
Connecting users to the corporate cloud

Connecting to the cloud can be viewed from two sides:
- the technology that connects end users to the cloud,
- connecting the corporate client's local infrastructure to the IaaS infrastructure in the cloud.
In this post we consider the first side: how an end user connects to a cloud service, and the methods, options and tools available for that.
Many small and even medium-sized companies have no local IT infrastructure of their own, preferring to deploy all the business solutions and services they need in the cloud of an IaaS provider (such as IT-GRAD). This approach is economically justified, profitable and convenient. The one thing that still raises questions and debate is the choice of connection method: which is better, more convenient and safer in a given situation? Let's figure it out.
End users usually connect to cloud services through a combination of several solutions. We will consider them separately; today's selection is as follows:
- RDP client
- RemoteApp
- Web access
- Remote access VPN
- Site-to-site VPN
- DirectAccess
- VDI
As practice shows, the choice of remote connection tool depends directly on the needs of the particular client, employee or department. An accountant, analyst or marketer may find the web interface more convenient, while an RDP connection or something similar suits a developer, application tester or ERP consultant. Let's consider each technology separately.
RDP Client (Remote Desktop Connection)
Remote desktop is one of the most common, convenient and universal tools for remote access to a workstation, including one deployed in the cloud.
This type of access is based on RDP (Remote Desktop Protocol), a proprietary application-level protocol. It is this protocol that lets the user work remotely on a computer running the terminal access service. Today there are clients for almost all operating systems in the Windows, Linux, FreeBSD, Mac OS X, iOS, Android and Symbian families.
The Remote Desktop client can be configured further. The user can save the username and password so that they need not be entered on every connection; from a security standpoint, however, it is better not to. Screen settings, keyboard layouts, sound playback and more can also be adjusted. If the local resources of the computer you connect from, including the clipboard, need to be available inside the remote desktop, that is available too. Finally, the user can change the graphics settings, which makes work more comfortable over a slow Internet connection.
Service Provider Requirements | Client connection |
A dedicated terminal server (Terminal Server). | Launch an RDP client (Windows, Linux, FreeBSD, Mac OS X, iOS, Android, Symbian). |
What it looks like from the user's side: using the RDP client, the user connects to the terminal server and sees the desktop of the remote system. Within the established session the user can run the applications deployed on the terminal server.
But what about security, and how reliable can such a connection be considered?
If the default settings are used when connecting via RDP, remote access will run with weak encryption and the traffic can be decrypted in transit. There are, however, several additional measures that help protect and optimize RDP.
One example is Remote Desktop Gateway, formerly known as Terminal Services Gateway (TSG).
Remote Desktop Gateway is a tool through which authorized remote users can connect both to resources on the enterprise's physical network and to the network in the IaaS provider's cloud.
Remote Desktop Gateway carries the Remote Desktop Protocol (RDP) over HTTPS, guaranteeing a secure connection and providing reliable encryption between remote Internet users and the cloud resources that their applications need.
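As an added illustration (not part of the original post), here is a small Python parser for the server's reply to the RDP security negotiation that happens at the start of every connection; it shows how a terminal server that only offers the legacy "standard RDP security" can be told apart from one that selects TLS or CredSSP/NLA. The PDU layout follows Microsoft's MS-RDPBCGR specification, and the three sample responses are constructed by hand, not captured traffic.

```python
import struct

# Security layers a server can select in RDP_NEG_RSP (see MS-RDPBCGR).
PROTOCOL_RDP = 0x0        # "standard RDP security": the weak default the post warns about
PROTOCOL_SSL = 0x1        # TLS
PROTOCOL_HYBRID = 0x2     # CredSSP / Network Level Authentication (NLA) over TLS
PROTOCOL_HYBRID_EX = 0x8  # CredSSP with early user authorization result
PROTOCOL_NAMES = {PROTOCOL_RDP: "standard RDP security (legacy encryption)",
                  PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "CredSSP/NLA over TLS",
                  PROTOCOL_HYBRID_EX: "CredSSP/NLA over TLS (early user auth)"}
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def classify_rdp_response(pdu: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm and report the chosen security layer."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match PDU size")
    x224_len = pdu[4]                       # length of the X.224 part after this byte
    if (pdu[5] & 0xF0) != 0xD0:             # 0xD0 = X.224 Connection Confirm
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:5 + x224_len]             # everything after the 6-byte CC header
    if not body:
        # No RDP_NEG_RSP at all: the server only speaks standard RDP security.
        return {"status": "ok", "protocol": PROTOCOL_RDP,
                "name": PROTOCOL_NAMES[PROTOCOL_RDP], "weak": True}
    if len(body) < 8:
        raise ValueError("truncated RDP negotiation structure")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", body[:8])
    if neg_len != 8:
        raise ValueError("bad RDP negotiation structure length")
    if neg_type == 0x03:                    # RDP_NEG_FAILURE
        return {"status": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "unknown")}
    if neg_type != 0x02:                    # anything but RDP_NEG_RSP is malformed
        raise ValueError(f"unexpected negotiation structure type {neg_type:#x}")
    return {"status": "ok", "protocol": value,
            "name": PROTOCOL_NAMES.get(value, "unknown"), "weak": value == PROTOCOL_RDP}

# Constructed sample responses (built by hand for this example, not captured traffic).
SAMPLE_NLA = bytes.fromhex("030000130ed000001234000200080002000000")     # selects CredSSP/NLA
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                 # bare CC, legacy only
SAMPLE_FAIL = bytes.fromhex("030000130ed000001234000300080005000000")    # HYBRID_REQUIRED_BY_SERVER

if __name__ == "__main__":
    for name, pdu in (("nla", SAMPLE_NLA), ("legacy", SAMPLE_LEGACY), ("fail", SAMPLE_FAIL)):
        print(name, classify_rdp_response(pdu))
```

A server whose reply parses as `weak` is one where the default-settings warning above applies; placing it behind a Remote Desktop Gateway or requiring NLA changes the answer.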
RemoteApp (Remote Terminal Services Applications)
RemoteApp is a variation of the option above. What are the similarities and differences?
RemoteApp is a tool for organizing remote access to applications installed on a server in the cloud.
The client can still use the applications as if they were installed locally. If at this point in the story the difference is not entirely obvious, read on.
When considering RDP, we talked about connecting directly to a remote desktop, which makes it possible to work with an instance of the operating system: the user sees the desktop, programs, icons, control panel and so on. With RemoteApp the situation is different: the user sees only the running remote application within their physical device.
The client, for example, launches the Microsoft Word shortcut on the desktop of their local computer, after which authentication begins. Word, however, is not installed on the user's local station. After successful authentication and authorization the application starts and is ready for work. How is this implemented?
The application is "published" on the remote server. When the shortcut is launched, RemoteApp connects to that server: an RDP session is established as part of the launch, and then the application starts without the remote desktop being displayed. For the user this creates the effect of a locally installed application.
This option is useful, for example, in the following cases:
- when access needs to be restricted to specific applications;
- when the user needs to combine work on the local machine with some application that has been moved to the cloud;
- when the application must be available under specific conditions and at low Internet speed.
Service Provider Requirements | Client connection (possible options) |
A configured RD Session Host server with a list of published programs (RemoteApp Programs list). | |
What it looks like from the user's side: the launched remote terminal services applications look as if they were running directly on the user's system. What is displayed is NOT the desktop of the remote system with applications running on it; instead the applications are integrated into the desktop of the user's system, with window scaling and their own application icons in the taskbar.
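The following Python script is an added example, not from the original post. It ties together the client settings mentioned under RDP client (saved password, redirected local resources and clipboard), the RD Gateway, and the RemoteApp shortcut described above: it parses a .rdp connection file of the kind a published RemoteApp shortcut uses and flags the settings that widen the session's exposure. The sample file, its host names and the password blob are constructed placeholders.

```python
# Constructed sample .rdp file for this example (hostnames and the password blob are placeholders).
SAMPLE_RDP = """\
full address:s:rds.example.com
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WINWORD
remoteapplicationname:s:Microsoft Word
gatewayhostname:s:gw.example.com
gatewayusagemethod:i:1
authentication level:i:0
prompt for credentials:i:0
redirectclipboard:i:1
drivestoredirect:s:*
password 51:b:0102030405
"""

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; type 'i' becomes int, 's' and 'b' stay str."""
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:                       # blank or malformed line
            continue
        name, kind, value = parts
        settings[name.strip().lower()] = int(value) if kind == "i" else value
    return settings

def audit_rdp(text: str) -> dict:
    """Report connection mode and settings that widen the session's exposure."""
    s = parse_rdp(text)
    findings = []
    if "password 51" in s:
        findings.append("saved password embedded in the file")
    if s.get("authentication level", 2) == 0:
        findings.append("server certificate errors are ignored (authentication level 0)")
    if s.get("enablecredsspsupport", 1) == 0:
        findings.append("Network Level Authentication disabled")
    if not s.get("gatewayhostname") or s.get("gatewayusagemethod", 0) == 0:
        findings.append("no RD Gateway: RDP goes directly to the host, not RDP over HTTPS")
    if s.get("drivestoredirect"):
        findings.append("local drives redirected into the session: " + s["drivestoredirect"])
    if s.get("redirectclipboard", 1) == 1:        # mstsc shares the clipboard by default
        findings.append("clipboard shared with the remote session")
    return {"mode": "remoteapp" if s.get("remoteapplicationmode") == 1 else "desktop",
            "program": s.get("remoteapplicationprogram"),
            "host": s.get("full address"),
            "gateway": s.get("gatewayhostname") or None,
            "findings": findings}

if __name__ == "__main__":
    for key, val in audit_rdp(SAMPLE_RDP).items():
        print(f"{key}: {val}")
```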
Terminal Services Web Access
Access to particular applications and desktops in the cloud (both options considered above) can be arranged through a browser, which is now installed on the vast majority of devices. For the user this option looks as follows: launch a browser, enter the required address, pass authentication, and then work with the published application(s) or remote desktop(s). In this case the application shortcuts are placed on a pre-configured web page.
Service Provider Requirements | Client connection |
A dedicated terminal server (Terminal Server). Example: Windows Server 2008/2012 + TS Web Access. | A URL for accessing the resource through a web browser. |
What it looks like from the user's side: in a web browser, the user enters the appropriate URL for the resource, passes authentication and authorization, and then gets access to the applications or the remote desktop over the web.
Another option for connecting to cloud services is a VPN connection.
Recall that a VPN (Virtual Private Network) is a generic name for technologies that build one or more trusted network connections over an insecure network such as the Internet, using various cryptographic tools.
There are two types of VPN tunnel: Remote access VPN and Site-to-site VPN. Let's consider each in more detail.
Remote access VPN
Another convenient, safe and frequently used tool for connecting to cloud resources is Remote access VPN.
Service Provider Requirements | Client connection |
A configured VPN device / server. | |
What it looks like from the user's side: an outgoing VPN connection is set up on the client side, which the user uses as needed. To reach a remote resource, the user launches the VPN shortcut, enters their credentials and, on successful authentication, gains access to the necessary resources. In other words, thanks to the IP configuration parameters issued during the VPN connection, the user's computer joins the virtual remote office network in the cloud and can use its resources as if it were located directly in the company's office (on the local network).

To access the file server resources in the cloud, each user must use a VPN connection. After successful authentication and authorization, the user gains access to File_server1.
Site-to-site VPN
There is, however, another possible scenario: company employees need to connect from their own non-virtualized, non-cloud infrastructure to a resource in the cloud.
What would this look like with the familiar Remote access VPN implementation?

Before accessing resources in the cloud, each user establishes a separate VPN connection to the VPN server and then accesses the file server resources at \\File_server1. And what does this look like with Site-to-site VPN? Let's start with the definition.
Site-to-site VPN implies the presence of two devices (for example, VPN Server 1 and VPN Server 2 in Figure 4) between which a tunnel is established. Users sit behind these devices on their local networks, and no special software is required on their computers.
For example, if the number of users in the company who need access to the file server is large enough, it is easier to implement a Site-to-site VPN connection between the VPN server in the cloud and a VPN server in the company's office. To do this, an additional VPN server is deployed in the company's office, and access to the file server resources then looks like this:

In this scenario the user accesses the resource in the cloud directly. In our example, when the user accesses the resource \\File_server1 in the cloud subnet, VPN Server 1 establishes a VPN connection with VPN Server 2 in the cloud, after which the user sees the contents of the requested resource. On the client side there is no need to create an outgoing VPN connection. This configuration is called Site-to-site VPN.
Service Provider Requirements | Client connection |
Two configured VPN servers. Example: a VPN server in the company and a VPN server in the cloud. | |
DirectAccess
In addition to the usual VPN implementations that can be used to connect to the cloud remotely, there is another technology that can rightly be called quite "young": DirectAccess.
DirectAccess provides remote access to corporate network resources as follows: as soon as the user's computer connects to the Internet, it immediately gets access both to Internet resources and to the entire corporate network.
That is, a user computer configured as a DirectAccess client automatically establishes a tunnel to the DirectAccess server and through it gains access to the entire corporate network. No additional actions are required from the user. The tunnel between the client and the DirectAccess server is established automatically, and the process is completely transparent to the user: no VPN connection to start, no credentials to enter (login and password, smart card PIN, and so on). Moreover, if the Internet connection is lost for a while (and the tunnel, of course, drops with it) and is then restored, the tunnel to the corporate network is re-established automatically, again without user intervention.
Service Provider Requirements | Client connection |
| |
VDI (Desktop Virtualization)
Since high business mobility today requires constant availability of applications for employees, the approach to implementing and solving such problems is constantly changing. Today a virtual desktop infrastructure (VDI, Virtual Desktop Infrastructure) is implemented on many cloud platforms of corporate IaaS providers. This technology centralizes user workstations on virtualization servers, creating a single point of management, deployment and maintenance.
On the client's side everything is just as simple: all that is needed is an Internet connection and a desktop PC, laptop, mobile phone or tablet. Given these, the user can reach their virtual workplace from anywhere in the world, and that is the merit of VDI.
In practice, desktop virtualization might look like this.
A server with a hypervisor is allocated in the IaaS provider's cloud. On it, separate virtual machines are deployed, as a rule running a client OS. A client program is launched on the user's end device and connects to this infrastructure. At first glance this type of connection differs little from an RDP connection. So what is the difference?
In the case of an RDP connection to a terminal server, the user gets a separate session on a shared Windows server. In the case of VDI (desktop virtualization), the user gets a separate isolated container with a client OS. Thus two key differences can be distinguished: a server OS versus a client OS, and a separate session (which shares the resources of one OS) versus an isolated virtual machine.
In terminal mode, isolation is at the session level, so if an application causes a failure at the level of the OS itself, all the other users working on the same server are restarted along with the user who launched that application. With desktop virtualization only one virtual machine is rebooted.
Service Provider Requirements | Client connection |
A deployed VDI virtual desktop infrastructure (solutions from VMware, Citrix, Microsoft). | The user gets a personal virtual PC that can be reached from a thin client, desktop PC, laptop, tablet or mobile phone. |
In conclusion, we present a general table with the considered technologies for connecting users to the cloud.
Technology | Service Provider Requirements | Client connection |
RDP client | A dedicated terminal server (Terminal Server) | Launch an RDP client (Windows, Linux, FreeBSD, Mac OS X, iOS, Android, Symbian) |
RemoteApp | A configured RD Session Host server with a list of published programs (RemoteApp Programs list) | |
Web access | A dedicated terminal server (Terminal Server) + TS Web Access service | A URL opened in a web browser |
Remote access VPN | A configured VPN server | |
Site-to-site VPN | Two configured VPN servers. Example: a VPN server in the head office and a VPN server in the cloud | |
DirectAccess | | |
VDI | A deployed VDI virtual desktop infrastructure (solutions from VMware, Citrix, Microsoft) | The user gets a personal virtual PC that can be reached from a thin client, desktop PC, laptop, tablet or mobile phone |
You can also read about the options for connecting the company's local infrastructure to the IaaS infrastructure in the cloud in our corporate IaaS blog, in the article "Connecting to the corporate cloud".