Quote:
Originally Posted by takayama
Hello
At my work we have a Windows 2008 that serves as a "bounce PC" (I can't find any better word; that's directly translated from the word we use in my language). What I mean by that is that if we want to access the server net and so on, we first have to RDP to a W2K8 computer and from there SSH/RDP/WWW further to admin. The few admins have their own accounts and can be logged on at the same time.
There seem to be Linux RDP clients, but considering Microsoft's history regarding network security, I would never use one myself. I've used simple SSH port forwarding via a border server for years, especially when I needed a remote GUI (X11 forwarding).
But, since your use cases are more varied, perhaps you should consider OpenVPN? It is used by many universities around the world for exactly this.
Although openvpn.net sells something called Access Server, the open-source OpenVPN package is used in that too. You really only need the open-source OpenVPN package, for both the client and the server.
Here is the HowTo.
In a multi-OS environment, OpenVPN works best if Public Key Infrastructure (certificates) is used for authentication, instead of usernames and passwords. The secret keys should be stored totally off the net; only the signed certificates (user and certificate authority) need to reside on the user's machine. Your organisation can be, and probably should be, its own certificate authority for this. (That would also mean you do not need to pay anything to anybody outside your organization for this.)
Mandating that the user certificates must be password protected at all times is a good idea. The users will need to supply the certificate password when opening the VPN, but on the other hand, a nefarious attacker would need both the user certificate file and the password used to open it before they can gain access to your organization's network via the OpenVPN server.
If not password protected, the theft of a user's machine or of the user certificate on it will allow access to the internal LAN until the theft is noticed and reported and the certificate is revoked, or until the certificate expires.
The theft of the certificate authority certificate does not matter. It is on the user's machine only to let the user know whether the other end is the expected machine; if not, OpenVPN will complain loudly. The certificate authority certificate is public, and will not open any doors or allow anyone to pose as the OpenVPN server, as long as the key used to generate it is safe and secure (off the network, preferably).
Hope this helps.
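The PKI setup described in the reply above, as an added example that is not part of the original post and not the OpenVPN project's own tooling: a minimal private CA built with the openssl command line, one user certificate whose private key is passphrase-protected, and checks for the properties the reply relies on (the key file is useless without its passphrase, the user certificate chains only to your own CA, the CA certificate itself is public material). It also writes a matching OpenVPN client config. The directory names, passphrases, user name `alice`, the second "Rogue CA" used for the negative check, and the host `vpn.example.org` are all constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): a small private CA with openssl,
# issuing passphrase-protected OpenVPN user certificates, plus checks.
# All paths, names and passphrases below are constructed sample values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-ca-passphrase-SAMPLE}"       # constructed; the real one never leaves the offline CA box
USER_PASS="${USER_PASS:-user-passphrase-SAMPLE}" # constructed; the user types this each time the VPN opens

# openssl req/x509 need a config file; keep it self-contained instead of
# depending on the system openssl.cnf.
write_cnf() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Create a CA in directory $1 with common name $2. The CA key is AES-encrypted;
# in practice this whole directory lives on a machine that is off the network.
make_ca() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -config "$WORK/pki.cnf" -x509 -new -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -days 3650 -subj "/CN=$cn" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
}

# Issue a user certificate for $2, signed by the CA in $1. The user's private
# key is encrypted, so the .key file on its own is useless to a thief.
make_user() {
  cadir="$1"; name="$2"
  openssl genrsa -aes256 -passout "pass:$USER_PASS" -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -config "$WORK/pki.cnf" -new -key "$WORK/$name.key" -passin "pass:$USER_PASS" \
    -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 \
    -extfile "$WORK/pki.cnf" -extensions v3_user -out "$WORK/$name.crt" 2>/dev/null
}

# Check 1: the key file is encrypted (both the PKCS#1 and PKCS#8 PEM forms
# that openssl writes carry the word ENCRYPTED in their header).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Check 2: the key only opens with the right passphrase.
key_opens_with() { openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Check 3: the certificate chains to the given CA certificate.
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Check 4: the CA certificate holds no private key, so losing it opens nothing.
ca_cert_is_public() { if grep -q "PRIVATE KEY" "$1"; then return 1; fi; }

# Succeeds only if the given command fails (used for the negative checks).
refuses() { if "$@"; then return 1; else return 0; fi; }

# OpenVPN client config for this PKI: askpass prompts for the key passphrase,
# and remote-cert-tls makes the client refuse any peer that is not a server
# certificate issued by our CA. vpn.example.org is a placeholder.
write_client_config() {
  name="$1"
  cat > "$WORK/$name.ovpn" <<EOF
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert $name.crt
key $name.key
askpass
remote-cert-tls server
EOF
}

demo() {
  write_cnf
  make_ca "$WORK/ca" "Example Org VPN CA"
  make_ca "$WORK/rogue" "Rogue CA"   # second CA: the user's ca.crt must reject it
  make_user "$WORK/ca" alice
  write_client_config alice
  key_is_encrypted "$WORK/alice.key"
  refuses key_opens_with "$WORK/alice.key" "wrong-passphrase"
  key_opens_with "$WORK/alice.key" "$USER_PASS"
  cert_chains_to "$WORK/alice.crt" "$WORK/ca/ca.crt"
  refuses cert_chains_to "$WORK/alice.crt" "$WORK/rogue/ca.crt"
  ca_cert_is_public "$WORK/ca/ca.crt"
  echo "PKI built in $WORK; all checks passed"
}

demo
```

Only `ca.crt`, `alice.crt`, `alice.key` and `alice.ovpn` go to the user's machine; `ca.key` (and the `ca.srl` serial file) stay with the offline CA. Revocation, which the reply mentions, is handled on the OpenVPN server side with a CRL published by the same CA and loaded via the `crl-verify` option.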