When I work from home I’ve been connecting to my office computer with VPN and then starting up Remote Desktop Connection. This morning I could not log on. I called the office and was told that they’d tightened security and that VPN will no longer be used. I need to connect directly with RDC. Before, there was an IP address in the Computer box of RDC. Now I’m told that it will be [me].[domain].org. It’s not set up yet and I get the message ‘The Mac cannot connect because the Windows-based computer cannot be found.’ They’re working on it.
I did not know that RDC could connect without initiating a VPN connection first, but apparently this is (supposed to be) the case. Can someone explain to me how all this works?
The real question is: how can this be described as “tightening” security? You can use Remote Desktop Protocol over the big bad Internet; you just need the IP or name of the computer that has that port open to the world. I’m guessing that this new hostname they gave you will resolve to the IP address of a router that will, based on the hostname, forward network traffic to the correct internal PC. Generally, an IT department would have the new setup ready before they turned off the old one, but hey, whatever works.
The RDC session is just a connection to the server that you want to control. There is no inherent reason why a VPN would be necessary for an RDC session. As long as you can see the server and it allows you to RDC into it, you’re fine.
Typically you wouldn’t be able to see the server directly from the internet; it would be safely tucked away inside a secured network. You would use a VPN session to connect into this network from the internet.
I also do not see how this is “tightening security”. A VPN link is typically encrypted, so not only does it prevent unauthorized access it also prevents other people from seeing your data as you interact through the RDC session. I don’t see where that fits in with their proposed solution, so this seems like a step backwards to me.
I can’t speak for the OP’s IT Security department, but in my experience (4.5 years with a bank, front line tech support and server admin but worked with security folks pretty regularly) sometimes when IT security people say they’re “tightening” security it’s kind of shorthand for “we suspect we’ve had a breach and need to change the way we do things for a while to deal with it.”
I wish someone would have said something so that I could take my PowerBook into the office to test it first. I have a reputation of being something of a ‘workaholic’. I have a stack of work I want to get through and it’s bugging me that I can’t do it.
Just got off the phone with our IT person. She gave me another address. I tried it and was able to get to the Windows logon screen. But someone else was using that address. (Possibly she didn’t log off correctly.) I tried the IT person’s address and I got the same message as in the OP. Her address and mine were set up at the same time. She’s perplexed, as setting up an address usually only takes a few minutes. (This sort of thing is actually handled by an outside IT company.) She suggested I wait half an hour and try again.
Re: security. Apparently we’re getting a ‘terminal server’. Our in-house IT person agrees that RDC without VPN is less secure, but it’s only temporary.
2008 Server Terminal Services Gateway can use RDP over HTTPS instead of a VPN. It allows connection to terminal servers on the private network and has more granular control of access to resources. It can also implement Network Access Protection which can check and enforce that connecting machines are properly updated and running anti-virus and firewall software. So 2008 RDP without VPN can be more secure than 2003 with it.
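To make the contrast in the posts above concrete (RDP reachable from anywhere versus RDP reachable only through a VPN or an RD Gateway), here is an added PowerShell example written for this thread; it is not code from any poster or from Microsoft. It assumes a modern Windows host with the NetSecurity module, a VPN client pool of 10.8.0.0/24, a gateway named rdgw.example.org and an internal target ts01.corp.example.org; all three values are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Placeholders, not real hosts or ranges.
$VpnPool     = '10.8.0.0/24'             # assumed VPN client address pool
$GatewayFqdn = 'rdgw.example.org'        # assumed RD Gateway (RDP over HTTPS)
$TargetHost  = 'ts01.corp.example.org'   # assumed internal terminal server

# Corrected setting first, so disabling the open rule below cannot lock out
# VPN users: accept TCP/3389 only from the VPN client pool.
New-NetFirewallRule -DisplayName 'RDP (VPN clients only)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnPool -Action Allow | Out-Null

# Weak setting: any enabled inbound rule that allows 3389 from 'Any'. The
# built-in "Remote Desktop - User Mode (TCP-In)" rule is exactly this once RDP
# is switched on, which is what "RDC without VPN" amounts to on an
# Internet-reachable host. Report each such rule and disable it.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    ForEach-Object {
        Write-Warning "Disabling '$($_.DisplayName)': TCP/3389 allowed from Any"
        Disable-NetFirewallRule -Name $_.Name
    }

# Check: what remains allowed for 3389 and from which remote addresses.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }

# Client side: an .rdp file that reaches the internal host through the RD
# Gateway over HTTPS instead of a public IP on 3389. The "before" form is just
# "full address:s:<public IP>" with no gateway lines.
#   gatewayusagemethod 1        = always use the gateway
#   gatewaycredentialssource 0  = ask for a password (NTLM)
#   gatewayprofileusagemethod 1 = use these explicit gateway settings
@"
full address:s:$TargetHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
"@ | Set-Content -Path "$env:USERPROFILE\Desktop\office-via-gateway.rdp" -Encoding ASCII
```

Run it in an elevated PowerShell on the host that accepts the RDP sessions. The final listing should show only the VPN-scoped rule (or whatever other narrow scope you intend); if a rule with RemoteAddress Any is still present, the host is the exposed case the earlier replies call a step backwards. The .rdp file is the same approach the TS Gateway post describes: the client speaks to the gateway on 443 and the gateway, not the Internet, reaches 3389 on the internal machine.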
I agree that the removal of the VPN seems to be a retrograde step (loss of encryption, exposure of not fully secured systems to the internet, etc), but they may be addressing a more fundamental issue.
If the remote end-point system of the VPN is not a secured, controlled system, then it may itself be the risk to the security of the network. I’ve seen environments where VPN access was granted to a number of users’ personal systems, that then proceeded to infect and contaminate the entire network :smack:
So the VPN shut off for security claim may not be spurious. And it sounds like Johnny L.A.’s IT dept has decided that allowing remote connections to office workstations is a bad idea and a waste of resources, and is setting up a Terminal Server that will share a single system between a number of users accessing it remotely (which seems like a pretty good idea to me. I would be still using a controlled VPN for access or connections via SSL, though).