Remote Access Question

[Aaron]

I've been using Logmein for a while now for emergency re-plates and issues from home, but my performance has always been a bit slow. I can get what I need done but the screen refreshing is slow for me and I was wondering if it had anything to do with the fact that I'm using an older PC at home and logging into an Intel MAC at work.

Our CSR's use Logmein and I watched them use it and it sure seemed to move faster than what I was experiencing and they are logging into a PC from a PC.

Anyone using a PC to log into a MAC? I'm hoping to get a MAC for home soon (been saving my pennies since 1977 to afford one) and wanted to know the best way to remote access my work MAC. Was thinking ARD would be faster than logmein but I have no idea.

[Joe]

I used ARD and was always unhappy with the speed. The only way I could get anything done was to reduce the colors all the way down to black and white. I connect now with either LogMeIn, but it seems it crashes a lot if I use Firefox (Safari doesn't seem to crash as much), or I use Chicken of the VNC (which is harder to configure as you have to open ports in the firewall). I connect Mac to Mac most times but I also connect Mac to PC and for that I use Microsoft Remote Desktop which is the best of all of them. It too requires opening ports on the firewall.

[Aaron]

Thanks Joe. What about the screen share I hear about with iChat. Ever tried that?

[Joe]

Nope, Never used it.

[mattbeals]

Maybe drop the color depth and screen size...

[Aaron]

I've tried that. Just not great performance.

How does the speed of a VNC compare to a VPN? I've wanted to setup a VPN in the past but haven't been able to spend the money or the router.

[mattbeals]

It must be Apples implementation of VNC then. Generally I've had pretty good luck working on my servers remotely with VNC. Now though, I use a VPN and Remote Desktop to access my Windows boxes.

As far as speed differences go there are some things to consider.
VNC is fast for viewing workstations/servers but is basically completely insecure. A VPN is very secure and only provides IP access to the remote network. As to how fast a VPN is is dependent on several factors such as your connection speed, your servers connection speed, how fast the VPN server is and how strong of encryption you are using. If you have a dedicated VPN appliance then speeds should be pretty good if you've got a good and fast connection. There's also the encryption algorithm itself and how fast it can be processed.

Depending on these factors you can get good speeds for remote desktop viewing (whether it be Terminal Services, Citrix or VNC). But if you are not getting satisfactory results with VNC/ARD then a VPN will not help anything. If anything the VPN connection will be a bit slower because of the encryption. I never copy files to and from using a VPN, I use FTP. On that note, part of setting up the VPN connection is do you want to route all network traffic over the VPN connection or not. If you do then the VPN connection will slow down more because all network activity will be passed through the VPN.

If you really want to use VNC for remote console access then you really should be doing so through a VPN. Services like LogMeIn use 256bit AES encryption, which is pretty darn good considering  your bank only uses 128bit encryption. You may want to see what other parameters you can set in Chicken Of the VNC to see if they can help speed things up. You should be able to define connection settings like "LAN", "Ultra fast" or "MediuM". On Windows using UltraVNC "Medium" is up to 256KB/sec and 256 colors. If you're just re-plating that should be plenty.

VPN's are necessary for remote access if you want to keep people from listening in casually or intentionally (unless they're using a "man in the middle attack" in which case you're screwed from the start).

Someone had asked about archiving emails for legal purposes. Rackspace Mail hosting has such a feature where everything sent and received is automatically BCC'ed to a storage email box. Rackspace can take your .mbox files (Apple/Thunderbird/Eudora, and others) and import them into your BCC mailbox. It's a great way to comply with retention policies and is pretty affordable. Best of all it's off-site and secure and crazy cheap. http://www.rackspace.com/email_hosting/archiving

[Aaron]

Thanks for the info Matt. I am trying to determine the most effective route for remote access to our network. Having a kid in about 6 months and plan on working from home every once in a while. Hoping to have a MacBook by then with software loaded and ready to rock.

[mattbeals]

Got to get a VPN then. It's not "easy" but it isn't difficult. Windows Server 2003 and 2008 have built in VPN servers that work just fine with any platform. Depending on your level of security you can use certificate to authenticate or simple user name/password authentication. You can also restrict access times and remote locations. All sorts of options depending on the level of paranoia/security de jour.

[Farabomb]

I've used Logmein countless times since I heard about it here. PC laptop to my Intel Mac and I really don't see any slow huge slowdowns. It's not like I'm sitting at work but I have done some minor revisions while at home without issue.

[Aaron]

Windows Server 2003 and 2008 have built in VPN servers that work just fine with any platform.

But I would still need a VPN router correct?

[mattbeals]

LogMeIn has performed pretty well for me except that the bit depth is so low that for some purposes it is unusable. Other considerations for a VPN is what all needs to be accessed? Do you have needs for remote computer management, out-of-band management, hardware management? Xserves have a remote management feature where you can remote boot, shutdown, restart servers using one of the NIC's. The other big server vendors have some sort of lights out management that gives you console access to the BIOS through a web browser. All of those kinds of needs require a VPN. If you have need to punch in and out via an electronic time clock or other similar business functions a VPN makes the most sense.

LogMeIn is a great "low tech" way to get into the idea of remote access. But I think you will quickly hit a wall with your functional needs and what LogMeIn can provide.

To put a VPN in place you do not need a VPN router or anything special. You can simply forward the TCP/UDP ports for LT2P or PPTP (different VPN technologies) to a Windows Server running Remote Access services. Then that Remote Access server hands out IP addresses to the remotely connected computer and makes the computer appear either on the "ususal" subnet or on a different subnet entirely.

Ideally you'd have a VPN server sitting somewhere on the public internet with a private connection of some sort into your network. A VPN appliance (such as a router with VPN services) is handy to have but not necessary. As long as you can forward the ports to a static IP address you can get in.

[Aaron]

I think I understand (although my brain is bleeding through my ears a little). I do have an extra Windows Server 2001 DELL box just sitting collecting dust at the moment (old Insite Server). Is there any documentation for setting it up as you described? I am a novice when it comes to networks. Know basics but not sure I can do everything you described.

Thanks for all your help Matt!

[mattbeals]

I don't know that you want to use Windows Server 2000, rather 2003 or 2008. Ideally you would use ISA Server 2006 or its next version (don't recall the name, Forefront Access?). As to the documentation, there is documentation out there but it's sketchy.

What server is handing out DHCP address, DNS and WINS? What is the router address? Can you set up your firewall to forward PPTP (port 1723) or LT2P (ports 500 and 1701) to the server  you want to use for VPN access? Are you using domain/active directory authentication?

Depending on the answers to these questions you may want to bring someone in to do it. It takes some trial and error to get it right. And it may make more sense to buy an appliance that handles this and sits out at the front of your network, just behind the router and in front of the rest of the network.

[Aaron]

Yeah, I have to lay down now.  :azn:

 I know the router address and that's about it. Our Prinergy and Insite boxes are Win Server 2003. But you say I shouldn't really use those. The owner is probably not going to let me buy anything right now so if I don't have what it take I'm probably SOL.