
What can you do with Virtual Private Networks?

Discussion in 'Networking (Hardware & Software)' started by markjrees, 2008/01/02.

  1. 2008/01/02
    markjrees

    markjrees Inactive Thread Starter

    One of our clients is looking at setting up a number of satellite branch offices for staff to work remotely.

    - What can you do with a Windows Server 2003/SBS 2003 VPN and a basic broadband connection?

    - With a VPN are you restricted to just basic file transfer and printing?

    Our client would want the remote staff to be able to access accounts software, contact management databases etc., all of which are stored on the central office server. Obviously it's easy enough to configure a VPN and map a drive, but what about accessing databases and software all stored on the server?


    If you are restricted to file transfer and printing, how do large organisations deal with remote offices?
     
  2. 2008/01/02
    ReggieB

    ReggieB Inactive Alumni

    A VPN basically tunnels communication between two secure networks, through an unsecured network (e.g. the internet). The technology can also be used to connect a single host to a secure network via an unsecured network. That's it.

    VPNs do not inherently block services. You can do anything through a VPN link that you can do through a direct network to network connection. However, VPNs often connect via firewalls, and firewall rules assigned to the VPN tunnels can be, and often are, used to restrict access.

    VPN connection limitations tend to be more to do with the fact that they run over the internet rather than the VPN technology itself. The processing involved in authenticating and encrypting communication packets passing over the VPN does add a load to the system, but the following are much more of a problem:
    • Internet connections are almost always slower than direct network to network connections. For example, internet connections are commonly less than 10Mb/s whereas direct network connections are rarely less than 100Mb/s.
    • One end of the VPN connection is always uploading and therefore upload speed is almost always the critical limitation. Many internet connections have poor upload speed. For example, a standard U.K. ADSL connection can have download speeds of 8Mb/s but typically the upload speed is only 256 or 512kb/s. Therefore if you connect from one ADSL to another in the U.K., the maximum transfer speed is unlikely to exceed 512kb/s. :eek:
    • Internet connections are shared and the internet's performance can vary depending on how many people (or bots) are using it at any one time, or be reduced because of a problem somewhere.
    Therefore, VPNs are very useful, but you have to always bear in mind the very low bandwidth - especially if you are connecting via ADSL as you describe.

    Here are my suggestions for getting the best out of VPN:
    • Wherever possible, use services that only need narrow bandwidth. Applications hosted via web servers, FTP, e-mail, remote desktop.
    • Avoid services that rely on a lot of background traffic to maintain them. The obvious one here is mapping network drives. Actively avoid mapping drives over a VPN. Same applies to sharing printers. Microsoft file and print sharing relies on a lot of keep alive and look ahead traffic that is insignificant on a standard network connection, but can hamstring a VPN.
    • If you can use a separate internet connection for your VPN hub to that used for your main internet - that will stop the already narrow bandwidth being further impacted by normal internet traffic. That is, at the main office where all the VPN services come in, use two internet connections. One for the main office internet, and another for the VPN.
    • Personally, I find hardware VPN solutions much easier to set up and maintain than software ones. Personally, I would recommend you invest in a decent small hardware firewall with VPN support rather than using the VPN system built into Windows 2003. Such firewalls are available from companies like Cisco, Watchguard and SonicWall. If you are on a tight budget some of the Netgear firewalls are worth a look at, but they are not as solid as those from the dedicated players IMO.
    In your example, remotely accessing an application via a mapped drive is going to run like a dog and be extremely problematic. Instead, I recommend you host the applications on a terminal server and then use remote desktop/terminal services to connect to those applications over the VPN. That will perform reasonably well and be much easier to maintain.
     


  4. 2008/01/02
    TonyT

    TonyT SuperGeek Staff

    Reg,
    I think he also means, "Can you run applications on the server through a VPN? Can you just transfer files? Can you print on remote printers? Can you open a remote file in your local Office program, edit it, save it back to server? Can the remote user control a desktop at the office via VPN? e.g. What kind of productivity can the remote user get done?"
     
