[unisog] Remote Access to Staff Desktops
Alexander Clouter
alex at digriz.org.uk
Thu Feb 19 14:19:55 GMT 2009
* Tim Lane <tlane at scu.edu.au> [Wed, 18 Feb 2009 15:29:31 +1100]:
>
> We are receiving an increasing number of requests from staff to remotely
> access their desktops, for a variety of reasons.
>
> I would be interested in hearing if any other Universities allow this, and
> if so how you are providing secure access, or if you have any
> thoughts/comments on the matter.
>
We are forcing everyone to go dynamically assigned IP so the first
hurdle is to give them a DDNS entry that tracks their workstation.
After that we mention that our network is IPsec 'transparent' so they
can even use preshared key'd IPsec to get to their workstation however
they please and from wherever.

If people are NAT'ed then they need to be able to work out how to do SSH
port forwarding off a box that *we* control (accessible via public key
and/or OTP), however I also have a functional IPsec+L2TP server setup
that seems to work nicely too for those 'unprepared' to learn the magic
of SSH :) If you go for IPsec+L2TP, look into using DHCP static
classless routes so you do not have to set your organisation's network as
a default route for your roaming userbase.

The *last* thing you want to do is poke holes in firewalls for each
workstation, with IPsec you get host based firewalls for free and it's
reasonably straightforward for them to do.

One thing worth doing, block the IP ranges used by those "Log Me
In"-esque services so users do not provision such services themselves.

Cheers
--
Alexander Clouter
.sigmonster says: Another megabytes the dust.
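
The DHCP static classless routes mentioned in the reply are carried in DHCP option 121 (RFC 3442). The following is an added example, not part of the original post or the poster's configuration: a Python encoder and decoder for the option payload, plus a check that no default route is being pushed to roaming clients. The prefixes and gateway address are constructed sample values.

```python
import ipaddress

# Constructed sample: internal prefixes reachable via the L2TP gateway.
CAMPUS_ROUTES = [("10.20.0.0/14", "192.0.2.1"), ("198.51.100.0/24", "192.0.2.1")]


def encode_routes(routes):
    """Encode (cidr, router) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
        out.append(net.prefixlen)                        # width of subnet mask
        # Only the significant octets of the destination are sent.
        out += net.network_address.packed[: (net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("payload exceeds one DHCP option (255 bytes)")
    return bytes(out)


def decode_routes(payload):
    """Decode an option 121 payload back into (cidr, router) pairs."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid mask width {width} at offset {i}")
        n = (width + 7) // 8
        if i + 1 + n + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i + 1 : i + 1 + n] + bytes(4 - n)  # pad to 4 octets
        router = payload[i + 1 + n : i + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def pushes_default_route(payload):
    """True if the payload would make the tunnel the client's default route."""
    return any(cidr.endswith("/0") for cidr, _ in decode_routes(payload))


if __name__ == "__main__":
    payload = encode_routes(CAMPUS_ROUTES)
    print(payload.hex(), decode_routes(payload), pushes_default_route(payload))
```
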