Buyers (and non-buyers) guide to secure remote access


From free tools to scalable services and network solutions, businesses have numerous options for keeping mobile and remote workers connected

It always seems to happen. You finally take a couple of days off from work and head to the beach for some sun and sand. Inevitably, someone needs a piece of information only you can provide, and it's locked away on your office PC. Is it time to pack up the cooler and head back to the car?

Not if your office computer is set up for remote access. With a remote access solution, you can easily access your PC (or Mac) and answer the urgent question, all while sipping a drink with your toes in the sand.

Sound too good to be true? It isn't. There are a number of different solutions available to help make this a reality. In this guide, I'll cover the different types of remote access solutions, their advantages and disadvantages, their technical requirements, and what you can expect as far as usability.


Let's get one thing straight right off the bat -- accessing your computer from outside the physical building is not something only Fortune 500 companies are capable of doing. There are many options available, from free and low cost to moderately expensive, that will allow you to access your PC from a remote location. All of them provide you with a way to connect to your office computer, run programs, and work with your files and data -- no more copying files to a USB drive to work on at home, and no more feeling cut off from the office while on vacation. Secure remote access is something that every business, big or small, should be doing to be more productive.

Free and low-cost remote access utilities
The adage "you get what you pay for" doesn't necessarily hold true when it comes to free and low-cost remote access solutions. There are quite a few utilities available that provide better than adequate performance and capabilities for little or no cost. Microsoft has provided its Remote Desktop Connection tool for years, and a number of other utilities, most notably the VNC-based programs, are available for download and installation on your office PC or Mac.

For Remote Desktop Connection, the remote component is built into versions of Windows from Windows XP through Windows 7, and users of Windows as far back as Windows 95 can download the client directly from Microsoft to add that functionality to the older systems. Unfortunately, only the Professional editions of Windows XP, Vista, and Windows 7 are capable of being remotely controlled; the service isn't available for any other versions.

VNC-based utilities, such as UltraVNC and TightVNC, include both server and client components that can be installed on a wide range of Windows operating systems. For users of Mac OS X 10.5 or 10.6 (i.e., Leopard and Snow Leopard), VNC is built into the operating system.

As mentioned earlier, setup for these types of remote access tools requires changes to your firewall/router to forward specific TCP/IP ports to the computer you want to control. Thus, this type of remote access solution doesn't scale very well beyond a single user. It is possible to use additional ports to control other computers, but juggling multiple port forwarding settings can quickly become an administrative nightmare.

Security isn't much of an issue with these utilities as long as good password policies are in place, but any time you open up ports in the firewall, you are exposing a device to the Internet. In addition to using strong passwords, make sure that each PC set up for remote access has up-to-date antivirus installed on it, too.

Commercial remote access tools
In the same category as Remote Desktop and VNC are commercial remote access programs. Like the free tools, these also combine a server/host component and a client that must be installed on the remote system. Among commercial remote access packages, Symantec's pcAnywhere is one of the oldest and most popular. It goes beyond simple remote access to provide additional features such as multimonitor support, better logging to meet compliance requirements, and the ability to connect to a variety of operating systems, including Windows, Mac, and Linux.

Another program that has been around for years is Laplink Gold. It provides many of the same features as pcAnywhere and can even connect two PCs via USB cable for file synchronization and transfer.

While the commercial packages have nice extras you won't find in free tools, they share the same firewall issues noted above. You still have to open up specific ports on your firewall to allow a connection, and the port forwarding requirement means they don't scale well. Nevertheless, the cost of these packages is a mild trade-off for the additional features and the ability to call technical support should the need arise.
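To make the port forwarding exposure described for both the free and the commercial tools concrete, here is an added example (not part of the original article) that inventories a firewall's forwarding rules and lists every one that publishes a remote-control service. It assumes a Linux-based firewall whose rules are exported in iptables-save format, IPv4 addresses, and one port per rule; the sample rules are constructed, and the port numbers are the tools' well-known defaults.

```python
import shlex

# Well-known default TCP ports of the tools the article names.
REMOTE_ACCESS_PORTS = {3389: "Remote Desktop", 5900: "VNC", 5631: "pcAnywhere"}

# Constructed sample (iptables-save format); addresses and ports are invented.
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.11:3389
-A PREROUTING -s 203.0.113.7/32 -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.20:5900
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.5:443
"""

def parse_dnat(line):
    """Parse one iptables-save line; return None unless it is a DNAT rule."""
    if not line.lstrip().startswith("-A"):
        return None
    tok = shlex.split(line)
    if "DNAT" not in tok:
        return None
    opt = {}
    for i in range(len(tok) - 1):
        negated = i > 0 and tok[i - 1] == "!"   # "! -s x" is not a restriction
        if tok[i] in ("-s", "--dport", "--to-destination") and not negated:
            opt[tok[i]] = tok[i + 1]
    host, _, port = opt.get("--to-destination", "").partition(":")
    port = port or opt.get("--dport", "")       # no port given: same as external
    return {"source": opt.get("-s"),            # None means any Internet host
            "ext_port": opt.get("--dport"), "host": host,
            "int_port": int(port) if port.isdigit() else None}

def audit(rules_text):
    """Return the forwards that publish a remote-control service."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_dnat(line)
        service = REMOTE_ACCESS_PORTS.get(rule["int_port"]) if rule else None
        if service:
            rule["service"] = service
            rule["open_to_any"] = rule["source"] in (None, "0.0.0.0/0")
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        scope = "ANY source" if f["open_to_any"] else f"only {f['source']}"
        print(f"{f['service']:15} ext {str(f['ext_port']):>5} -> "
              f"{f['host']}:{f['int_port']} ({scope})")
```

The second sample rule shows the "additional ports" arrangement: a nonstandard external port (3390) still leads to Remote Desktop on a second PC, so the check keys on the internal port rather than the external one.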

You'll also find that these programs are very easy to use. Each one has built-in technology that improves screen transfers and reduces the latency and delays inherent in an Internet connection. This makes the remote control experience seem more like you are sitting at the computer and helps to reduce the irritation that comes when you have to wait for the other system to catch up.

Cloud-based remote access services
One remote access option that's growing in popularity is the hosted solution. A hosted remote access solution is an online service that acts as a gateway between you and your office computer. It requires a small program to be installed on both the host and remote computers. The program on the office PC establishes a connection through the firewall to the Web-based service. When you want to connect to your PC, you simply log into the Web-based service, and the Website brokers the connection.

Popular services that fall into this category are GoToMyPC, LogMeIn Pro, and TeamViewer. Each of these programs has both a Windows and Mac version, and all but TeamViewer allow connections from a Web browser.

One great advantage to cloud-based remote access services is that they don't require any changes to your firewall -- no open ports forwarded in to your computers. This also means they scale well and don't have the administrative overhead that the likes of VNC, Remote Desktop, and pcAnywhere require. Even though they use a small program to "call out" to the hosting Website, the installed portion typically has a very small footprint and doesn't consume any resources when idle.

The biggest downside to hosted remote access solutions is that you often have to pay for them. For noncommercial users, TeamViewer and LogMeIn offer free accounts (which I've reviewed for InfoWorld), but for commercial use, such as in a small business, you can expect to pay a small monthly or yearly fee. For many, the fee is a small price to pay (no pun intended) for not having to worry about firewall rules and management.

Remote access over VPN
With this type of remote access, we start to move beyond what a typical small business either can afford to deploy or has the technical experience to support. Before I get into the pros and cons of remote access over VPN, let me briefly explain what a virtual private network (VPN) is.

All networked computers and network devices have an Internet Protocol (IP) address assigned to them. Each network has a unique IP address range, and because each network is usually protected by a firewall, computers on one network typically don't have direct access to another.

A VPN allows you to bridge these segregated networks. To create a VPN, you must have a VPN-capable firewall on one end and a VPN software client, usually based on IPsec, on the other. By establishing a VPN connection from your laptop on the beach to your office network in St. Louis, your laptop appears to be part of the office network and not really a thousand miles away. Think of it as a network cable stretched from the office to the beach. Your laptop appears to be physically connected to the network but is actually tunneling through the Internet.

The VPN connection eliminates the port forwarding issues in the free and commercial remote access packages. Now you can remotely connect to any computer on the office network, instead of being limited to one or two. You can also access printers and other resources because the VPN makes your laptop a full-fledged member of the network.

Any remote control program will work over an IPsec VPN connection. Remote Desktop, VNC, pcAnywhere, Laplink -- they all work the same over the VPN. Plus, because traffic over the VPN is encrypted, remote access becomes even more secure. Not only is your remote PC protected behind a firewall and locked down via user names and strong passwords, but the very connection into the network itself is safe from potentially prying eyes.

Remote access via SSL VPN
The SSL VPN takes the virtual private network concept a little further. This is a form of remote access that uses your Web browser to establish a secure connection to your office without requiring additional software on your laptop. However, it does require a very specialized appliance on your office network that brokers your connection to the various network resources.

An SSL VPN appliance provides connectivity to network resources by proxying, or relaying, your requests through the appliance to the appropriate resource. SSL VPNs allow direct access to Web servers and email, as well as to Windows- and Web-based applications. Some can also provide direct "IPsec style" network-level access to servers and desktops.

An SSL VPN is superior to an IPsec VPN in many ways. First, it gives the network administrator a fine level of control over who can access what resource. Second, because the secure connection is based on SSL (encryption built into every Web browser), no additional software client must be installed or maintained. Third, the current crop of SSL VPN appliances can all do some manner of integrity check on the client to make sure it doesn't pose a security risk to the network. This integrity check can take the form of a scan to make sure the laptop's antivirus is enabled and its signatures are up to date, that it has the proper operating system patches installed, and even that the connecting computer has a particular Registry entry (a form of secret key).

The big drawback to using an SSL VPN is cost. A typical SSL VPN can run anywhere from a few hundred dollars to tens of thousands of dollars. The benefits are huge when compared to the amount and type of access they provide, but the payoff is typically reserved for companies who need to connect many remote users with many network resources. An SSL VPN is going to be overkill for all but the deepest of small-business pockets.

Microsoft Small Business Server's Remote Web Workplace
For smaller businesses, one compelling form of secure remote access comes with Microsoft Small Business Server 2003 and 2008. SBS is a bundle of Microsoft technologies specifically addressing offices with fewer than 75 users. It includes file and print services, Exchange email and calendar, and SharePoint Services collaboration and document sharing. It also comes with Remote Web Workplace, a Web-based portal to the server and PCs on the network. Much like an SSL VPN, you would connect to the SBS server using your Web browser. Once logged in, you can access your Exchange email through Outlook Web Access and connect to a client PC such as your office computer.

Remote Web Workplace bridges your connection from the beach in through the firewall and over to your office desktop, all without any additional software on your laptop. It does, however, require a little initial setup in the form of open ports in the firewall and the SBS server's SSL certificate installed on your laptop. Setup is a lot like standard Remote Desktop Connection, but the end result is more like an SSL VPN. All you need is Internet Explorer on the remote system, and then you can access any PC or server on your office network.


The downside to using SBS is that it has to be the "first" server on your network -- that is, SBS can't be added to an existing Microsoft Active Directory domain. If you've already built a network on Microsoft servers, then SBS probably isn't for you. If you don't have a network, or at least not one with Active Directory installed, SBS is a great way to get a lot of very useful technology for a great price.

As you can see, there are many ways to skin the proverbial cat when it comes to remote access. I've used every form of remote access discussed here at one time or another, and there isn't a day that I don't fire up at least one of them to either work from my home office or provide remote assistance to one of my clients. For me, remote access is an indispensable tool. If you're looking to spend more time with the family or at the beach -- and still get some work done -- it could be an indispensable tool for you too.
