Planning your Remote Access Strategy

Many years ago, remote access was available only to a privileged few. It was commonly implemented and used by network engineers and systems administrators for the sole purpose of providing remote administration and support. Today, remote access is a vital and essential component of a modern network implementation. With our increasingly mobile workforce and the proliferation of devices that can access and consume data, providing secure remote access is essential to maintain productivity for information workers.

Developing a remote access strategy isn’t entirely simple, however. Not all users and/or all devices will require the same level of access. To ensure the highest level of security for the solution, a variety of remote access technologies should be employed to deliver the best experience for each scenario. For managed clients, full network-layer access can be provided. This can be delivered with DirectAccess or client-based VPN. For non-managed clients, client-based VPN can be deployed but in most cases a conditional access method such as application publishing is more appropriate. In some scenarios, granting secure remote access to a virtual desktop is desirable. Finally, enabling cross-premises network connectivity to hosted public cloud providers is necessary to realize the value and potential of the hybrid cloud.

To meet all of these diverse remote access needs, Celestix has developed the E-Series Cloud Edge Security Solution. Built on Windows Server 2012 R2, it delivers secure remote access to on-premises data and applications, while also providing application and desktop publishing services along with cloud network connectivity. In addition, the E-Series also supports secure data access and synchronization for mobile devices.

In a single solution, Celestix can provide secure remote access for all of the following scenarios:

Managed clients – These are Windows-based desktop and laptop computers that are provisioned by central IT and are managed and maintained by corporate administrators. These systems are joined to the organization’s Active Directory and users log in with their corporate credentials. These are highly trusted devices that are closely monitored for compliance. Here, the best solution for remote access is DirectAccess. DirectAccess is an always-on, bi-directional remote access solution that is seamless and transparent to the user. The DirectAccess client has access to the corporate network any time there is an active connection to the public Internet.

Non-managed clients – This is a broad category that includes both traditional Windows-based systems such as desktop PCs, laptops, tablets, and phones as well as non-Windows systems like Mac, iOS (iPad and iPhone), Android (tablets and phones), and Linux-based systems. All of these platforms provide support for client-based VPN and the E-Series appliance can accommodate those using VPN protocols such as PPTP, L2TP/IPsec, SSTP, and IKEv2.

Application publishing – As an alternative to granting full network-level access to remote clients, managed or non-managed, many security administrators prefer to provide access only to applications. Historically this was provided by Forefront Unified Access Gateway (UAG) 2010, a product that Microsoft recently announced would be discontinued. The Web Application Proxy can be configured as a reverse web proxy with optional pre-authentication for secure remote access to internal web applications like Exchange Outlook Web App, SharePoint, Dynamics CRM, and many other third-party and line-of-business applications.

Virtual Desktop Infrastructure (VDI) – Many remote workers can be more productive by accessing their full corporate desktop. By presenting users with a virtual desktop hosted on the internal private network and having access to necessary on-premises applications and data, information workers can perform tasks and interact with data and information that, perhaps due to strict regulatory and compliance reasons, cannot leave the corporate network in any way. The Remote Desktop Gateway can be deployed to simplify remote access to VDI and provide ubiquitous, firewall-friendly access to this critical infrastructure.

Public cloud connectivity – Many organizations are taking advantage of the maturing hosted public cloud ecosystem by implementing new workloads on, or moving existing workloads to, providers such as Microsoft Azure and Amazon Web Services. The challenge for administrators moving services to public cloud providers is that these services often require access to on-premises resources for the purposes of authenticating users or accessing data too sensitive to be migrated to the cloud provider. Here the site-to-site VPN gateway can be configured to enable cross-premises connectivity to public cloud providers. The site-to-site VPN gateway can also be used to enable secure branch office connectivity and collaboration with business partners.

There is no single access method that can provide the appropriate type and level of access for all clients and device types. The best approach is to choose the most suitable access method for each scenario. For trusted devices, low-level network access might be acceptable. For untrusted devices, application publishing might make more sense. For access to highly sensitive information, desktop publishing is likely the best choice. Regardless of which model fits best, the Celestix E-Series Cloud Edge Security solution can meet your needs.