Secure remote access in small and midsize businesses
Updated: August 12, 2014
How can this guide help you? This guide explains how you can enable users to easily and securely access company data through a variety of Internet-connected devices from any location.
This guide describes a prescriptive, tested design and implementation solution that can help you provide secure remote access to your network users, by centralizing data storage, configuring your network for remote access, and restricting data access permissions.
In this solution guide:
The following diagram illustrates the problem and scenario that this solution guide addresses.
Problems associated with remote data access
This section describes the scenario, problem, and goals for an example organization.
The organization is small to midsize with up to 100 users and 200 devices, and it is looking for a way for users to securely access company data when they are off-premises and using a wide range of Internet-connected devices. The users do not have consistent access to company resources onsite and offsite. Files are not accessible after a network user steps outside the office. As a result, network users are saving company data on their mobile devices or sending it through email. They use a PC to email data from work, and they can email data to the office from their laptops when they are working remotely. Sometimes after work hours, users need to work on files or access data from a variety of devices, such as tablets, pads, or laptops; however, users are unable to use their line-of-business applications when they are offsite.
The organization wants to address the following problems:
Users do not have a secure way to access company data and line-of-business applications outside the office network.
Users do not have a secure way to access network resources on mobile devices.
Users are saving company data on multiple devices (for example, on a PC when at work, and on their laptop when remote). This leads to multiple file versions that are hard to track and locate.
Financial loss occurs when users are unable to work because they do not have the line-of-business applications installed on their personal network-connected devices.
Your organization is looking for a solution that allows you to:
Provide secure access to company data and resources for users outside the office network.
Enable users to access network resources on mobile devices.
Eliminate version conflicts that arise because multiple file versions are created when users work on local copies when they are outside the network.
Prevent financial loss caused by lack of access to line-of-business applications outside the office.
The following diagram illustrates how to store, protect, and remotely access company data from a server running Windows Server 2012 R2 Essentials or the Standard and Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (referred to as Windows Server Essentials Experience in the rest of the document).
Solution design for providing secure access to data when users are outside the network
Windows Server 2012 R2 Essentials (appropriate for use for up to 25 users and 50 devices) and the Standard and Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (appropriate for use for up to 100 users and 200 devices) provide a solution for small to midsize businesses to enable users to easily and securely access company data through a variety of Internet-connected devices.
The following table lists the technologies that are included in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience that are part of this solution design, and it describes the reason for the design choice.
Solution design element
Why is it included in this solution?
Windows Server Essentials Dashboard
Use the Dashboard to perform all administrative tasks in your network, such as creating user accounts, granting access permissions, creating storage spaces and server folders, and setting up an Internet domain name.
For information about the Dashboard, see Overview of the Dashboard in Windows Server Essentials [fwlink_SBS8_Admin].
Remote Web Access
Use the Remote Web Access portal to provide access to data and other network resources for users who are working outside your company network. With the My Server app, users can securely access network resources using their network credentials. They are able to access resources from a wide range of Internet-connected devices. In addition, offsite users can connect to a computer that is on-premises by using a Remote Desktop session through Remote Web Access.
For more information about configuring and using Remote Web Access, see Manage Remote Web Access in Windows Server Essentials [A_Web_Admin_H2] and Use Remote Web Access in Windows Server Essentials [A_Web_Client_H2].
Virtual private network
Use a virtual private network (VPN) to provide users with remote access to company data and other network resources or to connect to a computer that is on-premises by using a Remote Desktop session. With VPN, users can securely access network resources using their network credentials.
For more information about a VPN, see Manage VPN in Windows Server Essentials [blue].
My Server app
Use the My Server app with a device that is running the Windows 8.1, Windows 8, or Windows RT operating system, or a Windows Phone 8, to provide access to documents and media on your server. With the My Server app, users can securely access network resources using their network credentials.
For more information about the My Server app, see Use the My Server App to Connect to Windows Server Essentials [SBS8].
Storage Spaces
Use Storage Spaces to store your company data. With Storage Spaces, you can expand storage as your organization grows, ensure that your data has high availability, and make sure that your solution is cost effective. You do not need to spend money upfront on hardware, and you can scale up based on your business needs.
Server folders
Store your organization’s files and folders in the server folders that you create on your server. This enables you to consolidate your data in one central location that all network users can access. When you store your data in server folders, you can protect it against total server failure by using Windows Server Backup and Windows Azure Backup.
For more information about server folders, see Manage Server Folders in Windows Server Essentials [A_Web_Admin_H2].
User accounts and user groups
Create user accounts and user groups to control access to your company’s data and devices. When you create user groups, you can provide the same access level to network resources for all members.
For more information, see Manage User Accounts in Windows Server Essentials [H2].
Client computers
Join client computers to the network so that you can easily manage all the computers in the network through the Windows Server Essentials Dashboard.
For information about all computer management-related tasks, see Manage Devices in Windows Server Essentials [H2].
