Automating certificate deployment for RDP over VPN

HCHTech

In my end of the SMB pool, most of my clients don't have servers. When we set up WFH for someone we:

1. Configure SSLVPN on their firewall (we're a Sonicwall shop), enabling 2FA for each SSLVPN user
2. Configure NetBIOS over VPN so users can connect to machine names instead of IP addresses
3. Export certificates for each employee's office computer
4. Setup an A record for something like remote.theirdomain.com and point it to their public IP
5. Purchase a cert for remote.theirdomain.com and install it on the firewall
6. Install the VPN client on the (almost always BYOD) employees' home computers
7. Configure 2FA for the VPN connection on an authenticator app on the employee's mobile
8. Import the certificate for each employee's work machine onto their home computer
9. Configure and save on the home computer an RDP connection to the work computer using the machine name and their username

This allows secure, 2FA connections without certificate warnings. This does require extra work exporting and importing certificates, though, every time either the home computer or the work computer for an employee is replaced. Since I mostly deal with small clients, though, this extra work isn't a deal breaker.

Because this is the method I know, I have also used it with clients that do have on-prem servers, even though the more-accepted method is to set up a local certificate authority, which somehow automagically handles certificates for any domain-joined computer.

I'm wondering at what level (client size, other determinants?) it really makes sense to set up and maintain a certificate authority, how much work that really is, and what the pros and cons of that are. I've been thinking about this for my largest client, who is approaching 50 employees. We're replacing about 2 workstations a month on average now, so there has been more of the certificate work than normal because of that pace.
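The certificate-handling part of that procedure (steps 3, 8 and 9) written out in PowerShell, as an added example that is not from the original post or from SonicWall or Microsoft documentation. The computer name WORKPC01, the account CORP\jdoe and the C:\Temp export folder are assumptions; the cmdlets are the standard PKI module ones (Export-Certificate, Import-Certificate). It adds two things the post does not mention: a thumbprint comparison before the home machine trusts the file, and an .rdp file set to "authentication level 1" so a mismatched certificate blocks the connection instead of showing a warning the user can click through.

```powershell
# Added example, not the original poster's scripts. Assumed names: WORKPC01,
# CORP\jdoe, C:\Temp. Run each function elevated on the machine it names.

# Step 3, on the WORK computer: export the public half of the self-signed RDP
# listener certificate. Windows keeps it in the 'Remote Desktop' machine store.
function Export-RdpListenerCert {
    param([string]$OutDir = 'C:\Temp')
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No certificate found in the Remote Desktop store.' }
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $path = Join-Path $OutDir "$($env:COMPUTERNAME)-rdp.cer"
    # -Type CERT writes only the certificate; the private key never leaves the PC.
    Export-Certificate -Cert $cert -FilePath $path -Type CERT | Out-Null
    # Record the thumbprint with the ticket; the home side checks it before trusting.
    [pscustomobject]@{
        Path       = $path
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter   # the self-signed cert expires; note the date
    }
}

# Step 8, on the HOME computer: trust the work PC's certificate, but only if the
# file you received matches the thumbprint recorded at export time.
function Import-RdpListenerCert {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $full = (Resolve-Path $CerPath).Path
    $incoming = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($incoming.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for $full (got $($incoming.Thumbprint)); refusing to import."
    }
    Import-Certificate -FilePath $full -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    $incoming.Thumbprint
}

# Step 9, on the HOME computer: save the RDP connection. 'authentication level:i:1'
# tells mstsc to refuse the connection when the server certificate is not trusted,
# rather than the default warn-and-continue, so a wrong or missing import fails closed.
function New-OfficeRdpFile {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [string]$OutPath
    )
    if (-not $OutPath) { $OutPath = Join-Path $env:USERPROFILE "Desktop\Office-$ComputerName.rdp" }
    @(
        "full address:s:$ComputerName"
        "username:s:$UserName"
        'authentication level:i:1'
        'prompt for credentials:i:1'
    ) | Set-Content -Path $OutPath -Encoding ASCII
    $OutPath
}

# Usage (work PC):   $exp = Export-RdpListenerCert; $exp
# Usage (home PC):   Import-RdpListenerCert -CerPath .\WORKPC01-rdp.cer -ExpectedThumbprint $exp.Thumbprint
#                    New-OfficeRdpFile -ComputerName WORKPC01 -UserName 'CORP\jdoe'
```

The name in "full address" must be the same name the RDP listener certificate was issued for, otherwise the level-1 setting will block the connection rather than just warn, which is the intended behaviour. Two caveats: the self-signed RDP certificate has an expiry (NotAfter above), so the export has to be repeated when Windows issues a new one, not only when a PC is replaced; and putting a certificate in LocalMachine\Root makes that work PC's key a trust anchor for the whole home machine, so the thumbprint check matters if the .cer travels by e-mail or a shared drive.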
 
1.) If your supported workflow requires a VPN, you need to get rid of it.
2.) Letsencrypt all the things.

Active Directory is a certificate authority. Entra ID is not... but there are services in Azure you can use. Still, I'm left wondering why you're doing all this at all. If the organization has their junk in M365 where it belongs, they just login and access it. This energy goes into conditional access once, and you never touch all this again.
 
For users that still need to "remote into the office"....I said to myself "f-that...and all the headaches"....that come with VPN, and/or...RDGateway, etc...and I just replaced all those headaches with Splashtop for Business. Sooooooooooo much easier to maintain for the IT guy, and to use for the clients. Win-win on both sides!

Yes, I still have a few clients that do that, such as large accounting firms that run the whole Thomson Reuters suite on servers at their office. I have started nudging them to go to TR hosted SaaS....hopefully soon. But until then, both they and I enjoy having them use Splashtop. So easy peasy, works well, MFA secured, excellent multi-monitor support.
 
1.) If your supported workflow requires a VPN, you need to get rid of it.

First of all, I'll comment that you are painting with a pretty broad brush, there amigo. I presume you are alluding to ZTNA, and you appear to feel strongly about it. Since that's the new kid on this block, one thing you could do to help the community is to gin up a how-to resource right here on TN. Name vendors and write out instructions for a typical setup. ZTNA is such a buzzword now, that from my standpoint, it's hard to trust anyone's solution until I can see it in action. Frankly, I don't have time to grind through things to see how this would even compare to the more traditional RDP over VPN solution that is so much more common.

Additionally, I've read that implementation requires a significant investment of time rethinking access and how it is/should be granted, not to mention user retraining. Most all of my clients use remote access not to run apps directly, but instead to run RDP to get the same experience they would have sitting at their desk. Access to all of the resources they would have if they were in the office, not just some of them. I like the idea that ZTNA gives you more control over incoming connections using rules, but at least some of that is doable with a traditional solution - I know because I'm doing it. The other purported benefits are nebulous to me because I haven't seen them in action. I suspect it's going to take more than a "this is a good idea" opinion to move me (and a lot of others) off the traditional solutions and into ZTNA.
 
@HCHTech The "traditional" RDP over VPN pathway is exactly why you don't have time. The world has abandoned that approach! And for good reason.

You have to maintain, patch, and manage a VPN-terminating-capable firewall, which will have zero-day vulns smacking it around every other week. Palo Alto had a really ugly one show up this past Friday, Fortinet has had two this year already, SonicWall is no exception... but they've been quiet this year so far.

The risk is always the same. Anything connected to the Internet is at risk. RDP as a protocol is a VPN itself, so wrapping it in a VPN on the surface is a silly decision to make, the same thing applies to SMBv3 ALSO a VPN in and of itself. But how many times have you felt comfortable putting either the server service or RDS session host services on the Internet directly? I'm quite thankful that you've shown here you are NOT comfortable doing that... Goodness I find it everywhere.

And why don't we do it? Because we know the protocols are fine, but the services they terminate on are a constant problem. By wrapping it with a VPN we move the risk to the VPN terminator. But, there's a problem with that... we haven't reduced the risk, we've just relocated it! The VPN terminator is JUST AS MUCH OF A RISK! And worse, it's HARDER TO PATCH! You want to patch Windows? You run Windows update and reboot! Do you have central control and monitoring of firewall firmware? And do you have confidence that when you push that big red update button the firewall is going to survive the process?

No.... you don't... But you trust that firewall more, which is... insane. Now, don't think I'm insulting you here, because I did the same thing! I don't know these things because I'm some sort of sage. Security is a journey, and in this space I'm simply farther along on this path than you are.

ZTNA / SASE, buzzwords yes but also associated with a horde of technologies that replace VPN with much more manageable and capable platforms.

As for the cloud... it applies to far more than M365 and Google. Your VPN terminator is "cloud technology". Splashtop is, you guessed it... cloud technologies. It doesn't matter what you do, you're "in the cloud." So how do you defray risk?

The only thing you can do, is control your supply chain. The shorter and less branched your chain is the better. That is why I M365 all the things... I have to have Exchange to move mail, I have to secure it, the fact that it comes with SharePoint to store files and everything else solves for all. I have ONE SUPPLY CHAIN TO KNOW! ONE SUPPLY CHAIN TO AUDIT! ONE SUPPLY CHAIN TO REMEDIATE! Microsoft... because they're the monopoly and I have no choice but to accept their risks.

You're not about to stop selling Windows based endpoints anytime soon are you? If so... perhaps another door makes sense. But for me? I use Windows, therefore I use M365. And my customers have less risk in their lives, because I do not have 3rd party crap running all over the place that all requires its own audit, management, maintenance, and risks. All of this is TIME, and we're human and we have a finite amount of it. And this reality is why the cloud will never... EVER... go away. And if it does, the world as we know it, is over.

Note, the above took me about 45min to write, where do I send the bill? Because, "you don't have time".
 
Typically with a local network, there is implicit trust on the network. A is allowed to communicate with B with less secure authentication because just by being on the network, there is some trust. When you use VPNs with BYOD, you are expanding trust to an unmanaged device. Ideally, you wouldn't be giving that device access to the whole network, but often that is what ends up happening.

So, you look at the services that workstations are accessing on the network and start to think about how you could set things up so that workstations can securely access things without relying on the implicit trust of the network. Once there is no more implicit trust, then you see that a VPN is probably no longer needed, since that implicit trust is no longer required to keep things secure.

Migrating things to M365 is just probably one of the easiest ways for SMB to achieve this.
 
Migrating to M365 does not work when your client has on-prem LOB apps. The best you can do there is partial migration. I guess I'm unusual in that many of my clients have on-prem LOB apps, I don't know. We have a lot of accountants, actuaries, attorneys & architects and I swear, every single one of them has some on-prem app they are actively using. Some clients have indeed been migrated to M365, but we still have a firewall at the edge of their network, and they still need/want to RDP into their desktop when they are WFH. It might be as simple as them wanting to print something to their office printer so it's waiting for them when they get in the next day, or ready for their assistant who is in the office to take that printout and continue work on the project (we see this a lot with attorneys and accountants).

I'll also add that in the handful of times we have investigated the costs of putting an LOB app on a server in Azure, they have been prohibitive. Things would be different if I were serving larger clients, I'm sure. But I'm not - my average client is probably 10 employees, many less than that, a few more than that.

I suppose it's possible there are businesses out there that are 100% cloud, and everyone accesses and edits files only in the cloud, but I haven't run into one yet. In my mind, this is just like the "paperless office" -- somebody's nice idea, but not representative of reality, at least not in the SMB space I'm familiar with.

Lastly, it is not my job to force clients into one way of working or another. My job - as I see it, anyway - is to present the options in a way they can understand, give them all the information (financial, risk/reward, pro/con) they need to choose and then let them choose - and support them where they have chosen.

In 10 years I'll be gone so maybe my progeny will feel differently and they can do what they want with how things are run in our business. Or maybe the whole paradigm-shift will be farther along and I'll have to change my position between now and then.

And this response took me 30 minutes to write - but I won't be sending a bill because my time on TN isn't all just looking for an answer. It's sharing discourse like this to a wider community in the hopes that it will be helpful beyond my little bubble of reality. I don't know enough to be a know-it-all, so that's the role I've taken here. I figure if I have any particular question, then others do too. Working through something publicly will hopefully help someone else. I've been at this long enough that my points of view have (or should have) some validity.
 
Migrating to M365 does not work when your client has on-prem LOB apps. The best you can do there is partial migration. I guess I'm unusual in that many of my clients have on-prem LOB apps, I don't know. We have a lot of accountants, actuaries, attorneys & architects and I swear, every single one of them has some on-prem app they are actively using. Some clients have indeed been migrated to M365, but we still have a firewall at the edge of their network, and they still need/want to RDP into their desktop when they are WFH. It might be as simple as them wanting to print something to their office printer so it's waiting for them when they get in the next day, or ready for their assistant who is in the office to take that printout and continue work on the project (we see this a lot with attorneys and accountants).

Splashtop Business (or...equiv of whatever your RMM uses that you can resell)
Say goodbye to clunky VPNs
Say goodbye to clunky RDG portals
Say hello to ease for both the IT guy and end user
 
@HCHTech "LOB app on a server in Azure, they have been prohibitive."

I need a specific example, because a domain controller, with backup plus VPN connection to get to it is $150 / month. That shouldn't be prohibitive and in most cases I can get an Azure plan together that will match the Dell finance charges for the server they'd have to buy. Except... now I don't have to sell Datto, and a UPS, nor consume their power and real estate in their office all additional costs!

Larger servers need to make use of the hybrid benefit plus a reserved instance which brings the cost down 70% from pay as you go rates, if you aren't pricing based on getting out of pay as you go, you aren't doing it right! I also highly recommend use of ZeroTier, because it eliminates the need for Azure VPN Gateway entirely, which is a huge cost reduction too.

Or... well, do what Stonecat said and let your clients continue to operate on premise, because Splashtop really is worth it.

As for on premise LOB apps... they're dying... fast. Most LOB vendors simply don't support them anymore. And I require all my LOB apps to be under support, or I don't support them.
 
@HCHTech

As for on premise LOB apps... they're dying... fast. Most LOB vendors simply don't support them anymore. And I require all my LOB apps to be under support, or I don't support them.

Yup...those 3x points there. That's where I know...that my accounting clients with "heavy suites of apps on an on prem server"...will be going to the cloud eventually...without me having to do the pushing for it because I don't like supporting servers anymore.
 
This certainly seems a convoluted way of doing things. I'm not sure how much or how you bill your clients for the management of their firewall and VPN etc., but rolling out something like Splashtop, AnyDesk, CW Control or one of the many other RMM products out there would be so much better.

If you are using any of these products to manage your clients' devices already, then just give them a login for their own device and you've just removed the need for any of the VPN and certificate management, freeing up a huge amount of labour and improving security all at the same time.
 