So, I tossed this question out in this subreddit last week, asking for your thoughts and suggestions on ‘Remote access without VPN.’ I gotta say, I took a quick nap after posting and woke up to a whopping 500+ comments! It took me a whole day just to go through every single comment. Now, here I am, not knowing where to start with replies. Well, I guess this post is my shot at tackling that!
First of all, sorry for leaving you guys hanging with “certain constraints and considerations.” Here’s a bit more about it: Our organization is shifting towards cloud-based and hybrid environments, and I guess VPNs may not be as well-suited for cloud-based architectures. We’re trying to move to ZTNA as it’s specifically designed for cloud environments, offering secure access to cloud resources. Another reason is the complexity of VPN management. I found managing VPNs a bit challenging, particularly for organizations with a substantial number of remote workers, due to the significant infrastructure and configuration they demand. Also, VPNs grant users access to the entire network, which can increase the attack surface and potential risk. ZTNA, on the other hand, grants users access only to the specific resources they need.
I see most of you guys suggesting RD gateway + MFA. It looks really promising. I have gone through all your comments, and it’s really amazing to get all your views on it.
Well, I told my manager that we could look into RD gateway coupled with MFA for accessing resources remotely and securely, and also look into an MDM solution, or I guess it’s called UEM now (Hexnode looks quite promising), to manage devices securely by pushing security policies, controlling device configurations, and ensuring compliance with security standards. I’d like to know your thoughts. Is it too much or not at all good?
Also consider the cost of licensing: if your destination clients are Windows, you will need a separate licence per user for remote access to desktops or VDI. It’s quite expensive too.
Many get around this with a trick using Server licences or an RDS farm, etc.
This is the licence guide, but I pity anyone reading this stuff, let alone implementing it:
Solutions from other providers like VMware Horizon View or Citrix all still require the Windows licensing additionally.
Depending on your use case, it might be worth considering cloud solutions like AVD (previously WVD). Again, these options are not cheap, but a pay-as-you-use model might work out more practical than on-site hardware solutions.
Our organization is shifting towards cloud-based and hybrid environments, and I guess VPNs may not be as well-suited for cloud-based architectures
I don’t know which cloud environment you are working in, but I would talk to your provider and get expertise here since you clearly don’t have it… there is absolutely no reason that hybridizing your environment, or having a cloud environment, should make VPN non-viable… You might need to upgrade some of your on-prem networking hardware for a seamless environment if it’s like two decades old… but if it’s that old it probably needed an upgrade anyways…
We use RDGW between the entire Internet and our infrastructure. Some customers use MFA as well on their servers; internally we are forced to use it. We’re also not allowed to use anything other than regular users off-site, and need to change to our admin users when we are on the inside.
As MFA we use Duo Security. Works well.
Reading your post, it seems like you’d be fine with an SSL VPN where the only allowed connection is from the user to their normal desktop in the office or a terminal server.
That combined with MFA would be almost just like having them in the office, and once it is set up there isn’t a bunch to manage. I had to do this when Covid hit, and it’s been adopted by many clients of ours today due to the simplicity of managing it as well.
Well the decision of VPN/ZTNA versus Remote Desktop is usually a question of bandwidth and latency for the apps in question. Apps that require low latency and/or high bandwidth will need a Remote Desktop solution. Also, there is nothing wrong with using VPN/ZTNA and Remote Desktop together to solve your problem.
For example, I support a couple apps that can only run on the internal network. Performance is too bad otherwise, so the only real option is a Remote Desktop solution for those apps. We deploy an always-on VPN that has developed ZTNA features as the product matured over time. It is used to control offsite access to all business resources (cloud or internal). It is also used for IT staff to remotely manage client systems. Our Remote Desktop implementation is behind this solution, so we have never had to expose it directly to the Internet. The solution is secure for our needs and flexible for the future, as we can control and report on all aspects of the remote client’s network access.
Honestly, using Pulse VPN and SAML Auth with Microsoft Conditional Access worked for us. A CA policy checks that the device is compliant, i.e. a corporate device, and lets them log in.
We have rules set up so some accounts can only access some servers.
I have looked at ZTNA clients, which are a bit easier to set up, but VPNs aren’t all bad if set up correctly.
Check out SureMDM! It suits your requirements and provides good device management, security policies, and compliance features. It also complements MFA for remote access.
SSH tunneling/gateway.
This would shift the VPN management towards SSH key rotation/management.
Can experiment with VNC as well.
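The SSH gateway route suggested above (and the "only the user to their own desktop" model an earlier reply describes for an SSL VPN) turns remote access into authorized_keys hygiene on the gateway host. What follows is an added example, not code from the thread or from any product mentioned in it: a Python audit of a gateway's authorized_keys that checks each key for `restrict`, a `permitopen` list limited to the key owner's own desktop, and an `expiry-time` within a 90-day rotation window. The policy map, the owner names, the host names, the key blobs and the fixed audit date are all constructed placeholders; the script also assumes a non-`Z` expiry timestamp is UTC, whereas sshd interprets it in the system time zone.

```python
"""Audit an authorized_keys file on an SSH tunnel gateway against a constructed policy:
every key must carry `restrict`, may only `permitopen` its owner's own desktop,
and must have an `expiry-time` no more than MAX_ROTATION_DAYS in the future."""
from datetime import datetime, timedelta, timezone

MAX_ROTATION_DAYS = 90
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
AUDIT_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

# Constructed policy: key comment (owner) -> destinations that owner may tunnel to.
POLICY = {name: {f"desk-{name}.corp.example:3389"} for name in ("alice", "bob", "carol", "dave")}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# alice: tunnel-only key, limited to her own desktop, rotates in 30 days
restrict,port-forwarding,permitopen="desk-alice.corp.example:3389",expiry-time="20240701Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERALICE alice
# bob: bare key, no restrictions at all
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERBOB bob
# carol: restricted, but may also reach a domain controller, and never expires
restrict,port-forwarding,permitopen="desk-carol.corp.example:3389",permitopen="dc01.corp.example:389" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERCAROL carol
# dave: correctly restricted, but the key has already expired
restrict,port-forwarding,permitopen="desk-dave.corp.example:3389",expiry-time="20240101Z" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERDAVE dave
"""


def parse_entry(line):
    """Return (options, key_type, key_blob, comment) for one non-comment authorized_keys line."""
    opts, i = {}, 0
    if not line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        # Options prefix: comma-separated; quoted values may themselves contain commas or spaces.
        tokens, cur, in_quote = [], [], False
        while i < len(line):
            c = line[i]
            if in_quote and c == "\\" and i + 1 < len(line):  # backslash escape inside quotes
                cur.append(line[i + 1]); i += 2; continue
            if c == '"':
                in_quote = not in_quote            # quotes delimit a value and are dropped
            elif not in_quote and c in ", \t":
                tokens.append("".join(cur)); cur = []
                if c != ",":                       # whitespace ends the options prefix
                    i += 1; break
            else:
                cur.append(c)
            i += 1
        for tok in tokens:
            name, _, value = tok.partition("=")
            opts.setdefault(name, [])              # flag options keep an empty list
            if value:
                opts[name].append(value)           # repeated options (permitopen) accumulate
    rest = line[i:].split()
    if len(rest) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    return opts, rest[0], rest[1], (rest[2] if len(rest) > 2 else None)


def parse_expiry(spec):
    """Parse an expiry-time value (YYYYMMDD[HHMM[SS]][Z]); assumed UTC even without a Z suffix."""
    digits = spec.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    try:
        return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc) if fmt else None
    except ValueError:
        return None


def audit_authorized_keys(text, policy, now, max_days=MAX_ROTATION_DAYS):
    """Return {owner: [finding, ...]}; an empty list means the key passes the policy."""
    results = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ktype, _blob, comment = parse_entry(line)
        owner = comment or f"line{n}"
        findings = results.setdefault(owner, [])
        if "restrict" not in opts:
            findings.append("missing 'restrict': pty, agent and X11 forwarding stay enabled")
        targets = set(opts.get("permitopen", []))
        off_policy = targets - policy.get(owner, set())
        if not targets:
            findings.append("no permitopen: the tunnel may reach any host and port")
        elif off_policy:
            findings.append("permitopen outside policy: " + ", ".join(sorted(off_policy)))
        specs = opts.get("expiry-time", [])
        expiry = parse_expiry(specs[0]) if specs else None
        if not specs:
            findings.append("no expiry-time: the key never rotates")
        elif expiry is None:
            findings.append(f"unparseable expiry-time {specs[0]!r}")
        elif expiry <= now:
            findings.append(f"expired on {expiry:%Y-%m-%d}")
        elif expiry - now > timedelta(days=max_days):
            findings.append(f"expiry {expiry:%Y-%m-%d} is beyond the {max_days}-day rotation window")
    return results


def run_sample():
    """Audit the constructed sample at the fixed audit time."""
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, POLICY, AUDIT_NOW)
```

`run_sample()` returns one list of findings per key owner: alice passes, bob collects three findings, carol is flagged for the extra `permitopen` to the domain controller and for never expiring, and dave's key is reported as expired. To use it on a real gateway, feed the file contents and your own owner-to-desktop map into `audit_authorized_keys` with `datetime.now(timezone.utc)`; a key that passes still needs `port-forwarding` after `restrict` for the tunnel to work at all, which is a functional rather than a security check and is left out here.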
There are quite a lot of (old but robust, if done right) techniques to provide secure access, but they come at a price - sometimes rather hefty - that revolves around management, user training, maintenance, support - all in-house.
In the end it is a tradeoff. Citrix/Fortinet/F5/Imperva/IBM Datapower/Riverbed - all nice (and remember, never, ever go with anything provided by Broadcom - EVER!!!). All great, all have plenty of exploits (history-wise), and all of that is expected given their market penetration and ubiquity.
Many of our customers enjoy enhanced security using our fully managed DaaS solution (Apporto). We do least-privilege access to internal resources, and some customers even put their VPN client on our desktops (belt & suspenders). Might be worth a look!