is your satisfaction level with the Bay Networks product? These products has matured into the Nortel Contivity product line which are the best that I have used, bar none. Just for the record, I have used comprable products from Cisco, Checkpoint, Sonic Wall, Netsceen, 3Com and *many* more.

Of all the products that I have tried, the Nortel Contivity was the easiest to setup while at the same time, offering the most configuration options. The performance has been equal to or greater than all of the other products. There is also a broad array of options for connection interfaces including ISDN, Frame-Relay, Ethernet, Dial-up and I think(not sure) that they even have a Contivity blade for their Passport 8600 switch.

One important feature that the Nortel offering has over the likes of Cisco is licensing cost. A seperate client software license is needed for the Cisco system and many of the others. But, Nortel gives the client software away for free. They offer client solutions for multiple platforms and even officially support Linux using FreeSWAN.

My company pays

[crow]

My company uses VPN for home access, and they pay for my connection. They used to provide an ISDN line to my home, and I never saw a bill. A few years ago, they switched to using VPN, and now we can file expense reports for our home Internet access (up to some dollar limit). Most people get cable or DSL.

Of course, the employees who qualify to expense their connections are the same ones that are given pagers and are expected to deal with urgent problems promptly during off hours. (They also provide company computers for home use.)

Remember, one big difference between an employee and a contractor is that the company provides the tools necessary to do the job for employees. If VPN access from home is necessary for employees to do their jobs, then the company should pay for it. If it's an optional thing, then the employee can pay for it if he wants to.

two solutions

[Tesseract]

We use two solutions depending on the client side hardware. On company-owned hardware (laptops mostly), they are allowed to use cisco VPN. Since the VPN is 1>slow, 2> a pita to set up, and 3>flakey we require an SSH/Remote Administrator combo on user-owned hardware. SSH to a gateway server handles most of the mainframe needs, and allows us to eliminate telnet connections directly from the outside while tunneling Tunneling Radmin allows them secured access to their desktops. Remote Admin is much faster than VNC (although not as fast as Terminal Server), and can be configured for NT authentication

Isuues

[macemoneta]

Our company offered to pay for the broadband (cable or DSL) connection. However, if the company paid, the connection was restricted to business use, and the terms of the corporate code of conduct. Browse porn or use P2P and you could be fired. Most employees opted to pay for the connection themselves, to be free of the restrictions.

Nortel VPN was used. However, in subsequent jobs, SSH was more flexible and lower cost (using non-standard ports to make port scans more time consuming). I preferred SSH, since a client wasn't even needed (you can use a web browser with a SSL protected Java client, like JavaSSH. I was able to securely access from the road by logging in from a public library. That's something that is difficult or impossible to do with a VPN. No dongles or SecurIDs to lose or manage either.

Cisco

[NetJunkie]

We use Cisco VPN. The concentrator is a 3005 and everyone just uses the Cisco VPN Client software. It works great. If you have a need to work from home the company pays your broadband fee. If not, you can pay it.

It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.

We use Cisco VPN /SecurID

[ihistand]

I am a lowly user, but my company uses Cisco VPN solutions.

They have linux , windows, and mac clients, and our implementation uses SecurID for authentication, so at least it seems secure. (not being a security expert I have no idea if it actually is.)

cost of working and expectations

[zogger]

--there's a previous model of "cost of working" that is well established. Usually an employee who must physically travel into work pays for this travel out of their own pocket, auto, gas, etc, normal commuter expenses. That is usally more than a broadband connection cost. I would think anyone lucky and skilled enough to work from home would gladly pay a nominal fee such as this for their job access. In sales where travel costs are deductable, it usually doesn't apply until after the first 50 miles daily (IIRC), again, much higher than a monthly broadband account most places. In other words it's such a good deal for the employee compared to the alternative they should just pony it up. If your employer wants to pay it, well, that's cool too but expecting them to pay for your physical or electronic travel just to "get to work" everyday is not usually a normal expense most employers pay.

As to related expenses, not sure in the white collar IT world but in the blue collar world most jobs I have had require that I personally own and pay for "tools" which cost a lot more in aggregate than most laptops. If it was me I would just assume before even applying anywhere that an IT job would require me to have and own a laptop,and I would already own one being an "IT" guy, although if I worked inside a cube exclusively I would expect the employer to have the workstation. This is just normal, when I've had factory jobs I didn't pay for the lathe or bandsaw I was running, but on construction sites 90%+ of the tools I used were my own. I paid for my own specialised work clothing, blue collar, I paid for my own steel toed boots, rugged clothing and hard hat and gloves, white collar sales jobs I have had, I paid for my own suits and shiny shoes, and etc. I never even considered that the employer pay for this clothing.

I would think in today's economy that both employers and employees in IT would just "get real" on pay scales, corporate profits, expectations, and costs of doing business. A little of give and take both ways might result in this IT company actually staying in business and everyone concerned remaining employed. I mean, diidn't we just go through this dotbomb phenomenon? Was there nothing to learn from this?

I am reminded of the lessons of eastern airlines, an old, established, profitable enterprise that tanked swiftly once the 'stupidity and greed' factor became part of the mindset there, and was shared across the board up and down and sideways throught their organization. Where a combination of white collar mismanagement and arrogance and severe over compensation, combined with completely unrealistic blue collar union demands and expectations of compensation, resulted in *no one* at eastern airlines having "a job" after a short time frame of this attitude being adopted.