
Secure remote access in small and midsize businesses

Published: March 12, 2014

Applies To: Windows Server 2012 R2, Windows Server 2012 R2 Essentials

Who is this guide intended for? Small and midsize businesses that are looking for a secure way to access business data on any Internet-connected device from any location.

How can this guide help you? You can use this solution guide to understand the high-level solution design and implementation steps that we recommend to address secure remote access of business data in small to midsize businesses.

This guide describes a solution for when a Microsoft small or midsize business partner or an administrator needs a solution that enables users to easily access company data securely through a variety of Internet-connected devices.

The following diagram illustrates the problem and scenario that this solution guide addresses.

 

[Figure: Problems associated with remote data access]

 

 


This section describes the scenario, problem, and goals for an example organization.

As an example, your organization is a small to midsize business with up to 100 users and 200 devices. You are looking for a way for your users to securely access company data when they are off-premises and using a wide range of Internet-connected devices. The users do not have consistent access to company resources onsite and offsite. Files are not accessible after a network user steps outside his office. As a result, network users are saving company data on their mobile devices or sending it through email. They use a PC to send data from work, and they can send it from their laptops when they are working remotely. This results in multiple file versions. Sometimes after work hours, users need to work on files or access data from a variety of devices, such as tablets, pads, or laptops. Users are unable to work on their line-of-business applications when they are offsite.

Your organization wants to address the following problems:

  • How can you provide users with secure access to company data and line-of-business applications outside of your office network?

  • How can users securely access network resources on mobile devices?

  • How can you keep track of multiple file versions that result from network users saving company data on multiple devices (for example, on a PC at work and on a laptop when working remotely)?

  • How can you prevent business loss when users are unable to work because they do not have the line-of-business applications installed on their personal network-connected devices?

Your organization is looking for a solution that allows you to:

  • Provide secure access to company data and resources for users outside of the office network.

  • Enable users to access network resources on mobile devices.

  • Eliminate version conflicts that arise because multiple file versions are created when users work off local copies when they are outside the network. 

  • Prevent business loss due to lack of access to line-of-business applications outside of work hours.

This section describes the solution design that addresses the problems described in the previous section and provides high-level planning considerations for this design.

The following diagram illustrates how to store, protect, and securely access data from a server running Windows Server 2012 R2 Essentials or Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (referred to as Windows Server Essentials Experience in the rest of the document).

 

[Figure: Solution design for providing secure access to data outside of the network]

 

 

Windows Server 2012 R2 Essentials (appropriate for use for up to 25 users and 50 devices) and the Standard and Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (appropriate for use for up to 100 users and 200 devices) provide a solution for small to midsize business partners and owners to enable users to easily access company data securely through a variety of Internet-connected devices.

The following table lists the technologies that are included in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience that are part of this solution design, and it describes the reason for the design choices.

 

| Solution design element | Why is it included in this solution? |
| --- | --- |
| Windows Server Essentials Dashboard | Use the Dashboard to perform all administrative tasks in your network, such as creating user accounts, granting access permissions, setting up server and client backups, creating storage spaces and server folders, and integrating with Windows Azure Backup. For information about the Dashboard, see Overview of the Dashboard in Windows Server Essentials. |
| Remote Web Access | Use the Remote Web Access website portal to provide access to data and other network resources outside of your company network from a wide range of Internet-connected devices. In addition, users can connect to a computer on-premises by using a Remote Desktop session through Remote Web Access. For more information about configuring and using Remote Web Access, see Manage Remote Web Access and Use Remote Web Access. |
| Virtual Private Network | Use a virtual private network (VPN) to provide remote access to your company data and other network resources, or to connect to a computer on-premises by using a Remote Desktop session. For more information about VPN, see Manage VPN. |
| My Server App for Windows 8 and Windows Phone | Use the My Server app with a device that is running the Windows 8.1, Windows 8, or Windows RT operating system, or a Windows Phone 8, to provide access to documents and media on your server. For more information about the My Server app, see Use the My Server app to connect to Windows Server Essentials. |
| Storage Spaces | Use Storage Spaces to store your company data. With Storage Spaces, you can expand storage as your organization grows, ensure that your data has high availability, and make sure that your solution is cost effective. You do not need to spend money upfront on hardware, and you can scale up based on your business needs. For more information about Storage Spaces, see the Storage Spaces Overview and Storage Spaces Frequently Asked Questions. |
| Server Folders | Store your organization’s files and folders in the server folders that you create on your server. This enables you to consolidate your data in one central location that all network users can access. When you store your data in server folders, you can protect it against total server failure by using Windows Server Backup and Windows Azure Backup. For more information about server folders, see Manage Server Folders in Windows Server Essentials. |
| User management | Create user accounts and user groups to control access to your company’s data and devices. When you create a user group, you can provide the same access level to network resources for all members. For more information, see Manage User Accounts in Windows Server Essentials. |
| Device management | Join client computers to the network so that you can easily manage all the computers in the network through the Windows Server Essentials Dashboard. For information about all computer management-related tasks, see Manage Devices in Windows Server Essentials. |
| Windows Server Essentials Group Policy | Protect client computers from network attacks and keep the software and operating system on your computers up-to-date by implementing Windows Server Essentials Group Policy settings. |

 

Windows Server 2012 R2 Essentials and Windows Server Essentials Experience include the following features and technologies that can help a small or midsize Microsoft business partner or an administrator achieve the business goals that are listed in this solution guide.

Consider the following features and technologies when you are planning for this solution. We have included design recommendations for you for each feature or technology.

The Windows Server Essentials Dashboard in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience helps you quickly access key information and the management features on your server. By using the Dashboard, you can create and manage user accounts, manage devices and backups, manage access and settings for server folders and hard drives, view server alerts and take action on them, integrate with Microsoft Online Services, and install non-Microsoft add-ins that integrate with online services.

Recommendation: Use the Windows Server Essentials Dashboard to perform a majority of administrative tasks for your network. You can run tasks and wizards from the Dashboard to optimally configure the features that are included in your server. By using the Dashboard, you can also configure remote access permissions to network resources (such as shared folders, client computers, and VPN) on a per user basis.

You can use the Storage Spaces feature to create flexible, low-cost, resilient, and dynamically expandable data volumes. With Storage Spaces, you can virtualize your server’s storage by grouping industry standard hard disks into storage pools, and then create virtual disks (called storage spaces) from the available capacity in the storage pools. You can use these storage spaces to store your company data in one central location.

Recommendation: For small businesses with fewer than 10 users, use at least three SAS or SATA hard disks: one hard disk to be used for the operating system, and the other two to be used for storage spaces. We recommend that you create a storage space by using at least two hard drives with mirrored resiliency.

For small businesses with more than 10 users, or midsize businesses with up to 100 users, configure at least three SAS hard disks with Storage Spaces: one hard disk to be used for the operating system, and the other two to be used for storage spaces. We also recommend providing a server chassis that supports adding more drives for expansion.

By using server folders, you can store files that are located on client computers to a central location. Storing files in server folders ensures that files are always accessible from every client in a secure manner by using authenticated network credentials.

Recommendation: Create server folders on a storage space drive and create separate server folders for departments or projects. For example, if you have an accounting department, you can create a server folder called “Accounting.” Creating the server folder on a storage space disk increases data availability (due to mirroring).

We also recommend that you set a quota for your server folders so that you are alerted when a server folder is about to reach its capacity. When you are alerted, you can delete files in the server folder to increase available space for storage, or you can add more space to the server folder and adjust its quota settings. You can also configure which server folders are available remotely, and you can assign remote access permissions to user accounts that can access server folders from off-premises.

You can easily manage access to your network resources by creating user accounts for all your network users from the Users tab of the Windows Server Essentials Dashboard. In addition, you can create user group accounts, and then add the user accounts as members. All members of a user group account share the same security access level to server resources.

Recommendation: Create user accounts that include members of various user groups, based on the departments that exist in your company or the various projects that people work on within your company. When you create user groups, you can assign a set of permissions to each user group that applies to all its members. For example, if you have a group of users who are working in accounting department A, you can create a user group account called “Department A User Group,” and then add the relevant user accounts to this group. Next, you can assign the “Department A User Group” permissions to access the server folder named “Accounting.”

For each user account in your network, you can configure remote access permissions depending on the method that is used for remote access (such as Remote Web Access or a VPN). You can also configure access to network resources (such as server folders and client computers). You can create “VPN Users” and “RWA Users” user groups, configure remote access permissions for these groups, and then add to these groups the user accounts that you want to have remote access privileges.
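
A periodic review of who holds remote access through these groups, shown as an added example that is not part of the original guide. It assumes the groups were created with the names “VPN Users” and “RWA Users” suggested above, that it runs on the server with the ActiveDirectory PowerShell module available, and that 90 days is the review threshold (an illustrative value).

```powershell
# Added example: audit the accounts that hold remote access through user groups.
# Assumptions (not from the guide): the group names below match the groups you
# created, and 90 days without a logon is treated as stale.
Import-Module ActiveDirectory

$RemoteAccessGroups = 'VPN Users', 'RWA Users'   # assumed group names
$StaleAfterDays     = 90                          # assumed review threshold
$cutoff             = (Get-Date).AddDays(-$StaleAfterDays)

# SIDs of domain administrators, so that admins with remote access are flagged
$adminSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SID.Value }

$report = foreach ($groupName in $RemoteAccessGroups) {
    try {
        # -Recursive also resolves users who are members through nested groups
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    }
    catch {
        Write-Warning "Group '$groupName' could not be read: $($_.Exception.Message)"
        continue
    }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.SID `
            -Properties Enabled, LastLogonDate, PasswordNeverExpires

        $findings = @()
        if (-not $user.Enabled)          { $findings += 'disabled account still in group' }
        if ($user.PasswordNeverExpires)  { $findings += 'password never expires' }
        if (-not $user.LastLogonDate)    { $findings += 'never logged on' }
        elseif ($user.LastLogonDate -lt $cutoff) {
            $findings += "no logon in $StaleAfterDays days"
        }
        if ($adminSids -contains $user.SID.Value) {
            $findings += 'domain administrator with remote access'
        }

        [pscustomobject]@{
            Group         = $groupName
            User          = $user.SamAccountName
            Enabled       = $user.Enabled
            LastLogonDate = $user.LastLogonDate
            Findings      = ($findings -join '; ')
        }
    }
}

# Full membership on screen; only accounts with findings go to the review file
$report | Sort-Object Group, User | Format-Table -AutoSize -Wrap
$report | Where-Object Findings |
    Export-Csv -Path .\remote-access-review.csv -NoTypeInformation
```

Accounts listed in the CSV are candidates for removal from the remote access groups in the Dashboard.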

You can manage all the devices in your network from the Devices tab of the Windows Server Essentials Dashboard after you connect all the computers in your network to a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. To enable users to access server folders from computers in the network, you must connect the users’ computers to the server.

To do so, run the Connect Computer to the Server Wizard on all the computers that need to access files and folders that are located on the server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. When you run the wizard on a computer, it installs the Connector software and joins the computer to the server. This provides the following advantages:

  • Enables network users to securely access data that is stored on the server by using their user accounts.

  • Enables you to manage client computers from the Dashboard.

  • Protects client computers in the network by using Group Policy.

  • Backs up data on client computers regularly.

  • Monitors the health of the client computers.

Recommendation: Run the Connect Computer to the Server Wizard on all the client computers in the network, whether the computer is used remotely or locally.

When implemented, Windows Server Essentials Group Policy in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience helps keep your network secure by enforcing that Windows Update, Windows Defender, and the network firewall remain turned on for all the client computers in the network.

Recommendation: Turn on Windows Update, Windows Firewall, and Windows Defender settings in Windows Server Essentials Group Policy.

When you configure the Anywhere Access functionalities (Remote Web Access and the VPN), they enable network users to access server resources from any location that has an Internet connection, at any time, and on almost any device.

Recommendation: Run the Set up Anywhere Access Wizard to set up Remote Web Access and a virtual private network. Fix the issues reported by the wizard when it completes.

Remote Web Access provides a streamlined, touch-friendly browser experience for accessing applications and data from virtually anywhere that you have an Internet connection and by using almost any device.

Recommendation: Configure the permissions of users and user groups for Remote Web Access so that remote users can securely access data from off-premises locations.

Virtual private network (VPN) connections enable users who are working at home or on the road to access a server on a private network by using the infrastructure that is provided by a public network, such as the Internet.

Recommendation: Configure the permissions of users and user groups for the VPN so that remote users can connect to your server through a secure VPN connection.

The My Server app lets you connect to resources and perform light administrative tasks on your Windows Server Essentials server from a device that is running the Windows 8.1, Windows 8, or Windows RT operating system. In My Server, you can manage users, devices, and alerts, and work with shared files on the server. When you are offline, you can continue to work with files recently accessed in My Server, and your offline changes are automatically synchronized with the server the next time you connect.

Recommendation: Install the My Server app on any device that is running the Windows 8.1, Windows 8, or Windows RT operating system, and use My Server to access documents on your server.

You can use the steps in this section to implement the solutions. Make sure to verify the correct deployment of each step before proceeding to the next step.

Note
To follow these steps, it is assumed that there is already a server in the network that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. For information about installing Windows Server 2012 R2 Essentials or the Windows Server Essentials Experience role, see Install and Configure Windows Server 2012 R2 Essentials and Windows Server Essentials Experience.

  1. Turn on Anywhere Access (includes Remote Web Access and VPN functionalities).

    To turn on Remote Web Access and a VPN, run the Set up Anywhere Access Wizard from the Anywhere Access tab on the Settings page of the Dashboard. To turn on Remote Web Access, follow the instructions in Manage Remote Web Access. To turn on VPN, follow the instructions in Manage VPN.

  2. Set up a domain name.

    To set up a domain name, follow the instructions in Manage Remote Web Access. If you do not have an existing domain name, you can get a free Microsoft personalized domain name (for example, yourhostname.remotewebaccess.com) by using the Set Up Your Domain Name Wizard.

  3. Create a storage space on the server.

    To create storage spaces, follow the instructions in Create a storage space.

    After you create the storage space, verify that it is listed on the Hard Drives tab of the Dashboard.

  4. Create server folders for various departments or data types as needed.

    To create server folders, follow the instructions in Add or move a server folder.

    Note
    If your organization has shared folders that are already being used, also move the data that is stored on various devices to the server folders that you create in this step.

    After you create a storage space, the default location of the server folder is on a storage space hard drive. To verify that all the server folders you created are listed, click the Storage tab on the Dashboard, and then click the Server Folders tab. We recommend that you always add server folders to a storage space hard drive.

  5. Create user groups and user accounts, and assign access permissions to network resources for departments or projects in your organization.

    Create user accounts for all the users in the network, and then create user groups based on the various departments and projects in your organization. You can also create user groups according to the method of remote access, such as users who access data through the VPN or users who access data through Remote Web Access.

    Next, add the user accounts to the relevant user groups based on the departments, projects, or remote access methods that the users are associated with. For step-by-step instructions to create user accounts, see Add a user account. For more information about user groups, see Manage User Accounts in Windows Server Essentials.

    To verify that all the user groups you created are listed, click the User Groups tab on the Dashboard, and then click the Users tab.

  6. Assign user access permissions to server folders.

    To assign permissions to user accounts so that users can access the server folders, follow the instructions in Manage access to server folders.

    After you have granted user access permissions, you can view or modify permissions to network resources for any user account by viewing the user account properties from the Dashboard. For more information, see Manage User Accounts in Windows Server Essentials.

  7. Connect all the client computers in the network to the server that is running Windows Server 2012 R2 Essentials or Windows Server 2012 R2 with the Windows Server Essentials Experience role installed.

    Before you connect a client computer to the server that is running Windows Server Essentials, review the following topics:

    Next, run the Connect Computer to the Server Wizard on all the computers in your network, whether they are local or remote. For step-by-step instructions to connect client computers to a server running Windows Server Essentials Experience, see Connect computers to the server.

    After you have connected a client computer to the server, verify that the computer’s name is listed on the Devices tab of the Dashboard. You can manage all computers that are connected to the server through the administrative tasks that are listed in the task pane of the Dashboard. For more information about using the Dashboard to manage computers, see Manage devices by using the Dashboard.

  8. Configure remote access permissions for user accounts and network devices.

    Assign remote access permissions to the user accounts and the network devices that users can use to connect remotely. This connection can be through a VPN connection or through a Remote Desktop session by using Remote Web Access. For step-by-step instructions, see the following sections in Manage User Accounts in Windows Server Essentials:

    • Give user accounts remote desktop permissions

    • Allow users to establish a remote desktop session to their computer

    • Change remote access permissions for a user account

    • Change virtual network permissions for a user account

  9. Implement Windows Server Essentials Group Policy.

    To implement Windows Server Essentials Group Policy, turn on Group Policy settings for Folder Redirection, Windows Defender, Windows Firewall, and Windows Update as discussed in Configure Group Policy settings for folder redirection and security.

  10. Install the My Server 2012 R2 app on Windows Phone and devices running Windows 8.1 or Windows 8.

    Install the My Server 2012 R2 app on your Windows Phone and devices running Windows 8 and Windows 8.1. You can install the My Server 2012 R2 app for devices running Windows from the Windows Store. For information about using this app, see Use the My Server app to connect to Windows Server Essentials.

    You can install the My Server 2012 R2 app on your Windows Phone from the Windows Phone Store. For information about the My Server 2012 R2 phone app, see the blog post My Server 2012 R2 Windows and Windows Phone apps.

    To successfully use the My Server 2012 R2 app for Windows Phone and devices running Windows 8.1 or Windows 8 in Windows Server Essentials, you must first install the server certificate on your device. The certificate enables you to connect your device to your server running Windows Server Essentials from your local network. For step-by-step instructions to install the server certificate, see How to connect to my server from my local network.

After you complete the previous steps, the goals for your organization as listed in this document are met as follows:

  • Network users can use Remote Web Access or a VPN from outside of the office network to securely access company data and resources.

  • Users are able to access network resources from a wide range of mobile devices by using Remote Web Access, a VPN, or the My Server 2012 R2 app.

  • Users can work from outside of the network, so they no longer need to use local copies when they are working off-premises. Version conflicts that arise from multiple file versions are eliminated.

  • Business loss is prevented because network users can access their line-of-business applications outside of work hours by using a VPN or by using Remote Web Access to create a Remote Desktop session with their on-site client computers.
