Understanding VPN, TS or both


Guest compsosinc@gmail.com
Posted

We are setting up a remote location that will connect to our main
office for the purpose of running our accounting application. At the
main office, the application is client-server based, so it is
currently installed locally on the (15) XP desktops and they access
the Pervasive-SQL database that is located on a shared drive on the
Windows 2003 Server that is also the Domain Controller (DC). We will be
running (10) XP Pro desktops at the remote location, and there is not
a server there. The desktops will print to network-based printers.

Both locations have cable-internet with Static IPs with 3Mb download/
768Kb upload. The remotes will be using the Internet.

 

Obviously, we want the most secure & speedy setup we can get. Our
accounting software vendor says a terminal server (TS) is not
necessary but a VPN would probably be too slow.

Confusion: So what would be the other choice??

Here is what we are considering:

1. Purchase another server to be the TS, install the accounting app on
it just like it is a workstation, and physically set it up at the main
office next to the DC. Remotes would login to the TS and run the app
from it.

 

Our questions/confusion is the following:

Option 1: Do we purchase (2) VPN-capable routers, such as Linksys
RV082s, and establish a tunnel for the TS session to run through? If
so, can anyone recommend different routers - such as something from
Cisco and point out the pros/cons (security, IT maintenance, setup,
reliability) of this approach.

or:

Option 2: We connect to the TS without a VPN. First off, how do we
connect to the TS without a VPN - what hardware (routers) etc do we
need. Please state pros/cons here too.

or:

Option 3: Do not purchase a TS, but directly VPN to the DC. How
unsecure is it, etc. What are the advantages of a TS vs. connecting to
the DC. What hardware would we buy.

Note: Assume cost is not a factor as we think we need to spend what
gives us the best setup for reliability, speed, security. Though we
don't want to overkill the router hardware, but not convinced we
should just buy the SOHO devices.

 

Thanks!

Posted

Re: Understanding VPN, TS or both

 

Comments inline...

 

compsosinc@gmail.com wrote:

> We are setting up a remote location that will connect to our main
> office for the purpose of running our accounting application. At the
> main office, the application is client-server based, so it is
> currently installed locally on the (15) XP desktops and they access
> the Pervasive-SQL database that is located on a shared drive on the
> Windows 2003 Server that is also the Domain Controller (DC). We will be
> running (10) XP Pro desktops at the remote location, and there is not
> a server there. The desktops will print to network-based printers.
>
> Both locations have cable-internet with Static IPs with 3Mb download/
> 768Kb upload. The remotes will be using the Internet.
>
> Obviously, we want the most secure & speedy setup we can get. Our
> accounting software vendor says a terminal server (TS) is not
> necessary but a VPN would probably be too slow.

Unless their software is specifically optimized for use over
low bandwidth links it is likely that it will perform poorly [if not
run via TS]. I have seen client-server SQL apps that run fine
over as low as modem speeds, but they were designed with
that in mind.

Sadly many (most?) assume that there is a high speed link
between the client and server and make common scalability
mistakes such as pulling large amounts of data down to the
client unnecessarily.

Factor in that you will be running 10 machines concurrently
over a link that (at best) will be 768Kbps and it is not surprising
the vendor said it would probably be too slow.

>
> Confusion: So what would be the other choice??
>
> Here is what we are considering:
>
> 1. Purchase another server to be the TS, install the accounting app on
> it just like it is a workstation, and physically set it up at the main
> office next to the DC. Remotes would login to the TS and run the app
> from it.

This sounds good. You still need to make sure that
you will have enough outgoing bandwidth at the primary
location to meet your needs and that the new TS server
has enough RAM and CPU for the load. For example, you
need to consider how much printing will occur, what other
purposes the bandwidth is used for (sending email attachments,
etc.), how much bandwidth your accounting app uses under TS.

Pilot tests where you measure bandwidth/RAM/CPU used
under normal conditions are essential. You may need to
use a universal printer driver solution to minimize printing
bandwidth and set connection color depth to 8-bit (256 colors).

>
> Our questions/confusion is the following:
>
> Option 1: Do we purchase (2) VPN-capable routers, such as Linksys
> RV082s, and establish a tunnel for the TS session to run through? If
> so, can anyone recommend different routers - such as something from
> Cisco and point out the pros/cons (security, IT maintenance, setup,
> reliability) of this approach.

Pro:
- Extra layer of security

Cons:
- More complex to set up
- VPN will sometimes go down under slightly poor network conditions
- Equipment cost is a little higher

>
> or:
>
> Option 2: We connect to the TS without a VPN. First off, how do we
> connect to the TS without a VPN - what hardware (routers) etc do we
> need. Please state pros/cons here too.

For this you simply forward the incoming TS port on your
primary location's router to the terminal server's internal
address. Users at the remote location connect to the
external IP address of the primary location.

Pros:
- Easy to set up
- Existing router will probably work
- Connections are less likely to go down during slightly poor network conditions

Cons:
- Slightly less secure than VPN; this can be mitigated by using an IPsec/router rule to only allow TS connections from the remote office's public IP (remember, TS connections are already encrypted)

>
> or:
>
> Option 3: Do not purchase a TS, but directly VPN to the DC. How
> unsecure is it, etc. What are the advantages of a TS vs. connecting to
> the DC. What hardware would we buy.

Not really an option because of poor performance. If you could get
a faster outgoing speed (3-6Mbps or higher) at the primary location
then it *may* work fine. Depends on your application; first test, measure,
and test again to be certain before rolling this out.

>
> Note: Assume cost is not a factor as we think we need to spend what
> gives us the best setup for reliability, speed, security. Though we
> don't want to overkill the router hardware, but not convinced we
> should just buy the SOHO devices.
>
> Thanks!

You are welcome.

What you are contemplating has the *potential* to run very
well with your existing Internet connections and a new TS
server, however, you need to do your testing and analysis before
you know for sure.

 

-TP
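
An added example, not part of the original thread: one way to check a router's port-forward list against the Option 2 mitigation in the reply above (TS reachable only from the remote office's public IP). The rule format, rule names and addresses are constructed assumptions; 3389 is the default Terminal Services port.

```python
import ipaddress

TS_PORT = 3389  # default Terminal Services (RDP) TCP port

# Constructed sample: port forwards as they might be exported from the main
# office router. Field names and addresses are illustrative assumptions.
SAMPLE_FORWARDS = [
    {"name": "ts-remote-office", "proto": "tcp", "ext_port": 3389,
     "int_ip": "192.168.1.20", "int_port": 3389, "source": "203.0.113.10"},
    {"name": "ts-any", "proto": "tcp", "ext_port": 3390,
     "int_ip": "192.168.1.20", "int_port": 3389, "source": "0.0.0.0/0"},
    {"name": "ts-isp-range", "proto": "tcp", "ext_port": 3389,
     "int_ip": "192.168.1.20", "int_port": 3389, "source": "203.0.113.0/24"},
    {"name": "ts-no-source", "proto": "tcp", "ext_port": 3391,
     "int_ip": "192.168.1.20", "int_port": 3389},
    {"name": "smtp", "proto": "tcp", "ext_port": 25,
     "int_ip": "192.168.1.10", "int_port": 25, "source": "0.0.0.0/0"},
]


def audit_ts_forwards(forwards, allowed_sources, ts_port=TS_PORT):
    """Return (rule name, problem) for each TS forward open beyond the allowlist."""
    allowed = [ipaddress.ip_network(s) for s in allowed_sources]
    findings = []
    for fwd in forwards:
        # A forward reaches the terminal server if either side uses the TS
        # port; a remapped external port (3390 -> 3389) is still exposure.
        if fwd["proto"] != "tcp" or ts_port not in (fwd["ext_port"], fwd["int_port"]):
            continue
        # A missing source restriction means the rule accepts any address.
        source = ipaddress.ip_network(fwd.get("source", "0.0.0.0/0"))
        if source.prefixlen == 0:
            findings.append((fwd["name"], "open to any source address"))
        elif not any(source.subnet_of(net) for net in allowed):
            findings.append((fwd["name"], f"source {source} is not covered by the allowlist"))
    return findings


if __name__ == "__main__":
    # 203.0.113.10 stands in for the remote office's static public IP.
    for name, problem in audit_ts_forwards(SAMPLE_FORWARDS, ["203.0.113.10"]):
        print(f"{name}: {problem}")
```
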

