
Newbi Guidance 1

Status
Not open for further replies.

peteb869

Technical User
Jan 23, 2005
2
US
I have been asked by a charity organization to set up access to an application for their members. The application will run on a machine located in one office. They want to use VPN to access this machine.

I believe that what is needed is a VPN router attached between the machine and broadband modem to the ISP. I think the remote users could use a client of some type to establish a vpn connection between their machine and the application machine.

Is this reasonably correct? Could someone suggest the necessary components (e.g. the router and client)? Please remember there is a cost issue, since it is a charity.

Thanks
 
Client wise, the VPN client supplied with current versions of Windows should be sufficient. There are other clients available offering more features, but they come with a price tag.

The server would depend upon how many users you will have connecting at one time, and what operating system is running on the server?
 
The application machine will be running Windows XP Pro. The application is written in MS Access. There could be as many as 25-30 users logged on at one time.

If I can use the std Microsoft VPN client, what type of VPN router should I be using and what would you recommend for the security (IPSec)?
 
This is not going to be an inexpensive project, as there are a couple of problems to overcome.

1.) "Pro" versions of Windows will only allow 10 connections to shared resources at one time. There are some factors that can cause one remote computer to use more than one of these available clients, so it is best to assume you will only be able to have five computers (plus the one acting as a server) using the file at the same time. This has nothing to do with a VPN connection -- if you had 11 computers at the same physical location, they would not all be able to use the shared file at the same time.

2.) MS Access applications do not work well over a VPN (or any slow connection, for that matter). An Access application requires that very large chunks of the file move to the client for processing then back to the server for storage. Over a 100mb LAN this is not a big problem, but over a 256kb VPN connection you will have frustrated remote users (best case) or constant database corruption problems (worst and most likely case). One or two users on an occasional basis may be OK, but 25-30 users will be a problem.

A few options:

1.) Buy a server with Windows Server 2003 and Terminal Services. The Terminal Services will allow your remote users to run the Access application on the server instead of their remote computer, so only the display information and keyboard/mouse input are going over the VPN. This should work quite well. The Windows Server should also be able to handle being a VPN server as well, if you are happy with a PPTP connection. The server will need lots of RAM and some decent processing power. This would easily require a $5-10K budget, just to get off the ground. The biggest advantage to this route would be little or no modifications to the application.

2.) Modify the application to use a SQL server to store the data. The server would be doing much of the work and only the data being reviewed or changed would travel across the slow connection. The cost of changing the application would depend upon the complexity of the application and how it was originally coded. Some applications can be converted very easily, sometimes it is best to start from scratch -- maybe even a move away from the Access interface. You will still need something different for a server.

You could go the way of a Microsoft Server with Microsoft SQL server. Again, this machine could also act as your VPN server. I would think hardware and software on the order of $4-8K. You will still have the cost of software conversion to deal with.

Linux would be the other option for the server. Linux is free and there are SQL servers for Linux. You may want to buy commercial versions of these products for the support provided. The hardware would not need to be quite as beefy -- if you needed to you could reuse existing hardware. If you move to something better later on, you don't have the issues with buying the OS again that you may have otherwise. Many other things that you could add on at little or no cost as well -- including several VPN solutions. You could spend as much as $8K with this option, the low side would depend upon if you reuse hardware and how much (if any) you spend on support. Again, you will still have the software conversion to deal with.

Afraid that got a bit more lengthy than I planned, but some complicated issues to deal with.

As to the VPN itself, for individual users connecting to a VPN server I tend to use a PPTP client. The one that comes with Windows works fine. The security provided with PPTP is more than sufficient for most applications (in my opinion) and the processing overhead on both ends of the connection is a bit less.

IPSec is certainly an option, although you will need to purchase a client for each of your users and you will not be able to use the Windows box as the server without additional software -- the software for the Linux box to act as an IPSec server is free.

If you were to use a separate device for a VPN server, the low end devices (NetGear, Linksys, etc.) will not handle the number of users you are indicating. I usually use SnapGear (CyberGuard) or Cisco products in that order.

The last money issue that I see for you is bandwidth. You will need at least 768kb of upstream bandwidth. Upstream bandwidth is usually less than the downstream bandwidth for DSL or cable connection. If you have a 1mb DSL connection, you may have 384kb or less upstream bandwidth. Upgrading your upstream can be a significant monthly expense, depending upon your provider.

Sorry for the length. Post back if anything needs clarified.

 