  5. 2008/01/03
    ReggieB

    ReggieB Inactive Alumni

    I thought my response covered those issues, but for clarity:
    • Can you run applications on the server through a VPN? Yes, but performance will vary greatly depending on the application. A web application served through a web server (e.g. MS Exchange's Web Outlook interface) will work fine. In my experience such applications that use a lot of AJAX/JavaScript are significantly slower over VPN than normal, but are still workable. Applications designed to work over a network via a proper TCP/IP connection are often OK (e.g. Subversion SVNServe, or MySQL Management GUI) - but it depends on the application and how efficiently it uses the network connection. Applications that aren't really network applications, and you kid the system they are local to your PC by running them from a mapped drive (a common system that is shoddy and always prone to problems), will almost always be a problem over VPN. It appears to me that markjrees is considering the latter and I am sure this will be a problem (but there is an alternative).
    • Can you just transfer files? Yes, but there can be a cost. If you occasionally access a remote server over the VPN via a full URL (e.g. \\server\share\file.txt) then not a problem. As soon as you look to map a drive and start sharing files that way you hit a problem - due to the background traffic MS file and print sharing generates. A few systems with mapped connections over the VPN will rapidly use up your bandwidth. The best way to share files over a VPN in my experience is via FTP, which requires no constant maintenance traffic, and only limits bandwidth while files are being manipulated and transferred.
    • Can you print on remote printers? Yes, but see previous note regarding MS File and Print. You can remotely print via MS File and Print sharing but it gobbles up bandwidth and therefore should be avoided. However, some network printers support "Internet Printing" where you can send files to be printed via a web interface served by the printer. This should work fine over VPN as long as the files aren't too big.
    • Can you open a remote file in your local Office program, edit it, save it back to server? Yes, but it will be incredibly slow, and prone to errors and lock ups. Avoid this like the plague. Instead, copy the file you want from the server (via a direct URL or better FTP) to your local PC; then open it in Office on your local PC and edit it; and then copy it back to the server.
    • Can the remote user control a desktop at the office via VPN? Yes, this works very well over VPN and is the system I would recommend markjrees uses. However, rather than having a group of individual PCs providing individual desktops, I would recommend that a terminal server is used instead. A terminal server provides multiple desktops from a single server, and/or can be used to provide individual applications via the same system. MS terminal services is one option. Citrix solutions is another. There are many more.
    • e.g. What kind of productivity can the remote user get done? VPN in combination with an intranet of web applications and/or terminal services can be just as productive as a worker on a main network. This system works very well and as an example allows me to work as efficiently from home as I do at my desk in work.

    However, fail to take into account the bandwidth limitations that VPN networks tend to have, and the connection will run very slowly, it will be unreliable and it will be a continual headache for you.

    VPNs have allowed me to operate a small business network (< 50 users) spread over four sites in four different cities and provide remote access for home workers, as though it were a single network. It means the business works as a single unit rather than four separate small businesses. However, to manage this, I manage the traffic going over the VPN, and rely heavily on an active Intranet of web applications.
     
  6. 2008/01/03
    TonyT

    TonyT SuperGeek Staff

    Nicely stated, very informative!
     
  7. 2008/01/03
    Techmonkey

    Techmonkey Inactive

    Excellent post Reggie!

    I run a 90 site VPN with all applications and files held locally at the head office and what you have stated is exactly the experiences we have seen.

    However, instead of Terminal Services we use Citrix as it makes our lives a little easier to manage, although it is expensive.
     
  8. 2008/01/03
    ReggieB

    ReggieB Inactive Alumni

    I've not used Citrix myself, and my only direct experience is on other people's networks. However, I have only heard good reports of it. Citrix have a very good reputation - the people I know who use it, swear by it. I'll add you to the list :)
     
  9. 2008/01/14
    visionof

    visionof Inactive

    security
    connect groups - share folders, databases etc
    connect groups securely in a network over distances, or different locations and/or networks
    connect through firewalls if you need remote access of computers either for working on them or repairs

    A service called Hamachi is zero configuration, fast and safe

    https://secure.logmein.com/products/hamachi/vpn.asp?lang=en

    Hamachi was bought by a company
    has free versions and commercial versions with more users and admin controls

    http://en.wikipedia.org/wiki/Hamachi

    Gamers use Hamachi to get around ports blocked by their ISP for online gaming as well
     
