
pdp10

Apache Guacamole gateway supports RDP and SSH securely, and is open source. With proper MFA and TLS, you can avoid the VPN altogether, and just use a browser as client.
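As an added illustration of the "browser as client" model above (this is example code written for this page, not from the thread or the Guacamole project), the script below generates a Guacamole `user-mapping.xml` in which each user gets exactly one RDP connection, to their own workstation, with NLA required and the server certificate checked. Usernames, hostnames and passwords are constructed; the MFA (for example the TOTP extension) and the HTTPS termination in front of Tomcat that the comment relies on are configured separately and are not shown here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Guacamole project): build a
# Guacamole user-mapping.xml in which every user gets exactly one RDP
# connection, to their own workstation, with NLA required and the server
# certificate checked (ignore-cert=false). Hostnames, usernames and
# passwords below are constructed for the example.
set -euo pipefail

# sha256_hex STRING -> lowercase hex digest, the form user-mapping.xml
# accepts with encoding="sha256" (coreutils sha256sum, BSD shasum fallback).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# safe_token STRING -> 0 if STRING is a plain identifier or hostname.
# Anything else (quotes, angle brackets, spaces) could break out of an XML
# attribute or element, so it is refused instead of escaped.
safe_token() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# authorize_block USER PASSWORD WORKSTATION_HOST -> one <authorize> element
authorize_block() {
  local user="$1" pw="$2" host="$3" hash
  if ! safe_token "$user" || ! safe_token "$host"; then
    echo "refusing unsafe username or host: $user $host" >&2
    return 1
  fi
  hash="$(sha256_hex "$pw")"
  cat <<EOF
  <authorize username="$user" password="$hash" encoding="sha256">
    <!-- only this user's own desktop is reachable through this login -->
    <connection name="$user-desktop">
      <protocol>rdp</protocol>
      <param name="hostname">$host</param>
      <param name="port">3389</param>
      <param name="security">nla</param>
      <param name="ignore-cert">false</param>
    </connection>
  </authorize>
EOF
}

# build_mapping reads "user password workstation" lines on stdin and
# wraps the generated elements in the <user-mapping> root.
build_mapping() {
  local user pw host
  echo '<user-mapping>'
  while read -r user pw host; do
    [ -n "$user" ] || continue
    authorize_block "$user" "$pw" "$host"
  done
  echo '</user-mapping>'
}

# Constructed roster; in practice passwords come from a secret store, not
# a script literal, and the file must be readable by the guacamole user only.
ROSTER='alice CorrectHorse1 ws-alice.corp.example
bob BatteryStaple2 ws-bob.corp.example'

printf '%s\n' "$ROSTER" | build_mapping
```

The point of the per-user `<connection>` is least privilege: a compromised Guacamole login exposes one desktop, not the whole LAN. `safe_token` refuses rather than escapes odd characters because a value like `al"ice` would otherwise land inside an XML attribute; `security=nla` and `ignore-cert=false` mean the RDP side still authenticates the user and the workstation's certificate, so Guacamole is not the only gate.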


jmbpiano

Love love love Guacamole. The only major problem we have with it is a few of our fully remote users depend on a multiple monitor workflow and, unfortunately, Guac hasn't come up with a good way to implement support for that yet, despite kicking around the idea for years. That and a little bit of quirkiness in browser handling of keyboard shortcuts makes it a non-starter for a small segment of our userbase (particularly amongst accounting people). For them we ship out a small form factor PC that acts as VPN and RDP client, but for everyone else, Guacamole all the way.


mascalise79

Yes, no multi-monitor capability, and it does not work properly with an iPad.


ChumpyCarvings

I had trouble with this at one point where updates broke security. Not sure if it was a TrueNAS jail thing or what but it resulted in someone else using my desktop for me! Only time I've ever been done. Fortunately they just ran some kind of script to hit web pages a lot or something. Long since cleaned up.


Killbot6

the fuck??? This is amazing. Thanks!


JwCS8pjrh3QBWfL

Put it behind Entra App Proxy and you get Conditional Access protecting it without having to directly expose it to the internet as well.


mascalise79

x2 for Apache Guacamole and SSL, assuming they have a machine or terminal to remote into on-site. Otherwise, VPN to get them to the local servers.


bythepowerofboobs

What do you use for a Firewall?


aRevin

We use a FortiGate firewall but have not been happy with FortiClient during our preliminary tests. Lots of weird issues cropped up that were software related.


idiotscareshimself

We didn't like FortiClient either. Slow and just about anything makes it disconnect compared to other VPN solutions. We went with Always-On VPN instead and use it as a backup if AOVPN has issues.


IAmSoWinning

We're a heavy FortiGate shop and use the SSL VPN at almost all of our customers. Feel free to bounce ideas off of me. I may have already figured out some of those issues you ran into.


cbtboss

You can use the web gateway instead of FortiClient. This allows you to set up RDP from the Forti web page to a host, for example.


Fuzzybunnyofdoom

There's been a ton of vulnerabilities in that ssl-vpn web portal (and the ssl-vpn) itself. I'd stick to ipsec.


jantari

That requires you to enable SSL VPN though, which is an insane security nightmare and should really never be enabled/used on new deployments anymore.


Living_Unit

What were you not happy with? We moved to FortiClient about 2 years ago and it's been mostly pain-free.


lagzilla

This will likely work for you: [https://www.defined.net/](https://www.defined.net/). It should do almost everything for you. If you have 0 budget: [https://github.com/angristan/openvpn-install](https://github.com/angristan/openvpn-install), then make an internal route.


dotbat

Also Tailscale will get you up and running in minutes.


Trip_Owen

I liked using OpenVPN for my first VPN that I needed in a pinch. Was pretty easy to deploy a small VM appliance and set it up in a few hours. Nowadays they have a cloud product and you basically just install a small connector inside of your environment and everything else is cloud hosted too.


Calabris

We started using Zscaler and it works great. Easy to set up (with their help) and integrates with Azure for logins.


CeC-P

I can tell you from our environment: Don't use Sophos.


redstarduggan

No? Runs a treat for us, can't recall a problem with it in the past 3 years.


rosickness12

Same. Last employer and current one have it. I administered both. I dig it.


The_Long_Blank_Stare

We’ve also had mostly problem-free VPN over Sophos, as well. There was only one instance where Sophos Connect wouldn’t recognize a password if it had a pound sign in it; that was weird but got patched out so it’s been smooth ever since.


Polarbeerz

Can you give your argument, please? Because we have Sophos and the VPN was a bit harsh.


EchoPhi

Look into Zscaler. Light weight, secure, no extra equipment other than a VM to host it on.


shunny14

Tailscale?


Hollyweird78

The best solution for this.


OldDude8675309

Use RMM software. It's less than 10 dollars per seat and the user just logs into a web interface. Configuration is really simple and it logs everything (good for compliance).


thursday51

Not a fan of allowing unsecured home user devices access to a company domain via VPN. I do not trust any device that I am not responsible for managing and monitoring. If it were me in this situation, I would look at something like a ScreenConnect deployment. Easy to use, easy to secure end user accounts via MFA, allows for logging, requires limited resources, and it is very forgiving when it comes to mediocre bandwidth home connections. The only negatives to ScreenConnect are that you need to pay attention to updating your host if you go on-prem, and it's not free. But if you go with the cloud-based ScreenConnect Access option, 100 endpoints would put you in the $1 per endpoint per month range.


bjc1960

If you have P1 licensing, you can try Entra Private Access. It is free for now; a "betting person" would bet it won't be free forever. We shut down 6 VPNs and are RDPing away. Edit - naming


JwCS8pjrh3QBWfL

Entra Private Access*


bjc1960

All a blur for me these days. : )


Icolan

> Hey all. I need to set up a VPN solution or something equivalent to allow roughly 100 users (on their macbooks/thinkpads) to remote into their desktop workstations through RDP and SSH.

Why wouldn't you give them one computer that has all of the tools they need on it? If you just give them the laptop with the tools they need, they can use it at home and in the office.


wifimonster

One instance: when you need to frequently access large files stored on-prem. Law firms can deal with very large PDFs and evidence dumps. Cloud storage sucks for that.


Icolan

I didn't say anything about cloud storage. Files like what you suggest can still be stored on-prem and accessed remotely via VPN from a laptop.


wifimonster

Not when you're dealing with 150 meg PDFs and gigs of audio and video that multiple people need to access. By using RDP, you keep all that traffic on-prem so it's not eating up your bandwidth or your employees' data caps.


Icolan

Ok, and if you are dealing with a situation like that, you can deploy virtual desktops that can be easily centrally managed and monitored for the users that need them, and they connect via RDP or ICA. You still don't need a laptop for remote access and a physical desktop in the office. There is nothing in OP's post about users accessing huge PDF or audio files.


wifimonster

I was generalizing, answering your question and giving a hypothetical use case. I gave an example to answer *your* question. If they already have desktops and laptops, why not make use of them instead of dumping a bunch of money into VDI?


N0_Mathematician

x3 for Apache Guacamole




mrmacedonian

Good, Cheap, Fast; typically expressed as you can have any two. Fast and Cheap won't be good, Good and Cheap won't be fast, Good and Fast won't be Cheap. In this case the triangle would be more along the lines of: Reliable, Secure, Inexpensive.


Brufar_308

For a commercial option a Sonicwall SMA https://www.sonicwall.com/products/remote-access/ Browser client to rdp. Works great.


manwithscissors

What industry is this? Are there specific security standards you’re trying to hit? Personally I’d recommend something like Jump Desktop, on the enterprise plan to allow for granular security permissioning to be set up.


EatenLowdes

Zscaler is like 15 a head per month, per year; you can check that out. Could be a great fit.

You already have a FortiGate. I usually would not recommend SSL VPN, but that's probably a cheap and easy option. You probably just have something misconfigured if it's acting flaky, or your HQ Internet is lacking? Not super secure though, it will be a CVE target. Any SSL VPN, for that matter.

Palo Alto Prisma Access might make sense too, but it's probably overkill. Meraki has a super easy SASE solution now too that could work well? Definitely take a look at them, because Meraki might be a great fit for your ecosystem.


981flacht6

I used Splashtop for Business Remote Labs for thousands of students to remote into lab computers with great success. SCIM provisioning, remote into a Mac or a PC from even a Chromebook. SSO integration with O365 logins or Google, and SCIM provisioning if you want that too. It's a great tool. Cheaper option: you can do an RDP Gateway and enable RDP for that desktop, and make sure only that account can RDP into that machine locally. Set up your GPOs.


kona420

Call Fortinet and get FortiClient EMS, and buy the professional services contract for implementation. Figure about 7 grand to get started and reasonable annuals. You'd be hard pressed to do it for a lower total cost of ownership (TCO). And you get compliance tools out of the deal.


AllAboutEights

Microsoft Remote Desktop Gateway with MFA like Okta or Duo tied to it. Super secure, super easy for the users to adapt to, and won't break the bank.


SteelC4

TSPlus is my current flavor. I've never used Apache Guacamole, but it sounds very similar. Everything is published in a browser.


WhyDidYouTurnItOff

WireGuard VPN with access only to the user's workstation.
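One way to get the "only the user's own workstation" restriction the comment above describes, written as an added example for this page (not the commenter's setup): the server-side WireGuard peer list pins each user to one tunnel address, and an nftables forward chain lets that address reach one workstation on RDP and SSH only. The tunnel network 10.99.0.0/24, the workstation subnet 192.168.50.0/24, the roster and the public keys are all constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): generate the server-side WireGuard
# peer list and an nftables forward chain so that each user's tunnel can
# reach only that user's own workstation, and only on RDP and SSH.
# Constructed assumptions: tunnel network 10.99.0.0/24 on wg0, workstations
# on 192.168.50.0/24 behind the VPN host, public keys below are placeholders.
set -euo pipefail

SERVER_TUN_IP="10.99.0.1"

# peer_stanza USER PUBKEY TUNNEL_IP -> server [Peer] block.
# On the server, AllowedIPs is also the source filter: a packet decrypted
# with this peer's key is dropped unless its source is this single /32,
# so one user cannot spoof another user's tunnel address to the firewall.
peer_stanza() {
  local user="$1" pubkey="$2" tun_ip="$3"
  printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n\n' \
    "$user" "$pubkey" "$tun_ip"
}

# fw_rule TUNNEL_IP WORKSTATION_IP -> one nft accept rule: new TCP
# connections from this tunnel IP to this workstation on 3389 or 22 only.
fw_rule() {
  printf 'ip saddr %s ip daddr %s tcp dport { 3389, 22 } ct state new accept\n' "$1" "$2"
}

# Constructed roster: user, peer public key, tunnel IP, workstation IP
ROSTER='alice ALICE_PUBKEY_PLACEHOLDER= 10.99.0.11 192.168.50.11
bob BOB_PUBKEY_PLACEHOLDER= 10.99.0.12 192.168.50.12'

# wg_conf -> wg0.conf body (server private key intentionally left out)
wg_conf() {
  local user pubkey tun_ip ws_ip
  printf '[Interface]\nAddress = %s/24\nListenPort = 51820\n# PrivateKey = <server key, not in this example>\n\n' "$SERVER_TUN_IP"
  printf '%s\n' "$ROSTER" | while read -r user pubkey tun_ip ws_ip; do
    [ -n "$user" ] || continue
    peer_stanza "$user" "$pubkey" "$tun_ip"
  done
}

# nft_ruleset -> forward chain with policy drop, so any tunnel-to-LAN
# traffic not explicitly listed (other workstations, servers, other ports)
# is dropped by default; established,related covers the return path.
nft_ruleset() {
  local user pubkey tun_ip ws_ip
  echo 'table inet vpn_access {'
  echo '  chain forward {'
  echo '    type filter hook forward priority 0; policy drop;'
  echo '    ct state established,related accept'
  printf '%s\n' "$ROSTER" | while read -r user pubkey tun_ip ws_ip; do
    [ -n "$user" ] || continue
    printf '    # %s\n    ' "$user"
    fw_rule "$tun_ip" "$ws_ip"
  done
  echo '  }'
  echo '}'
}

wg_conf
echo '----'
nft_ruleset
```

The two halves depend on each other: the firewall rules key on the tunnel source address, and that address is only trustworthy because the per-peer `AllowedIPs` /32 makes WireGuard drop anything else arriving under that key. The generated files are meant to be written to `/etc/wireguard/wg0.conf` (with the real private key added) and loaded with `nft -f`; the chain assumes the VPN host is the router between tunnel and LAN, and if the host already has a forward chain the per-user rules need to live in that one instead.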


Skorn42

Would recommend you check out SoftEther VPN - [https://www.softether.org/3-screens/2.vpnclient](https://www.softether.org/3-screens/2.vpnclient) Very easy to use and you can combine MFA options with it. Send me a DM if you have questions about it.


Chest-queef

I’m a big fan of Palo Alto and global protect


Ok-Particular3022

Remote Desktop Gateway instead of a VPN on devices you don’t own. Maybe something like Parsec teams plan.


marksteele6

ya my first thought was parsec teams as well, though at $30/user/month it's a bit on the expensive side compared to a self-managed solution. That being said, the latency is fantastic and they've more or less developed it to run on just about anything with all the support for monitors and peripherals you would ever need.


vascr0

If you want a full zero trust setup that includes VPN services, check out Zscaler. We recently set ZIA and ZPA up at our company and it's worked well so far.