Understanding VPN, TS or both

compsosinc@gmail.com

We are setting up a remote location that will connect to our main
office for the purpose of running our accounting application. At the
main office, the application is client-server based, so it is
currently installed locally on the (15) XP desktops and they access
the Pervasive-SQL database that is located on a shared drive on the
Windows 2003 Server that is also the Domain Controller (DC). We will be
running (10) XP Pro desktops at the remote location, and there is not
a server there. The desktops will print to network-based printers.

Both locations have cable-internet with Static IPs with 3Mb download/
768Kb upload. The remotes will be using the Internet.

Obviously, we want the most secure & speedy setup we can get. Our
accounting software vendor says a terminal server (TS) is not
necessary but a VPN would probably be too slow.

Confusion: So what would be the other choice??

Here is what we are considering:

1. Purchase another server to be the TS, install the accounting app on
it just like it is a workstation, and physically set it up at the main
office next to the DC. Remotes would login to the TS and run the app
from it.

Our questions/confusion is the following:

Option 1: Do we purchase (2) VPN-capable routers, such as Linksys
RV082s, and establish a tunnel for the TS session to run through? If
so, can anyone recommend different routers -such as something from
Cisco and point out the pros/cons (security, IT maintenance, setup,
reliability) of this approach.

or:

Option 2: We connect to the TS without a VPN. First off, how do we
connect to the TS without a VPN -what hardware (routers) etc do we
need. Please state pros/cons here too.

or:

Option 3: Do not purchase a TS, but directly VPN to the DC. How
unsecure is it, etc. What are the advantages of a TS vs. connecting to
the DC. What hardware would we buy.

Note: Assume cost is not a factor as we think we need to spend what
gives us the best setup for reliability, speed, security. Though we
don't want to overkill the router hardware, but not convinced we
should just buy the SOHO devices.

Thanks!
 
Re: Understanding VPN, TS or both

Comments inline...

compsosinc@gmail.com wrote:
> We are setting up a remote location that will connect to our main
> office for the purpose of running our accounting application. At the
> main office, the application is client-server based, so it is
> currently installed locally on the (15) XP desktops and they access
> the Pervasive-SQL database that is located on a shared drive on the
> Windows 2003 Server that is also the Domain Controller (DC). We will be
> running (10) XP Pro desktops at the remote location, and there is not
> a server there. The desktops will print to network-based printers.
>
> Both locations have cable-internet with Static IPs with 3Mb download/
> 768Kb upload. The remotes will be using the Internet.
>
> Obviously, we want the most secure & speedy setup we can get. Our
> accounting software vendor says a terminal server (TS) is not
> necessary but a VPN would probably be too slow.


Unless their software is specifically optimized for use over
low bandwidth links it is likely that it will perform poorly [if not
run via TS]. I have seen client-server SQL apps that run fine
over as low as modem speeds, but they were designed with
that in mind.

Sadly many (most?) assume that there is a high speed link
between the client and server and make common scalability
mistakes such as pulling large amounts of data down to the
client unnecessarily.

Factor in that you will be running 10 machines concurrently
over a link that (at best) will be 768Kbps and it is not surprising
the vendor said it would probably be too slow.

>
> Confusion: So what would be the other choice??
>
> Here is what we are considering:
>
> 1. Purchase another server to be the TS, install the accounting app on
> it just like it is a workstation, and physically set it up at the main
> office next to the DC. Remotes would login to the TS and run the app
> from it.


This sounds good. You still need to make sure that
you will have enough outgoing bandwidth at the primary
location to meet your needs and that the new TS server
has enough RAM and CPU for the load. For example, you
need to consider how much printing will occur, what other
purposes the bandwidth is used for (sending email attachments,
etc.), how much bandwidth your accounting app uses under TS.

Pilot tests where you measure bandwidth/RAM/CPU used
under normal conditions are essential. You may need to
use a universal printer driver solution to minimize printing
bandwidth and set connection color depth to 8-bit (256 colors).

>
> Our questions/confusion is the following:
>
> Option 1: Do we purchase (2) VPN-capable routers, such as Linksys
> RV082s, and establish a tunnel for the TS session to run through? If
> so, can anyone recommend different routers -such as something from
> Cisco and point out the pros/cons (security, IT maintenance, setup,
> reliability) of this approach.


Pro:
- Extra layer of security

Cons:
- More complex to set up
- VPN will sometimes go down under slightly poor network
conditions
- Equipment cost is a little higher

>
> or:
>
> Option 2: We connect to the TS without a VPN. First off, how do we
> connect to the TS without a VPN -what hardware (routers) etc do we
> need. Please state pros/cons here too.


For this you simply forward the incoming TS port on your
primary location's router to the terminal server's internal
address. Users at the remote location connect to the
external IP address of the primary location.

Pros:
- Easy to set up
- Existing router will probably work
- Connections are less likely to go down during slightly poor
network conditions

Cons:
- Slightly less secure than VPN, this can be mitigated by
using IPsec/router rule to only allow TS connections from the
remote office's public IP (remember, TS connections are
already encrypted)

>
> or:
>
> Option 3: Do not purchase a TS, but directly VPN to the DC. How
> unsecure is it, etc. What are the advantages of a TS vs. connecting to
> the DC. What hardware would we buy.


Not really an option because of poor performance. If you could get
a faster outgoing speed (3-6Mbps or higher) at the primary location
then it *may* work fine. Depends on your application; first test, measure,
and test again to be certain before rolling this out.

>
> Note: Assume cost is not a factor as we think we need to spend what
> gives us the best setup for reliability, speed, security. Though we
> don't want to overkill the router hardware, but not convinced we
> should just buy the SOHO devices.
>
> Thanks!


You are welcome.

What you are contemplating has the *potential* to run very
well with your existing Internet connections and a new TS
server, however, you need to do your testing and analysis before
you know for sure.

-TP
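
The source restriction suggested for Option 2 can be checked mechanically. The following is an added example, not part of the original posts: it audits a list of inbound port forwards and reports any that let hosts other than the remote office reach the terminal server. The rule format, the addresses (documentation ranges) and all names are constructed for illustration; 3389 is the default TS port.

```python
import ipaddress
from dataclasses import dataclass

TS_PORT = 3389                    # default Terminal Services (RDP) port
REMOTE_OFFICE_IP = "203.0.113.10"  # constructed: remote office's static public IP
TS_IP = "192.168.1.20"             # constructed: terminal server's internal address


@dataclass(frozen=True)
class Forward:
    """One inbound port-forward entry on the main office router (constructed format)."""
    source: str     # CIDR permitted to use the forward; "0.0.0.0/0" means any host
    ext_port: int   # port opened on the main office's public IP
    dest_ip: str    # internal host that receives the traffic
    dest_port: int  # port on that internal host


def audit_ts_forwards(rules, remote_office_ip, ts_ip):
    """Return (findings, remote_office_can_connect) for forwards that reach the TS."""
    remote = ipaddress.ip_address(remote_office_ip)
    findings, reachable = [], False
    for rule in rules:
        if rule.dest_ip != ts_ip or rule.dest_port != TS_PORT:
            continue  # not a forward to the terminal server
        net = ipaddress.ip_network(rule.source, strict=False)
        if remote in net:
            reachable = True
        # Anything wider than the remote office's single address is over-exposed.
        extra = net.num_addresses - (1 if remote in net else 0)
        if extra:
            findings.append(
                f"port {rule.ext_port} -> {ts_ip}:{TS_PORT} open to {rule.source} "
                f"({extra} address(es) besides the remote office)"
            )
    return findings, reachable


# Constructed rule sets: plain forward, source-restricted forward, and a
# restriction that is too wide and hidden behind a non-default external port.
WEAK = [Forward("0.0.0.0/0", 3389, TS_IP, TS_PORT)]
HARDENED = [Forward("203.0.113.10/32", 3389, TS_IP, TS_PORT)]
TOO_BROAD = [Forward("203.0.113.0/24", 3390, TS_IP, TS_PORT)]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED), ("too broad", TOO_BROAD)):
        print(name, audit_ts_forwards(rules, REMOTE_OFFICE_IP, TS_IP))
```
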
 