Friday, May 01, 2020

Setting up and supporting an organization from home

March 2020 changed a lot of things for everyone, everywhere. The biggest change has been working from home (remote working). From an IT perspective this brings up many challenges, as most workplaces (mine included) are not mobile-first or mobility-first organizations. So when COVID-19 hit, we were scrambling to get a remote setup that could handle enough users, and to find a way to connect them without really compromising security or making us an easy mark for an attack with few IT resources for defense.

I had three issues that I had to immediately solve.

1. How to connect users to the company's network securely
2. How to support users' systems as remote desktop clients
3. How to troubleshoot issues with remote desktop clients with visibility

To solve issue 1, I decided to set up a new RDP server (2019) using OpenVPN.

To solve issues 2 and 3, since it would be a combination of corporate and personal devices, I decided to use MSP360 and TeamViewer with a how-to document. My idea was to treat both the corporate and personal devices as simple remote desktop clients. With less than a week to set up a new RDP server and prep any corporate devices we had available, it was going to be a huge challenge.

For issue 1, I have had experience setting up pfSense to also be an OpenVPN server (https://optionkey.blogspot.com/2017/03/setting-up-pfsense-with-openvpn-using.html). Though this wasn't the easiest solution (such as setting up RD Gateway), it was the one I felt was more secure and easier for me to support. I also had an issue with having to get users to update their passwords to something more secure. Going with OpenVPN allowed me to set up long, secure passwords, then move to certificate-based authentication once I get that set up, so users wouldn't want to fight the updating of their Active Directory passwords. Also, with RDP attacks on the rise, I feel it more or less avoids that kettle of fish.


For issues 2 and 3, treating corporate and personal devices as simple RDP clients is easy: it really doesn't matter what or how they connect, so long as they have an RDP client and connect. I set up the OpenVPN client on the corporate devices we had and used the MSP360 or TeamViewer quickconnect apps to set up and install the OpenVPN client on any devices that needed setup.

Provide How To Documentation

My organization uses G Suite, so I have a secure way of providing the VPN documentation to users, for those who thought they could set it up on their own. Below is a sample document with non-working links; this is more or less the document I sent out to staff to get them set up on the VPN. I chose to support both Apple and Windows users.

To that end, only 6% of our staff were on Apple computers. We still chose to support them, but made the documentation primarily Windows-based, and because of the extra security setup required for Apple computers, we decided it was best to just provide the links for required software, and staff would walk through the "extra" requirements for the Apple machines.

Since our VPN is OpenVPN based we used the following:

Windows VPN Client - OpenVPN Client https://openvpn.net/community-downloads/

MacOS VPN Client - Tunnelblick https://tunnelblick.net/downloads.html

Apple App Store Link for Microsoft Remote Desktop Application: 
https://apps.apple.com/ca/app/microsoft-remote-desktop-10/id1295203466?mt=12

***************SAMPLE DOCUMENT*************


Staff can set up access to remotely log in to the office through our RDP server. However, for network connectivity and security reasons we do require you to install a VPN client, where you need to log in with a username and a password.

Here is a 5 minute step by step video tutorial on how to connect to the VPN from Windows

IT can remotely help you by using our Remote Support APP. Call them at 555 555 5835

Mac Version | Windows Version

If you're a Mac user, you will need to install the Microsoft Remote Desktop application.

Then you will need to download the following files. For the VPN client, please select the VPN config file and the OpenVPN client for your OS.


VPN Config File | OpenVPN Client (Mac version) | OpenVPN Client (windows version)

How to install the OpenVPN Client for Windows

We will need to install the VPN client and import the VPN configuration. Then put in the username/password provided by IT.

To connect to the library on a computer, download the OpenVPN configuration file attached to this email. Then install the OpenVPN client.

Once the VPN client is installed, you can then connect to the VPN.


How to connect to the VPN


When you're connected to the VPN, you can then connect to the RDP server. You can connect manually or download the RDP connection files.

Here is a 2-minute video on how to connect using an RDP connection file

If you want to manually input the information, open the Remote Desktop Connection app.



When you open the program you will see a dialog box as shown below




In it you will be able to put either of the following:

IT would prefer that you use the RDS:
$COMPANYRDSSERVER.COMPANY.DOMAIN

If you have an issue, please use the secondary:
$COMPANYRDSSERVER2.COMPANY.DOMAIN


Press connect.


Then put in your workstation username and password.

Log in with your domain username and password (the one you would use if you were sitting in front of the screen at work). It should be in the following format:

domain\$username or $username@domain.com, where $username is your workstation login



*******End Of Sample Document*******

Remote Support Applications


For the remote support applications we used a combination of MSP360 and TeamViewer; both work great for remote support. We did not install the app, though; we decided to go with the Quick Support application for both. For the laptops connected to the domain, my preference was to use TeamViewer, as it does domain authentication and you just need to get the ID number.

Teamviewer Client 




Teamviewer Console



By default, TeamViewer tries to connect using the TeamViewer password, but if the user is a limited user, you will see a note about UAC controls. To bypass this, you can use TeamViewer to sign in as a Windows administrator.




TeamViewer authentication from the domain is a two-step process. You actually have to connect twice. The first time, after authentication, it will close TeamViewer on the client and then relaunch it using the admin credentials provided. This will cause your console to be disconnected.



When you disconnect, you can immediately reconnect using TeamViewer, as the ID will be saved in the Partner ID field, and it will then prompt you to sign in with Windows authentication again.




It will then connect and you will have administrator permissions.

MSP360 works well too, but doesn't give you the UAC login options, and you will be required to give usernames/passwords over phone, chat, etc. It is not a good solution for UAC-protected devices, but it is great for connecting regular laptops (as everyone on their personal device is an administrator).

MSP360 Client




MSP360 Console



Once you connect you will be prompted to put in the password on the client side, then be connected.


Remote support applications.

https://www.msp360.com/remote-assistant.aspx

https://www.teamviewer.com/en-us/

Summary


Overall the experience for the users wasn't terrible; there were a few hiccups caused by ISP DNS. The issues did not affect remote access using the remote support apps, but did cause issues connecting to the VPN, which was set up to use a DNS address in case we want or need to change our IP address. At any rate, an ISP was giving out only IPv6 DNS and the translation to IPv4 was not working properly; since our DNS host was not set up to use IPv6, some users could not connect to the VPN. Remoting in and either changing the config file to the IP or adding a host entry in the hosts file resolved the issue.

Apart from ISP issues, most users had a pretty positive experience with working from home (or at least that's what they told me). Using MSP360 and TeamViewer to remotely administer what were essentially RDP clients did work incredibly well. Users either tried to connect to the RDP server using a downloaded RDP connection file, or were set up by IT staff using the remote support applications. Beyond that, any application or other issues were resolved using RDP admin shadow sessions once the user was connected to the remote desktop server.
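The DNS failure described in the summary can be checked on a client before a support call. This added example (not part of the original post) reads the `remote` lines of an OpenVPN client config, tests whether the client's resolver returns an IPv4 address for each, and applies the config-file workaround; the host name, the address and the function names are constructed for illustration.

```python
import socket

# Constructed sample client config; host name and port are placeholders.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.org 1194
# remote old.example.org 1194
auth-user-pass
"""

def parse_remotes(config_text):
    """Return (host, port) for each active `remote` line; comments are skipped."""
    remotes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            remotes.append((parts[1], parts[2] if len(parts) > 2 else "1194"))
    return remotes

def ipv4_addresses(host, resolve=socket.getaddrinfo):
    """IPv4 addresses the local resolver returns for host ([] if none)."""
    try:
        infos = resolve(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def diagnose(config_text, resolve=socket.getaddrinfo):
    """Flag every remote the client cannot turn into an IPv4 address."""
    report = []
    for host, _port in parse_remotes(config_text):
        addrs = ipv4_addresses(host, resolve)
        report.append((host, "ok" if addrs else "no-ipv4", addrs))
    return report

def pin_remote(config_text, host, ip):
    """Config-file workaround: point the matching remote line at the IP."""
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote" and parts[1] == host:
            line = " ".join([parts[0], ip] + parts[2:])
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for host, status, addrs in diagnose(SAMPLE_OVPN):
        print(host, status, addrs)
```

Pinning the IP, like adding a hosts entry, gives up the DNS indirection the VPN was set up with, so those clients have to be updated by hand if the server's address changes.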
