Surviving the winter weather: how to remote work successfully!

You may have been blown off course by the wind, been late because of leaves on the line, and are rightly worried about any kind of snow (not just the wrong kind), but why not just stay at home instead.

I have highlighted different technologies that’ll ensure you can get work done from the comfort of your own home and in this post I want to contrast and compare these.

If your IT is under the control of Active Directory it is a relatively simple matter to allow you or your users to tunnel into work from Windows 7 and later to connect to a Windows Server 2012 server the Direct Access role.  You can lock this down with two factor authentication using things like smart cards, to make it as secure as you need to. Just as importantly, all that needs to be done on the clients is join them to a designated group and mange them centrally within group policy, so it’s low maintenance using familiar tools.  To give you an idea of how well it works, I can continue a Skype or Lync call while I am connecting and it only requires the SSL port ( 443) to be open on firewalls so as well as working at home you can get stuff done on planes trains and automobiles (but not while driving please).  Direct Access moved on Windows Server 2012 and no longer depends on Forefront UAG making it easier to deploy. How much easier will vary according to your security needs, but there are great lab guides to work though for most of the common scenarios including the ability to load balance Direct Access Servers for resiliency.

Not everyone has domain joined devices to connect in from, so you could augment your Direct Access in two ways.

Firstly you may employ a lot of contractors and vendors who have their own Windows devices that you don’t manage. In this scenario you could build a standard desktop deployment and setup special memory stick like certified devices with Windows-To-Go (WTG).  You can configure the desktop you deploy to this device to be Direct Access aware and the latest devices can be bitlocker enabled to make them as secure as your other desktops.  There’s a step by step guide to doing this here, and while this may work on a non-supported device it’ll burn out a conventional memory stick in a few hours.

That’s only going to work on x86 devices so Direct Access can additionally be configured to provide a VPN which would allow authenticated users to connect in from other kinds of devices.  In Windows Server 2012R2 it is possible to auto trigger a connection when a user requests a network resource and there’s even a lab for you to try this.  However what can they do when they get there?  Chances are they won’t have Office on these devices so while they might be able to open files editing is going to be difficult and not a great experience, though of course some access is better than none if you’re at home.

Another completely separate option is to create a Virtual Desktop Infrastructure (VDI), This is a pretty straightforward process the only tricky bit is opening this up via the dedicated Remote Desktop Gateway role which is designed to be installed on a perimeter network with restricted communication between it and the rest of the VDI.

A final variation on this theme is to use the same infrastructure but just use it to provide access to specific applications your users need rather than giving them whole desktops. If you’re remote workforce is on windows 7 or later they can save the links to these applications (known as RD-RemoteApp) as standard desktop shortcuts, if not then each one can be accessed from the remote desktop services web portal.

The big advantage of using remote desktops in the last two scenarios is that you as an administrator retain total control. The application or desktop is run from servers you administer and you can restrict such things as cut, copy and paste as well access to local resources to ensure that your data doesn’t leak out onto an unmanaged device.  There are other ways of dealing with this and Simon has a compete post on those aspects in this recent post.

One final thought: Whilst writing this article I’ve been suffering from man-flu and these tools have enabled me to work from home, when I am not really up to fighting my way in to work staying at home helps me from spreading whatever it is I have.  Of course some ill effects (not mine!) are alcohol related at this time of year, and your body can process about a unit of alcohol an hour. This means if you are out late on the sauce then you may well be over the legal alcohol limit for driving the following day, so be safe and work from home!



Comments (1)

  1. Adam Jacobs says:

    Shame on you Andrew! :)

    I would have thought focusing on Lync more would have been beneficial for an article focused around remote working?

    All the best, Adam.