I had three issues that I had to immediately solve.
1. How to connect users to the company's network securely
2. How to support users' systems as remote desktop clients
3. How to troubleshoot issues with remote desktop clients with visibility
To solve issue 1, I decided to set up a new RDP server (2019) that users reach using OpenVPN.
To solve issues 2 and 3, since it would be a combination of corporate and personal devices, I decided to use MSP360 and TeamViewer with a how-to document. My idea was to treat both the corporate and personal devices as simple remote desktop clients. With less than a week to set up a new RDP server and prep any corporate devices we had available, it was going to be a huge challenge.
For issue 1, I had experience setting up pfSense to also be an OpenVPN server (https://optionkey.blogspot.com/2017/03/setting-up-pfsense-with-openvpn-using.html). Though this wasn't the easiest solution (setting up RD Gateway would have been simpler), it was the one I felt was more secure and easier for me to support. I also had the issue of having to get users to update their passwords to something more secure. Going with OpenVPN allowed me to set up long, secure passwords and then move to certificate-based authentication once I got that set up, so users wouldn't fight the updating of their Active Directory passwords. Also, with RDP attacks on the rise, I feel it more or less avoids that kettle of fish.
For issues 2 and 3, treating corporate and personal devices as simple RDP clients is easy; it really doesn't matter what they are or how they connect, so long as they have an RDP client and can connect. I set up the OpenVPN client on the corporate devices we had and used the MSP360 or TeamViewer quick support apps to set up and install the OpenVPN client on any devices that needed it.
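The corporate-device side of issue 1 is a repeatable job: install the OpenVPN client and drop a profile in its config folder. The script below is an added example (not the author's, and not from pfSense or OpenVPN) that stages the Community client on a Windows device and writes a single-file profile that requires both the user's VPN password and a client certificate, which is the end state the post describes (passwords first, certificates layered in). The VPN hostname, the MSI path, the PKI file names and the profile name are assumptions; the PEM files are assumed to have been exported from the pfSense CA for that device.

```powershell
# Added example, not the author's deployment script. Run elevated on the corporate
# laptop. All paths and names below are placeholders (assumptions), not values from the post.
param(
    [string]$VpnHost   = "vpn.company.domain",                 # assumption: public OpenVPN endpoint
    [int]   $VpnPort   = 1194,
    [string]$Msi       = "$PSScriptRoot\openvpn-client.msi",   # assumption: MSI from openvpn.net/community-downloads
    [string]$PkiDir    = "$PSScriptRoot\pki",                  # assumption: holds ca.crt, client.crt, client.key, ta.key
    [string]$ConfigDir = "$env:ProgramFiles\OpenVPN\config"    # default profile folder of the Windows client
)

$ErrorActionPreference = "Stop"

# 1. Silent install using standard msiexec switches (no OpenVPN-specific install flags assumed).
if (-not (Test-Path "$env:ProgramFiles\OpenVPN\bin\openvpn.exe")) {
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Msi`" /qn /norestart" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "OpenVPN install failed with exit code $($p.ExitCode)" }
}

# 2. Read each PEM file so it can be inlined; a single .ovpn is easier to hand to remote support.
function Get-Pem([string]$Name) {
    $path = Join-Path $PkiDir $Name
    if (-not (Test-Path $path)) { throw "missing PKI file: $path" }
    return (Get-Content -Raw $path).Trim()
}

$ovpn = @"
client
dev tun
proto udp
remote $VpnHost $VpnPort
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server cert with the server EKU: a stolen client cert cannot impersonate the VPN.
remote-cert-tls server
# Prompt for the VPN username/password on top of the client certificate below.
auth-user-pass
# Do not keep the typed password in the client's memory between reconnects.
auth-nocache
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
$(Get-Pem 'ca.crt')
</ca>
<cert>
$(Get-Pem 'client.crt')
</cert>
<key>
$(Get-Pem 'client.key')
</key>
<tls-crypt>
$(Get-Pem 'ta.key')
</tls-crypt>
"@

New-Item -ItemType Directory -Force -Path $ConfigDir | Out-Null
$out = Join-Path $ConfigDir "company-vpn.ovpn"
Set-Content -Path $out -Value $ovpn -Encoding ascii

# 3. The profile carries the device's private key: strip inherited ACLs, leave users read-only
#    (the GUI needs read access to list the profile) and give full control only to admins.
icacls $out /inheritance:r /grant:r "SYSTEM:F" "Administrators:F" "Users:R" | Out-Null
Write-Host "profile written to $out"
```

Because `auth-user-pass` and the inline `<cert>`/`<key>` are both present, the server can be configured to require both factors, and the initial long-password rollout and the later certificate rollout use the same profile layout; a device whose certificate is revoked on the pfSense CA stops connecting even if its user still knows the password.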
Provide How To Documentation
My organization uses G Suite, so I have a secure way of providing the VPN documentation to the users who thought they could set it up on their own. Below is a sample document with non-working links; this is more or less the document I sent out to staff to get them set up on the VPN. I chose to support both Apple and Windows users.
Note that only 6% of our staff were on Apple computers. We still chose to support them but made the documentation primarily Windows-based, and because of the extra security setup required on Apple computers, we decided it was best to just provide the links to the required software, and staff would walk through the "extra" requirements for the Apple machines.
Since our VPN is OpenVPN-based, we used the following:
Windows VPN Client - OpenVPN Client https://openvpn.net/community-downloads/
MacOS VPN Client - Tunnelblick https://tunnelblick.net/downloads.html
Apple App Store Link for Microsoft Remote Desktop Application:
https://apps.apple.com/ca/app/microsoft-remote-desktop-10/id1295203466?mt=12
***************SAMPLE DOCUMENT*************
Here is a 5-minute step-by-step video tutorial on how to connect to the VPN from Windows.
IT can help you remotely using our Remote Support app. Call them at 555 555 5835.
Mac Version | Windows Version
If you're a Mac user, you will need to install the Microsoft Remote Desktop application.
Then you will need to download the following files. For the VPN client, please select the VPN config file and the OpenVPN client for your OS.
VPN Config File | OpenVPN Client (Mac version) | OpenVPN Client (windows version)
How to install the OpenVPN Client for Windows
We will need to install the VPN client and import the VPN configuration, then enter the username/password provided by IT.
To connect to the library from a computer, download the OpenVPN configuration file attached to this email, then install the OpenVPN client.
Once the VPN client is installed, you can connect to the VPN.
How to connect to the VPN
When you're connected to the VPN, you can then connect to the RDP server. You can connect manually or download the RDP connection files.
Here is a 2-minute video on how to connect using an RDP connection file.
If you want to enter the information manually, open the Remote Desktop Connection app.
When you open the program, you will see a dialog box as shown below.
In it you can enter either of the following:
IT would prefer that you use the RDS server:
$COMPANYRDSSERVER.COMPANY.DOMAIN
If you have an issue, please use the secondary:
$COMPANYRDSSERVER2.COMPANY.DOMAIN
Press connect.
Then enter your workstation username and password.
Log in with your domain username and password (the one you would use if you were sitting in front of the screen at work). It should be in one of the following formats:
domain\$username or $username@domain.com, where $username is your workstation login.
*******End Of Sample Document*******
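The sample document offers users either manual entry or "RDP connection files". The script below is an added example (not the author's) of how IT can generate those files for the primary and secondary RDS hosts with the safe settings baked in: credentials are always prompted for (never saved in the file), Network Level Authentication is on, server certificate problems at least warn, and drive, clipboard and printer redirection are off so a personal laptop's disk never gets mapped into the company session. It also checks that the logon name is in one of the two formats the document asks for. The host names and domain are placeholders standing in for $COMPANYRDSSERVER, $COMPANYRDSSERVER2 and the AD domain; the file names are assumptions.

```powershell
# Added example, not the author's script. Builds Company-RDS-primary.rdp and
# Company-RDS-secondary.rdp on the user's desktop; every name below is a placeholder.
param(
    [string]$Domain     = "COMPANY",                              # assumption: NetBIOS domain name
    [string]$Username   = $env:USERNAME,
    [string[]]$Servers  = @("rdsserver.company.domain",           # assumption: stands in for $COMPANYRDSSERVER
                            "rdsserver2.company.domain"),         # assumption: stands in for $COMPANYRDSSERVER2
    [string]$OutDir     = "$env:USERPROFILE\Desktop"
)

$ErrorActionPreference = "Stop"

# Accept exactly the two formats the sample document asks for: DOMAIN\user or user@domain.tld
function Test-LogonName([string]$Name) {
    return ($Name -match '^[A-Za-z0-9_.-]+\\[A-Za-z0-9_.-]+$') -or
           ($Name -match '^[A-Za-z0-9_.-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
}

function New-RdpFile([string]$Server, [string]$LogonName, [string]$Path) {
    if (-not (Test-LogonName $LogonName)) {
        throw "logon name must be DOMAIN\user or user@domain: $LogonName"
    }
    $lines = @(
        "full address:s:$Server"
        "username:s:$LogonName"
        "prompt for credentials:i:1"     # never store the password in the file
        "enablecredsspsupport:i:1"       # Network Level Authentication (CredSSP) before a session is created
        "authentication level:i:2"       # warn if the server cert does not validate; use 1 (refuse) once the RDS cert is trusted
        "redirectdrives:i:0"             # personal-device disks stay out of the session
        "redirectclipboard:i:0"
        "redirectprinters:i:0"
        "screen mode id:i:2"             # full screen
    )
    Set-Content -Path $Path -Value $lines -Encoding ascii
    return $Path
}

$logon = "$Domain\$Username"
$files = @()
for ($i = 0; $i -lt $Servers.Count; $i++) {
    $role  = if ($i -eq 0) { "primary" } else { "secondary" }
    $files += New-RdpFile -Server $Servers[$i] -LogonName $logon -Path (Join-Path $OutDir "Company-RDS-$role.rdp")
}
Write-Host "wrote: $($files -join ', ')"

# Launch the primary; mstsc.exe accepts a .rdp file path as its first argument.
Start-Process mstsc.exe -ArgumentList "`"$($files[0])`""
```

Sending the generated files instead of asking users to type the server name avoids the typo-driven "I can't connect" calls that the remote support section deals with, and because `prompt for credentials` is set, a lost laptop does not carry a usable RDP password in the file.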
Remote Support Applications
For the remote support applications we used a combination of MSP360 and TeamViewer; both work great for remote support. We did not install the full app, though; we decided to go with the quick support application for both. For the laptops connected to the domain, my preference was to use TeamViewer, as it does domain authentication and you just need to get the ID number.
TeamViewer Client
By default TeamViewer tries to connect using the TeamViewer password, but if the user is a limited user you will see a note about UAC controls. To get around this you can use TeamViewer to sign in as a Windows administrator.
TeamViewer authentication from the domain is a two-step process: you actually have to connect twice. The first time, after authentication, it will close TeamViewer on the client and relaunch it using the admin credentials provided. This will cause your console to be disconnected.
When you are disconnected you can immediately reconnect using TeamViewer, as the ID will be saved in the Partner ID field, and it will then prompt you to sign in with Windows authentication again.
It will then connect and you will have administrator permissions.
MSP360 works well too but doesn't give you the UAC login options, and you will be required to give usernames/passwords over phone, chat, etc. It is not a good solution for UAC-protected devices, but it is great for connecting to regular laptops (as everyone on their personal device is an administrator).
MSP360 Client
MSP360 Console
Once you connect, you will be prompted to enter the password on the client side, and then you will be connected.
Remote support applications:
https://www.msp360.com/remote-assistant.aspx
https://www.teamviewer.com/en-us/