What Is Remote Access?
Remote access is part of the integrated "Routing and Remote Access" service that provides remote network access for remote office workers, out-of-office personnel, and system administrators who monitor and manage multiple departmental office servers.
- The Remote Access Service provides a comprehensive remote systems management solution for use with the Dell Remote Access Card (DRAC) III, DRAC III/XT, Dell Embedded Remote Access (ERA) Controller or ERA Option (ERA/O) Card, and systems equipped with SNMP and CIM. These hardware and software solutions are collectively referred to as the Remote Access Controller (RAC). The remote access service lets you remotely reach a system that is not running and bring it back up as quickly as possible. It also sends alert notifications when the system is down and allows you to restart the system remotely. In addition, the remote access service records possible causes of system crashes and saves the most recent crash screen. [1]
Remote access to specific applications
- Users with computers and network connections running Windows can dial up to remotely access their network for services such as file and printer sharing, e-mail, scheduling, and SQL database access.
Remote access user classification
- There are usually two types of people who need remote access: system administrators and ordinary users.
- System administrators usually need to remotely access network devices or servers on the corporate intranet to perform remote configuration and management. Most current enterprise-level network devices and servers provide interfaces or functions for remote configuration management, so administrators can use telnet, SSH, a web GUI, or even remote management software terminals to enter the internal network from the WAN side for management and maintenance.
- The remote access requirements of ordinary users usually come from remote office workers, out-of-office personnel, corporate executives, and others who travel frequently and often need to use ERP, CRM, HR and other information systems for viewing, approval, bill of lading and similar tasks. As enterprise informatization continues to develop, such remote access requirements have gradually become a focus of attention for enterprise IT administrators.
Remote access requirements classification
- For ordinary users' remote access requirements, there are three common ways.
- The first type is to open the ports of the internal application system directly, allowing external IP addresses to reach it and relying on the application system's own account verification mechanism to keep out unauthorized users.
- The second type is to use the terminal service function provided by Windows Server 2003 and newer versions: run Windows Remote Desktop on an external PC, first connect to the terminal server on the internal network, and then access the internal application system through that server as a proxy.
- The third type is to use VPN technology to establish a remote connection to the corporate intranet, and then access the intranet application system through the VPN.
Remote access category 1: open port method
- Open the ports of the internal application system directly on the firewall. For example, if the application ports of a company's ERP system are 7001 ~ 7006, you can configure the firewall to forward ports 7001 ~ 7006 to the IP address of the ERP server on the internal network. Out-of-office or remote office personnel then reach the ERP system by accessing ports 7001 ~ 7006 of the corporate public network IP; after passing the ERP system's identity verification, they can enter the ERP system and work.
- This method is very simple to implement and is a common solution for enterprises with limited technical capabilities, especially those with limited budgets. But its threat is also obvious: opening the ERP server's ports directly to the public network brings security risks such as network attacks and hacking. With viruses and attacks increasingly rampant today, this undoubtedly poses a serious threat to the security of internal application systems and the servers that run them.
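An added example (not from the original page) that models the port-forwarding rule described above in code, using constructed addresses: the forward left open to every Internet source, the same forward restricted to an assumed VPN client pool, and a check of who can reach the ERP ports under each form.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a firewall port-forwarding rule (not any vendor's format).
@dataclass(frozen=True)
class ForwardRule:
    name: str
    src_cidr: str      # WAN-side sources allowed to use the forward
    wan_ports: range   # external ports; range(7001, 7007) covers 7001~7006
    lan_host: str      # internal server the ports are forwarded to

def exposed_rules(rules):
    """Rules whose source filter lets the whole Internet reach the internal server."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return [r for r in rules if ipaddress.ip_network(r.src_cidr) == anywhere]

def restrict_to_vpn(rule, vpn_pool):
    """Corrected form of a rule: only clients holding a VPN pool address may use it."""
    return ForwardRule(rule.name, vpn_pool, rule.wan_ports, rule.lan_host)

def allowed(rules, client_ip, port):
    """Does any rule let a WAN client at client_ip reach the forwarded port?"""
    ip = ipaddress.ip_address(client_ip)
    return any(port in r.wan_ports and ip in ipaddress.ip_network(r.src_cidr)
               for r in rules)

# Constructed example matching the text: ERP ports 7001~7006 forwarded to 10.0.0.10.
WEAK = [ForwardRule("erp", "0.0.0.0/0", range(7001, 7007), "10.0.0.10")]
# Hardened: the same forward, reachable only from the assumed VPN pool 10.8.0.0/24.
HARDENED = [restrict_to_vpn(WEAK[0], "10.8.0.0/24")]

if __name__ == "__main__":
    print([r.name for r in exposed_rules(WEAK)])      # ['erp']
    print(allowed(WEAK, "203.0.113.5", 7001))         # True: any Internet host gets in
    print(allowed(HARDENED, "203.0.113.5", 7001))     # False
    print(allowed(HARDENED, "10.8.0.7", 7001))        # True: VPN client
```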
Remote access category 2: remote desktop technology
- A remote desktop client is built into all versions of Windows XP and Vista. You only need to enable the terminal service function on the application system server and open port 3389 (the port dedicated to remote desktop technology) on the firewall; out-of-office or remote workers can then connect to the application system server through the remote desktop client on their PC and run the related application programs.
- This scheme has become common due to the popularity of Windows. The main points of the plan are:
- 1. Accessing the application system through the remote desktop is equivalent to running the client program on the application system server itself, or to accessing the internal application system from the terminal server as if it were an intranet PC. Generated files are saved on the server by default. To save them on the remote PC or print on a printer connected to the remote PC, you need to further configure the disk mapping function of the terminal service and perform more complicated setup, such as installing a remote printer driver on the server.
- 2. Remote desktop technology itself needs to be authenticated. It has one more authentication mechanism than the first type of solution, and the security is necessarily higher than the first type of solution.
- 3. External PCs still need to open port 3389 to the public network to connect to the intranet server through remote desktop. The risk of attack and intrusion of the server caused by the open port still exists.
- 4. The remote desktop technology itself does not encrypt the transmitted data. If someone deliberately uses a packet capture tool on the network, it is entirely possible to recover the transmitted data, which will cause the leakage of internal information and even trade secrets of the enterprise.
- Some products on the market take remote desktop technology as their core and add remote access platform software that is convenient to manage and maintain. Some of these brands can already implement disk mapping and remote printing and provide simple encryption. Security and operability are improved compared to the solution provided by Windows, but the installation steps are more complicated, the encryption level is low and at risk of being cracked, and the risks brought about by opening port 3389 on the server are still difficult to avoid.
Remote access category 3: VPN technology
- The application of VPN technology has a long history. Its biggest advantage is that data travels over the public network inside an encrypted VPN channel, so security is correspondingly high. There are three mainstream VPN technologies: PPTP VPN, IPSec VPN, and SSL VPN.
- PPTP VPN
- PPTP is a remote dial-up technology. The dial-up program that comes with Windows provides PPTP VPN dial-up. The user can remotely dial in to the enterprise PPTP VPN gateway through the dial-in program that comes with Windows through the pre-configured account, obtain the internal network IP address, and then access the internal application system as the internal network PC.
- The advantage of PPTP VPN lies in the popularity of the technology. Windows comes with a dial-up program, so end users do not need to purchase and install additional software, which reduces costs and maintenance. The disadvantage is that the PPTP protocol itself provides only low-grade encryption: it gives data on the public network some protection, but its security level is not high and there is a risk of it being cracked by people with ill intent. In addition, after dialing into the intranet the user is subject to no corresponding permission management and can access any intranet resource, which is not conducive to internal network information security management.
- IPSec VPN
- IPSec VPN has become the preferred solution for enterprises building cross-region VPN networks, thanks to its 168-bit encryption security and the cost reduction brought about by the popularization of its core technologies. Once an IPSec VPN is established between any two networks, they behave as if they were on the same local area network and can freely transmit data and access each other's application systems.
- Gateway routers of mainstream brands on the market usually support the IPSec VPN function. It is mostly used to establish a cross-region VPN between corporate headquarters and branches, connecting multiple LANs in different regions. If IPSec VPN is used to meet remote access needs, an IPSec VPN client program must be installed on the remote PC. Such client programs are usually not free, with prices ranging from hundreds to thousands, and their configuration is usually complicated enough to present real technical difficulties for ordinary employees, especially corporate executives. Likewise, IPSec VPN is also difficult to manage in terms of permissions: as long as the VPN is connected, the user can access any system without restriction, which is not conducive to internal information security management.
- SSL VPN
- The 128-bit encryption technology used in SSL VPN can also provide a high level of data transmission security. Moreover, SSL technology is built into all mainstream browsers, so ordinary users only need to access the portal via https to transmit data through the SSL-encrypted channel, which avoids tedious installation and debugging and requires no additional investment. Because of its high security, simple application, and low cost, SSL encryption technology has been widely adopted in industries that demand high security and mobility, such as online banking, online shopping, and online payment.
- Corporate travelers or remote office workers simply open a browser, enter the URL or IP of the corporate SSL VPN portal, and log in with their personal VPN account to enter the corporate intranet and access its resources. SSL VPN products on the market usually have user rights management functions: some can set permissions for user groups (such as the finance group, the administrative group, etc.) and control which internal network resources or application systems all members of the group are allowed or forbidden to access. A few products can even set permissions for each individual user and perform batch setting operations, which greatly enhances the operability of information security management on the enterprise intranet.
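An added example (not from the original page or any SSL VPN product) of the group and per-user permission model described above, written in Python with constructed users, groups and addresses: access is denied unless some rule allows it, a deny rule overrides an allow at the same level, and a user-specific rule overrides the rules of the user's groups.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    subject: str        # "group:finance" or "user:carol"
    resource: str       # host or CIDR, e.g. "10.0.0.10" or "10.0.0.0/24"
    ports: frozenset    # ports the rule covers; empty means all ports
    allow: bool

@dataclass
class VpnPolicy:
    groups: dict = field(default_factory=dict)   # user -> set of group names
    rules: list = field(default_factory=list)

    def decide(self, user, host, port):
        """Deny by default; user-level rules override group rules;
        within the deciding level, any deny wins over the allows."""
        subjects = {f"user:{user}"} | {f"group:{g}" for g in self.groups.get(user, ())}
        ip = ipaddress.ip_address(host)
        matches = [r for r in self.rules
                   if r.subject in subjects
                   and ip in ipaddress.ip_network(r.resource, strict=False)
                   and (not r.ports or port in r.ports)]
        if not matches:
            return False
        user_level = [r for r in matches if r.subject.startswith("user:")]
        return all(r.allow for r in (user_level or matches))

def build_example_policy():
    """Constructed policy: finance reaches the ERP ports, admins reach the whole
    server subnet except the finance database, and carol gets a per-user exception."""
    p = VpnPolicy(groups={"alice": {"finance"}, "bob": {"admin"}, "carol": {"admin"}})
    p.rules = [
        Rule("group:finance", "10.0.0.10", frozenset(range(7001, 7007)), True),
        Rule("group:admin", "10.0.0.0/24", frozenset(), True),
        Rule("group:admin", "10.0.0.20", frozenset({1433}), False),
        Rule("user:carol", "10.0.0.20", frozenset({1433}), True),
    ]
    return p

if __name__ == "__main__":
    p = build_example_policy()
    print(p.decide("alice", "10.0.0.10", 7001))   # True
    print(p.decide("bob", "10.0.0.20", 1433))     # False
    print(p.decide("carol", "10.0.0.20", 1433))   # True
    print(p.decide("dave", "10.0.0.10", 7001))    # False: no rule, no access
```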
Remote access plan selection
- Taken together, the analysis shows that VPN technology is superior in terms of information transmission security, and it has gradually attracted attention from many domestic enterprises. However, VPN technology has some shortcomings, especially for remote operations such as using an ERP system through a VPN, which generally require higher bandwidth; insufficient bandwidth means a long wait. The best way to solve this problem is to combine VPN with remote desktop technology, in particular SSL VPN + remote desktop technology.
Remote access via SSL VPN plus remote desktop
- SSL VPN ensures transmission security, avoids opening server ports, and provides permission management. The characteristic of remote desktop technology is that it transmits only the changes on the screen: in theory, each connection needs only 28.8k of bandwidth, which greatly reduces the bandwidth required to operate application systems remotely. Running remote desktop inside the SSL VPN tunnel combines the advantages of both.
Remote access breaks through restrictions
Remote access to remote server power
- Remote management of the server is only possible when it is actually powered on, so you must first ensure that the remote power supply and backup power supply are working properly. An uninterruptible power supply (UPS) system is standard and can temporarily supply power when the local public power supply is interrupted. UPS batteries generally can only provide emergency power supply for a few minutes-only enough time to complete the server shutdown process.
- Some servers cannot (or are not allowed to) be shut down at all. For such application availability levels that require zero downtime, consider alternative sources of power that can take over power before the UPS battery runs out: diesel generators, local cogeneration facilities such as solar or wind farms or methane-powered fuel cells group. You can choose a fully redundant public power provider and line, although this is somewhat impractical for most businesses.
- When power fails, remote server management tools can't help you-especially if the cause of the power failure is a faulty switch panel or a circuit breaker tripped. It is necessary to arrange a remote inspection by a technician, and if necessary, to visit the scene to solve the problem.
Remote networking
- A network must be used to manage a remote server, which requires a reliable Internet connection, and network traffic goes through local service providers, regional backbone networks, and remote service providers. Any interruption of network communication will prevent the management of remote servers.
- Redundant Internet connections in remote data centers are common and useful. True redundancy must be built from different lines from different operators: any redundant Internet provider must include line redundancy, yet many organizations simply contract with different Internet providers and let multiple providers share the same physical line. That redundancy is not sufficient.
- Dial-up Internet connections can be deployed for emergency use, but remote server management over dial-up lines is a challenge, even for the most experienced administrators.
- Consider hiring a technician to maintain the internal network locally at the remote site. An on-site technician can find a failed router that is causing the connection problem, or an internal network adapter or switch port problem. None of these (physical) problems can be fixed by remote management tools. [2]