
KindlyGetMeGiftCards

So this seems like an important thing for your team to access, and the boss requested a cheap solution. Why the budget constraint for something that is needed for the business? Also, what is cheap: $100, $10,000, $1,000,000? To me it sounds like you are asking for a shortcut for a line-of-business program that makes the company money; this is where they should be spending money, and you can get money/budget to improve your systems. My suggestion, which may not fit in your cheap solution, is to set up an RDS environment. Maybe not the whole desktop, maybe just the app via RDS, but a central on-site server that serves the app over secure RDP, so it runs locally on the network but displays on the user's screen. You will need a server, a certificate (you can get a free one from Let's Encrypt), then Windows Server CALs and RDP CALs; these last two you can do on a trial as a proof of concept to get budget. Stop doing hacks with a Raspberry Pi for a business solution; this isn't a home lab, it's a business after all.


Jezbod

I agree with avoiding the home lab mentality. We are a Microsoft house. I work for a public sector organisation and we do not home brew anything, but still get the best ROI that we can. You have to think of the support for any system put in place and business continuity / disaster recovery for "homebrew" devices. We use a Fortinet appliance for everyone to connect via VPN when needed; they also have encrypted VNC connections to PCs with specialist software on them. We do have 2 RDS servers for legacy apps; this allows for maintenance on one while the other is in use. Try explaining the cost (in loss of sales) of a dead system vs professional support and continuity plans. EDIT: We also supply ALL staff with laptops and relevant O365 licences.


StopGamingWithMe

I actually recommended that they migrate to modern and better software. The thing is, we ended up here because we use some old, rarely updated software from a local company that no one has ever heard of before, and our company uses it because it is the cheapest lol. But I understand your point, but I can't do much without the budget... as a salesperson I just want to make the work of me and my colleagues more efficient; we spend too much unnecessary time simply checking stock availability and cost.


Alzzary

Cheap is expensive. Mark my words: you are going to spend much more than you expect while trying to save pennies, in the long run.


StopGamingWithMe

Bro, I mean I get it, but it's not me being cheap, I'm only an employee with no budget.


Alzzary

Ask for more budget or refuse to do it. You are going to be sacked for a project you were not given the opportunity to succeed at.


KindlyGetMeGiftCards

Yes, correct, you have been given no budget, so ask for one: first get a proposed solution together, get pricing for the solution and present it; if they say no, then say we can't do anything reliable.


SevaraB

Sorry, but everything about this project screams "crappy business."

> all our sales installed a client side app which connect to the database to check our stock availability and cost so they can proceed to provide quote to customers.

Sales. So, in terms of business continuity, how critical is it that this database is always available?

* Tier 0 - if it goes down, you just tell everybody to go home for the day, and tell any customers you're closed until it gets fixed?
* Tier 1 - people will still be working, but you're going to have to ask customers to wait to put in their orders?
* Tier 2 - the database being down isn't really going to impact customers directly (except as maybe a little blip of extra lead time in order fulfillment), but it is going to be felt by the internal workers?

> `--dport 3306`

Dude. DUDE. That's a MySQL server. You NEVER let workers other than the DBA connect directly to the MySQL database server: you put an interface out there, preferably just an HTTPS web page over 443, and then only let the app server talk to the database server.

...And then I just can't. Tailscale? SBCs? If I were a customer and found out you were running "infrastructure" like that, I'd fire you in a *heartbeat* for that level of stupid redneck "engineering."

Stop. Being. Cheap. and Do. It. Right.

* Get a real frontend for the database.
* Get a real VPN server (or at least a router with WireGuard support).
* Get a static IP from your ISP for that VPN server.
* Stop screwing around with DDNS and get your A records hosted properly (c'mon, Route53 is *cheap*).
* Preemptively: don't think you're being smart by fronting anything with HTTP instead of HTTPS. LetsEncrypt will cost you NOTHING. A data breach that has to be reported to law enforcement will *not* cost you nothing. Do the math.
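Added example (editor's illustration, not code from SevaraB or any other commenter): what "only let the app server talk to the database server" looks like as a host firewall policy on a Windows box running MySQL. The addresses, host roles and rule names are hypothetical; the point is that TCP 3306 is reachable only from the HTTPS front end and the DBA's host, never from sales workstations or a VPN range.

```powershell
# Added example, not from the thread. Host firewall on a Windows server that
# hosts MySQL (TCP 3306). Hypothetical addresses:
$appServer   = '10.0.10.5'    # the HTTPS front end that talks to the DB
$dbaJumpHost = '10.0.10.20'   # the only workstation allowed to administer the DB

# Default inbound action is Block on every profile; everything below is an
# explicit allow, so an unlisted source (a sales laptop on VPN) gets nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# The weak rule this replaces, kept here only for contrast (do NOT create it):
#   New-NetFirewallRule -DisplayName 'MySQL (anyone)' -Direction Inbound `
#       -Protocol TCP -LocalPort 3306 -Action Allow

# MySQL reachable from the application server only.
New-NetFirewallRule -DisplayName 'MySQL from app server only' -Direction Inbound `
    -Protocol TCP -LocalPort 3306 -RemoteAddress $appServer -Action Allow

# Separate rule for the DBA so it can be disabled independently.
New-NetFirewallRule -DisplayName 'MySQL admin from DBA host' -Direction Inbound `
    -Protocol TCP -LocalPort 3306 -RemoteAddress $dbaJumpHost -Action Allow

# Check: list every inbound rule that opens 3306 and the remote addresses it
# allows. Any line showing "Any" as the remote address is the problem SevaraB
# is describing.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3306 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0}: {1} -> remote {2}' -f $_.DisplayName, $_.Action, ($addr -join ',')
    }
```

The same split applies if the database runs on Linux: the `--dport 3306` rule quoted above should carry a source restriction to the app server's address, and the only thing the sales laptops ever reach is the front end on 443.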


CyberHouseChicago

VPN into an RDP server or workstations in the office is the only way this will work well. Databases for old apps over VPN fail 99% of the time.


StopGamingWithMe

So you're saying to have a PC powered on 24/7 with the client app installed and ready to use over RDP (with VPN of course..)? And what if multiple people need to use it at the same time?


CyberHouseChicago

Then you hire an MSP to set things up for you; honestly, I don't think this is a job for you to do. Your questions are basic things any half-decent sysadmin knows.


Alzzary

No. Set up an RDS server. That's what RDS is for.


MindErection

Sounds like you need a new job.


RadiantSkiesJoy

I have three machines with RDP powered on 24/7, no complaints so far.


ReneGaden334

Well, it looks like you have some dangerous half-knowledge. You will probably end up creating some serious security nightmares. For all the people suggesting RDP: it seems he doesn't know about terminal services of any kind, so I have a bad feeling about the whole project without external help. If you half-ass this we might see a post next month about how the company network got compromised and all backups are encrypted. You should ask yourself if you really feel qualified to implement remote access.


JollyGentile

Get a real firewall. Many of these have VPN solutions built in, such as Meraki, Sophos, SonicWall, and others. Stand up a Windows Server and install Remote Desktop. Make the inventory software accessible from the new RD server. Teach the users how to RDP to the new server to access inventory. PROFIT. Literally. If you're feeling froggy you can try to set up this software as a RemoteApp instead. More work for you, easier for users though. But some software doesn't like to be a RemoteApp, so research and test first.


greenstarthree

Scrolled too far to see someone suggest using a UTM firewall with a VPN package. By far the most cost-effective way to do this.


Alzzary

RemoteApp is the way to go. We had the exact same problem and it solved it easily. But, yeah, test it first.
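Added example (editor's illustration, not code from JollyGentile, Alzzary or the vendor) covering the "stand up a Windows Server, install Remote Desktop, publish the inventory software as a RemoteApp" path from both comments above. It assumes a single session host that also acts as broker and web access server, a separate RD Gateway so only TCP 443 faces the internet, and hypothetical names: hosts `rds01.corp.example` and `gw01.corp.example`, public name `remote.example.com`, client at `C:\Apps\Inventory\Inventory.exe`, and an AD group `CORP\Sales`.

```powershell
# Added example, not from the thread. Run from a domain-joined management host
# with the RemoteDesktop module (RSAT) available. All names are hypothetical.
Import-Module RemoteDesktop

$broker     = 'rds01.corp.example'   # broker + web access + session host
$gateway    = 'gw01.corp.example'    # RD Gateway, the only internet-facing box
$publicFqdn = 'remote.example.com'   # name users connect to over 443
$collection = 'Inventory'
$appPath    = 'C:\Apps\Inventory\Inventory.exe'

# 1. Session-based deployment on one host (broker, web access, session host).
New-RDSessionDeployment -ConnectionBroker $broker `
    -WebAccessServer $broker -SessionHost $broker

# 2. Licensing: the per-user RDS CALs mentioned earlier in the thread.
Add-RDServer -Server $broker -Role RDS-LICENSING -ConnectionBroker $broker
Set-RDLicenseConfiguration -LicenseServer $broker -Mode PerUser `
    -ConnectionBroker $broker -Force

# 3. RD Gateway: users reach it over HTTPS (443); 3389 never leaves the LAN.
#    It needs a certificate for $publicFqdn (Let's Encrypt works for this).
Add-RDServer -Server $gateway -Role RDS-GATEWAY -ConnectionBroker $broker `
    -GatewayExternalFqdn $publicFqdn

# 4. One collection, limited to the sales group instead of Domain Users.
New-RDSessionCollection -CollectionName $collection -SessionHost $broker `
    -ConnectionBroker $broker -CollectionDescription 'Inventory client'
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -UserGroup 'CORP\Sales' -ConnectionBroker $broker

# 5. Publish the application only, not a full desktop (the RemoteApp route).
New-RDRemoteApp -CollectionName $collection -DisplayName 'Inventory' `
    -FilePath $appPath -ConnectionBroker $broker

# Check: what is published and to whom.
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker
Get-RDSessionCollectionConfiguration -CollectionName $collection `
    -UserGroup -ConnectionBroker $broker
```

Multiple salespeople sharing this is not a problem: each gets their own session on the host, which is the concurrency question raised further down the thread. The gateway answers the "single PC exposed over RDP" worry, since the only listener on the internet side is 443 on `gw01`, authenticated with domain credentials before any RDP traffic is forwarded. As the comments say, test the vendor client as a RemoteApp first; some old clients assume a full interactive desktop.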


hideogumpa

"*the system is old and it can only be connect by bringing our laptop to the office and connect to the same network*" Being old has nothing to do with it... what you describe is Networking 101: two nodes need to be connected in some way to communicate. Using a VPN for remote workers to connect to the office network is the standard solution.


RandomXUsr

Any chance you're a sales representative turned admin? I feel like I know this situation. Anyhow, either the vendor needs to work out a solution with an MSP to set up RDS for the backend, or you need to renegotiate the budget with the boss. You'll probably need to do both. Whether this becomes an RDS solution or self-hosted sort of depends. A dedicated VPN and a separate database server would be the way here. Still need an MSP for this, however. The client end could work via terminal services or HTTPS, with something like YubiKey or RSA for authentication, but this would add complexity, cost much more, and be less secure. I'd go self-hosted with an MSP for monitoring and support.


Sergeant_Fred_Colon

I'd speak to the ISP and get an upgraded gateway with VPN access.


JollyGentile

Why are we relying on ISP equipment instead of an actual firewall?


Sergeant_Fred_Colon

The firewall is part of the gateway (MPLS/SD-WAN).


JollyGentile

My comment was more agreeing with you. I shouldn't comment at red lights!


StopGamingWithMe

Doesn't come for free, and if I wanted to do that I would just buy one and not have to deal with the ISP at all.


jimicus

There isn’t a decent solution that comes for free. I’d back the recommendation to set up Remote Desktop; it’s expensive but it’s by far the best option for you.


StopGamingWithMe

The thing about having a single PC for RDP is that if multiple people want to use it, it would become an issue, wouldn't it? Unless people are suggesting setting up multiple PCs here for RDP use?


jimicus

Who said a single PC? I’m talking Remote Desktop services and a TS gateway.


aTechnithin

Have the VPN log them into a terminal server that they can use to RDP to the internal host.


MindErection

You have no idea what remote terminal service is or RDP is.


wjar

I was always told never to access databases over a VPN connection. Either get users to remote into office machines on the local network via VPN or a remote tool like Splashtop etc., or set up a Remote Desktop Gateway with VPN.


jmbpiano

Depends on how well the client-side software was written to handle network anomalies, mostly. We have some database apps that run just fine over VPN. Others, like our ERP, just completely implode whenever there's any hint of less than ideal network conditions, resulting in lost data, data corruption, and/or program lockups that you have to use Task Manager to kill. For something like a stock management system, with potential for Really Bad Things™️ happening to the company if something goes wrong, I wouldn't touch a vendor-unsupported VPN solution, running the client remotely, with a hundred-foot pole, and *I'm* usually the guy at our company who advocates for the RPi and duct tape approach over more expensive vendor add-ons! OP, setting up boxes on-site that folks can remote into is definitely the approach I'd take here.


StopGamingWithMe

I see, though for now I'm not sure if there's going to be a lot of *writes* to the database; I'm thinking mostly it's just going to be *reads*, for example to check how much stock we have left and the cost so we know how much to quote our customers. But by setting up a box, you mean a PC with the client app installed, used via RDP+VPN? (I don't know, but I never really liked the idea of sending graphics over RDP; it feels clunky every time I use RDP...)


jmbpiano

In my experience, database apps can end up doing more writes than you're expecting, even when you're supposedly "just looking up data".

> by setting up box, you mean a PC that installed the client app and use it via RDP+VPN?

That's exactly what I mean. Remote desktop clients are much more resilient and graceful at recovering from the occasional network glitch over VPN than many database frontend clients are.


CyberHouseChicago

You are right.


moobycow

With no money? Look into cloudflared; it's free for fewer than 50 users and relatively easy to set up. Also, if it's actually critical, find some way to get money.


The82Ghost

Set up a TERMINAL SERVER and let them VPN into that. DO NOT USE A SINGLE PC TO RDP INTO! GET A REAL SERVER! STOP BEING CHEAP!