
Problem

We support hundreds of clients and have access to many of their servers via VPN/RDP (SSL VPN, Cisco VPN, MS VPN, etc.). The other kicker to this is we have to be able to let support employees in other departments of the company use these connections as needed for various projects, so there has to be some sort of interface to manage all the connections.

We were doing this through the use of a very dated version of VMWare Server (no longer available and unsupported) and an individual XP virtual machine for each client of ours. They send us their VPN installer and information (or .PCF file, etc.) and we set up a new VM with the needed VPN software and RDP shortcuts. Each user that needs access gets the old VMWare Server Console client installed on their machine and they view and work on the remote servers via this console.

There are too many issues with this method to list, but the most recent is XP/IE 8 VPN Support for these XP machines being phased out.

Attempts at Solving Problem

We've looked into numerous options that would allow us to manage many remote connections WITHOUT VPNs (Team Viewer, Citrix GoToAssist Unattended Access, etc.), but many clients still insist on their particular brand of security/VPN/Etc. and we don't try to dictate it.

We looked at trying to just move to a newer Hypervisor and use Win7 VMs instead of XP, but the cost for the licensing was high and the overhead to run the number of individual VMs we need is also too high (and thus, also cost-prohibitive).

We looked into VDI in a box that would allow us to maintain "master" images of desktop VMs that have numerous VPNs installed (obviously only VPNs that can play nicely while installed alongside one another). Our thinking was that this would require less licensing and maintenance (i.e. no individual VM for every client), but this would likely also require some investment in hardware/software we don't have. Again, this could get expensive.

We discussed talking to our Sales/Administration about limiting our client connection options in our licensing agreement/software contract, but they don't want to add anything that could be a barrier to a potential sale... I really feel like this is our best option, but it probably won't ever happen.

Summary/TLDR

We need to be able to connect remotely to a lot of servers and use a lot of different VPNs at the same time.

Our current solution was working, but was never ideal. Now it's failing fast and we need something else in its place.

We have considered lots of things, but a lot of them are expensive or we aren't sure if they are the best solutions available.

We're looking to find out what kinds of tools others use to manage this kind of rat's nest of server connections and we're trying to do it in a cost-effective way, or at least in a way that has enough longevity to provide return on investment.

Thanks in advance for your help,

Aaron

  • I hope anyone who reaches the flag button has read the question, and realizes it goes beyond simple tool recommendation and is likely on-topic. – Reaces Mar 12 '15 at 20:54
  • I know you don't want to restrict the clients used at all, but can you see how many of these VPNs could be connected to by a Linux-based client? If you could terminate most of your connections on a Linux client, then you could manage the whole set of them with a configuration management tool. Have you considered putting a device of your own within their network? A small raspberry pi sized device could create a connection to your network maybe? – Zoredache Mar 12 '15 at 21:43
  • @Zoredache Thanks for your reply. We actually tried this and we did make some headway. Unfortunately we have a lot of Cisco and MS VPNs and none of them work on Linux without some tinkering. Almost all of the web-based connections were fine, however. We also have to train some folks who aren't super tech-savvy how to use these VMs and Linux is a whole other can of worms to them. – Aaron Mar 13 '15 at 15:59

1 Answer


That's quite a unique problem to be solved.

Your old solution sounded like it worked for you, so there's got to be a cheaper way continuing what you were doing.

A free thing would be to replace VMWare Server with VMWare ESXi (Or Hyper-V, see below) and then import your old VMWare Server VMs to get onto a supported platform.

Windows Server Datacenter edition has the advantage of allowing unlimited virtualisation rights if you have licensed the correct number of sockets (or is it cores these days?) for the hosts that the VMs will be running on. Assuming you can fit them all in a single dual-socket host, your Windows licensing costs could be around $6,000 (or whatever it costs in your area of the world).

The only other thing I can think of right now is to connect as many of the VPNs as you can with a router. Something cheap but powerful like a Mikrotik RB2011UiAS-RM supports L2TP, PPTP, IPSec and OVPN connections. You could just connect them server-side and then do routing rules to get the traffic to the correct destinations, and your users can just work off their existing PCs. You would need to NAT into the VPNs as I'm guessing they are server-client VPNs and not site-to-site VPNs that you're being provided with. But this won't help with SSL based VPNs, AnyConnect VPNs, or any other proprietary VPN formats.

Mark Henderson
  • `Server Datacenter edition has the advantage of allowing unlimited virtualisation rights` - That is only for Windows Server VMs right? I didn't think you could use a Workstation edition of Windows without additional licenses. – Zoredache Mar 12 '15 at 21:31
  • For the Routing suggestion were you thinking one router per client? If not you would almost certainly have to deal with some seriously complex configurations. Having a wide variety of clients almost certainly means you will have a large number of clients with overlapping private address space, trying to manage that all with a single router, and get the ACLs right so you don't build tunnels between clients would be extremely complex. – Zoredache Mar 12 '15 at 21:36
  • Not sure of the specifics, but a Windows Server VM per customer should serve the author the same as a Windows XP/7 per customer would. – Cosmic Ossifrage Mar 12 '15 at 21:39
  • @Zoredache Correct, only for server VMs. I'm thinking that instead of deploying a Windows 7 VM, just deploy a Server 2012 R2 VM. As per the routers, well a single router per client would not be too expensive. The real issues are going to be customers that have overlapping address space (of which there will be a lot, I'm guessing). I haven't really thought it through, but yeah multiple routers would be required. There are cheaper Mikrotiks that are not rack mounted that might be another option. Maybe have one configured for each client, and plug the user's PC into it as required? Dunno. – Mark Henderson Mar 12 '15 at 22:11
  • @MarkHenderson Thank you for the reply. I greatly appreciate it. I think we're going to end up doing exactly what you describe, we're also going to make the push to limit remote access options for support. Right now we're just trying to minimize the number of active VMs we need running to support these connections so we can hopefully have a few default images. Although I was hoping to hear "Oh, this is a common problem for those who provide remote support, just buy XYZ.", it's helpful to have our existing home-brewed option validated as our only real choice. – Aaron Mar 13 '15 at 15:55
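The answer's router-based approach and the comment about overlapping private address space both hinge on one planning question: which client VPNs can share a routing table at all, and which pairs must be kept apart so no path exists between two customers. The script below is an added example, not code from the thread; the client names and subnets are constructed, and the greedy grouping is an assumption about how one would split clients across routers.

```python
"""Plan how many routers a set of client VPNs needs and which pairs must be isolated.

Added example with a constructed inventory. Each client lists the private ranges
reachable through its VPN. Two clients whose ranges overlap cannot share one
routing table; clients that do share a router need an explicit deny between them
so the router never forwards traffic from one customer's tunnel into another's.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory: client -> remote subnets behind its VPN
CLIENT_SUBNETS = {
    "client-a": ["10.0.0.0/24", "192.168.1.0/24"],
    "client-b": ["10.0.0.0/16"],
    "client-c": ["172.16.5.0/24"],
    "client-d": ["192.168.1.128/25"],
}


def find_overlaps(inventory):
    """Return sorted (client1, net1, client2, net2) tuples for cross-client overlaps."""
    entries = [(c, ip_network(n)) for c, nets in inventory.items() for n in nets]
    hits = []
    for (c1, n1), (c2, n2) in combinations(entries, 2):
        if c1 != c2 and n1.overlaps(n2):
            hits.append((c1, str(n1), c2, str(n2)))
    return sorted(hits)


def plan_routers(inventory):
    """Greedy split: a client joins the first router whose routes it does not overlap.

    Returns a list of sorted client-name lists, one per router.
    """
    routers = []  # each item: (set of client names, list of routed networks)
    for client, nets in inventory.items():
        networks = [ip_network(n) for n in nets]
        for members, routed in routers:
            if not any(r.overlaps(n) for r in routed for n in networks):
                members.add(client)
                routed.extend(networks)
                break
        else:
            routers.append(({client}, list(networks)))
    return [sorted(m) for m, _ in routers]


def isolation_pairs(router_groups):
    """Client pairs sharing a router that need an explicit deny rule between them."""
    return sorted(p for group in router_groups for p in combinations(group, 2))
```

Run `find_overlaps` first: every hit is a pair that cannot be NATed into the same router without extra address translation, and `isolation_pairs` lists the deny rules each router still needs for the clients it does carry.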