[unisog] Remote Access to Staff Desktops

Alexander Clouter alex at digriz.org.uk
Thu Feb 19 14:19:55 GMT 2009


* Tim Lane <tlane at scu.edu.au> [Wed, 18 Feb 2009 15:29:31 +1100]:
>
> We are receiving an increasing number of requests from staff to remotely
> access their desktops, for a variety of reasons.
>
> I would be interested in hearing if any other Universities allow this, and
> if so how you are providing secure access, or if you have any
> thoughts/comments on the matter.
>
We are forcing everyone to go dynamically assigned IP so the first 
hurdle is to give them a DDNS entry that tracks their workstation.  
After that we mention that our network is IPsec 'transparent' so they 
can even use preshared key'd IPsec to get to their workstation however 
they please and from wherever.

If people are NAT'ed then they need to be able to work out how to do SSH 
port forwarding off a box that *we* control (accessible via public key 
and/or OTP), however I also have a functional IPsec+L2TP server setup 
that seems to work nicely too for those 'unprepared' to learn the magic 
of SSH :) If you go for IPsec+L2TP, look into using DHCP static 
classless routes so you do not have to set your organisation's network as 
a default route for your roaming userbase.

The *last* thing you want to do is poke holes in firewalls for each 
workstation; with IPsec you get host based firewalls for free and it's 
reasonably straightforward for them to do.

One thing worth doing: block the IP ranges used by those "Log Me 
In"-esque services so users do not provision such services themselves.

Cheers

-- 
Alexander Clouter
.sigmonster says: Another megabytes the dust.
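
The DHCP classless static routes mentioned in the message above (RFC 3442, option 121), as an added example that is not part of the original post: it builds the option payload a server would hand to IPsec+L2TP clients and checks that no default route is being pushed. The prefixes and gateway address are constructed sample values.

```python
import ipaddress

def encode_classless_routes(routes):
    """Encode (destination CIDR, router) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr, strict=True)
        significant = (net.prefixlen + 7) // 8       # only the significant octets are sent
        out.append(net.prefixlen)                    # descriptor starts with the prefix width
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed  # router is always 4 octets
    if len(out) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes(out)

def decode_classless_routes(payload):
    """Decode an option 121 payload back into (destination CIDR, router) strings."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("prefix width %d is not valid for IPv4" % width)
        significant = (width + 7) // 8
        end = i + 1 + significant + 4
        if end > len(payload):
            raise ValueError("truncated route descriptor")
        dest = payload[i + 1:i + 1 + significant] + bytes(4 - significant)
        router = payload[i + 1 + significant:end]
        routes.append(("%s/%d" % (ipaddress.IPv4Address(dest), width),
                       str(ipaddress.IPv4Address(router))))
        i = end
    return routes

def pushes_default_route(payload):
    """True if the payload would route all client traffic through the tunnel."""
    return any(ipaddress.IPv4Network(dest).prefixlen == 0
               for dest, _ in decode_classless_routes(payload))

# Constructed sample values: two internal prefixes reached via the tunnel gateway.
SPLIT_TUNNEL = [("10.20.0.0/16", "10.20.255.1"),
                ("192.168.64.0/18", "10.20.255.1")]

if __name__ == "__main__":
    payload = encode_classless_routes(SPLIT_TUNNEL)
    print(payload.hex())
    print(decode_classless_routes(payload))
    print("default route pushed:", pushes_default_route(payload))
```
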


