Opinions on VPN vs. RD Gateway

Good morning,

My coworker and I are debating a heated topic. We have a client that currently uses 3 virtuals for their Remote Desktop setup. RD Gateway is on one VM, the terminal server is on another, and their file server is on the third. They were impacted by the VMware buyout, as the VMs are on the free ESXi license. The initial thought was to export the VMs and convert them to Hyper-V. Well, the RD Gateway VM isn't launching properly in Hyper-V, and we are looking at redoing the whole shebang. Our debate is whether to continue using an RD Gateway for users to have direct access or to use the VPN provided by her UniFi system. Current speeds are 1Gbps/50Mbps. The client has 3-4 users at most that will possibly be on concurrently. He feels that the VPN will significantly impact the users' experience. I feel that the VPN is the more viable and secure option, and with so few users on the VPN, they won't see a performance hit. Which would you use if you had to set it up in your environment?

You didn't say what the client's line of business is: if it's legal or healthcare, the security separation of Remote Desktop is valuable to prevent local data exfiltration (versus providing a tunnel client, where a user's BYOD device can be compromised and grant access to the business network).

If you are running real-time apps for collaboration, a VPN also may not be the most performant choice. You'll be forced to use split tunneling, which arguably is not that secure, and is subject to the same issue above.

Also, I’d consider implementing multi-factor authentication on the RD Gateway.

In most cases we have forgone RD Gateway for VPN. Without supporting services that a very small business might not have, you are prone to AD account lockouts once the bots figure out you have an RD Gateway server. We used third-party software to shun IPs after so many failed auths, but still ran into the problem when they used blocks of IPs.

VPN connections will change the way your client network traffic flows as well. It's quite possible that you will end up with a full tunnel configuration. With RD Gateway you're not exposing your full network to the client or backhauling their internet traffic.

Fast, thin and light is RD Gateway. Supported by multiple OSes without VPN requirements at the client level.

The other way is full-stack infra with services to support. If you have the resources and/or want to generate more hours for MSP billing, go full stack, but that's not my recommendation.
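The lockout problem described in the reply above (per-IP shunning that an attacker sidesteps by spreading a few attempts across a block of addresses) is easy to see on a log. The script below is an added example, not code from the thread or from any of the tools mentioned in it. The event list is constructed to resemble the fields an admin would pull from Windows Security event 4625 (source address, account, outcome) as an RD Gateway sees them; the thresholds, the /24 prefix size and the `min_hosts` rule are assumptions chosen for illustration, not vendor defaults. It counts failures per source IP, aggregates them per /24 so a distributed low-and-slow attempt still trips a block, and separately reports which accounts have accumulated enough failures to be at lockout risk regardless of how many IPs were involved.

```python
"""Failed-logon analysis for an RD Gateway: per-IP and per-/24 shunning.

Added example, not from the original thread. SAMPLE_EVENTS is constructed
to look like fields extracted from Windows Security event 4625; thresholds
are illustrative assumptions.
"""
import ipaddress
from collections import Counter, defaultdict


def _burst(ip, account, n, outcome="fail"):
    """Build n constructed (timestamp, source_ip, account, outcome) events."""
    return [(f"2024-05-01T08:{i:02d}:00", ip, account, outcome) for i in range(n)]


# Constructed sample log (documentation/test ranges only):
#  - one noisy IP hammering a single account (caught by the per-IP rule)
#  - four hosts in one /24 sending 3 attempts each, each under the per-IP
#    threshold but enough in aggregate to lock the account
#  - a legitimate user who mistyped twice and then succeeded
SAMPLE_EVENTS = (
    _burst("203.0.113.10", "jsmith", 6)
    + _burst("198.51.100.21", "jsmith", 3)
    + _burst("198.51.100.22", "jsmith", 3)
    + _burst("198.51.100.23", "jsmith", 3)
    + _burst("198.51.100.24", "jsmith", 3)
    + _burst("192.0.2.7", "admin", 2)
    + _burst("192.0.2.7", "admin", 1, outcome="success")
)


def failures_by_ip(events):
    """Count failed logons per source address."""
    counts = Counter()
    for _ts, ip, _acct, outcome in events:
        if outcome == "fail":
            counts[ip] += 1
    return counts


def failures_by_prefix(events, prefix_len=24):
    """Count failed logons per network prefix and remember which hosts took part."""
    totals = Counter()
    members = defaultdict(set)
    for _ts, ip, _acct, outcome in events:
        if outcome != "fail":
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[net] += 1
        members[net].add(ip)
    return totals, members


def shun_decisions(events, per_ip=5, per_prefix=10, min_hosts=3, prefix_len=24):
    """Return (ips_to_shun, prefixes_to_shun).

    A prefix is shunned only when its failures come from at least min_hosts
    distinct addresses, so one bad host does not take its whole /24 with it
    (that host is already caught by the per-IP rule).
    """
    ips = {ip for ip, n in failures_by_ip(events).items() if n >= per_ip}
    totals, members = failures_by_prefix(events, prefix_len)
    prefixes = {
        str(net)
        for net, n in totals.items()
        if n >= per_prefix and len(members[net]) >= min_hosts
    }
    return sorted(ips), sorted(prefixes)


def accounts_at_risk(events, lockout_threshold=10):
    """Accounts whose total failures (from any source) reach the AD lockout threshold."""
    counts = Counter(acct for _ts, _ip, acct, outcome in events if outcome == "fail")
    return sorted(acct for acct, n in counts.items() if n >= lockout_threshold)


if __name__ == "__main__":
    ips, prefixes = shun_decisions(SAMPLE_EVENTS)
    print("shun IPs:     ", ips)
    print("shun prefixes:", prefixes)
    print("accounts at lockout risk:", accounts_at_risk(SAMPLE_EVENTS))
```

Run as-is it reports the single noisy host, the 198.51.100.0/24 block (12 failures spread across four hosts that never individually reach the per-IP threshold), and `jsmith` as already past a 10-failure lockout threshold. Feeding the shun lists into the firewall or the gateway's connection authorization policy is left to the environment; the point of the example is that per-IP shunning alone does not protect the account, which is the failure the reply describes.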

Thanks for the response. They are in the accounting field. RDP is used mostly for them to access QuickBooks, which is installed on the terminal server.

Understood. VPN seemed to be the faster and more expedient solution, but I see where you are coming from and can see what you are referring to. Thank you for your input.

QuickBooks works significantly better on a VM and rather poorly over a VPN. It's one of those few applications where a VPN is a sub-par choice.