Windows Server Essentials Group Policy
Protect client computers from network attacks and keep the software and operating system on your computers up to date by implementing Windows Server Essentials Group Policy settings.
This section explains the design considerations and the decisions that led to the final solution design. It also provides the recommended configuration or usage of each feature that is used in this solution.
The Windows Server Essentials Dashboard in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience helps you quickly access key information and the management features of your server instead of using multiple native Windows Server Administration tools. For example, by using the Dashboard, you can create and manage user accounts and manage data in server folders.
Recommendation: Use the Windows Server Essentials Dashboard to perform a majority of administrative tasks for your network. You can run tasks and wizards from the Dashboard to optimally configure the features in your server. By using the Dashboard, you can also configure remote access permissions to network resources (such as shared folders, client computers, and the VPN) on a per-user basis.
Options for providing high availability and resilient storage for your company’s data include using the built-in RAID controller that comes with common server hardware. With this storage option, you could provide the storage availability and resiliency you need, but it can be relatively complex and costly.
In contrast, you can use the Storage Spaces feature to create low-cost, resilient, and dynamically expandable data volumes to store your business data, rather than storing it on standard hard drives. Storage Spaces include virtual hard disk drives (VHDs) that appear on the Hard Drives tab of the Dashboard.
Storage Spaces helps you save files to two or more drives so that your files remain safe if a drive fails. With Storage Spaces, you can virtualize your server’s storage by grouping industry standard hard drives into storage pools, and then create VHDs (called storage spaces) from the available capacity in the storage pools. You can use these storage spaces to store your company’s data in one central location, instead of all users saving data on their PCs.
Recommendation: For small businesses with fewer than 10 users, use at least three SAS or SATA drives—one drive to be used to back up the operating system, and the other two to be used for storage spaces. We recommend that you create a storage space by using at least two drives with mirrored resiliency.
For small businesses with more than 10 users or midsize businesses with up to 100 users, configure at least three SAS drives with Storage Spaces—one drive to be used to back up the operating system, and the other two to be used for storage spaces. We also recommend providing a server chassis that supports adding more drives for expansion.
By using server folders, you can store files that are located on client computers in a central location instead of users storing files on their PCs.
Storing files in server folders ensures that your files are easy to back up and easy to access. They are located in a place that is accessible from every client. Files are secure because accessing them requires using authenticated network credentials.
Recommendation: Create server folders on a Storage Space drive and create separate server folders for departments or projects. For example, if you have an accounting department, you can create a folder called “Accounting.” Creating the server folder on a Storage Space drive increases data availability (because of mirroring).
We also recommend that you set a quota for your server folders so that you are alerted when a server folder is about to reach its capacity. When you are alerted, you can delete files in the server folder to increase available space for storage, or you can add more space to the server folder and adjust its quota settings.
User accounts and user group accounts help you specify permissions that allow users to access your company data. This protects your company data from unintended user access. You can easily manage access to your network resources by creating user accounts for all your network users from the Users tab of the Windows Server Essentials Dashboard.
In addition, you can create user group accounts and add the user accounts as members. All members of a user group account share the same security access level to server resources. Group membership simplifies resource management because you can specify permissions for a group of users on one page. This is in contrast to opening property pages for each user in the network to assign relevant folder permissions.
Recommendation: Create user accounts that include members of various user groups, based on the departments that exist in your company or the various projects that people work on within your company. When you create user groups, you can assign a set of permissions to the user groups that will be applicable to all their members. For example, if you have a group of users who are working in Accounting Department A, you can create a user group account called “Department A User Group,” and then add the relevant user accounts to this group. Next, you can assign the “Department A User Group” permissions to access the server folder named “Accounting.”
For each user account in your network, you can configure remote access permissions, depending on the method that is used for remote access (such as Remote Web Access or a VPN). You can also configure access to network resources (such as server folders and client computers). For example, you can create user groups for “VPN Users” and “RWA Users,” configure remote access permissions for these groups, and then add the user accounts that you want to have remote access privileges to these groups.
To enable users to access server folders from computers in the network, you must connect the users’ computers to the server. Connecting computers to the server provides the following advantages:
Enables network users to securely access data that is stored on the server by using their user accounts.
Enables you to manage client computers from the Dashboard.
Protects client computers in the network by using Group Policy settings.
Backs up data on client computers regularly.
Monitors the health of the client computers.
Recommendation: Connect all the computers (local or remote) that you want to administer to the server so that you can manage them from the Devices tab of the Windows Server Essentials Dashboard instead of using the native server tool, Active Directory Users and Computers.
You can use the Implement Group Policy Wizard in Windows Server 2012 R2 Essentials or Windows Server Essentials Experience to centralize your data by turning on Folder Redirection. In addition, use this wizard to help keep your network secure by enforcing that Windows Update, Windows Defender, and the Windows Firewall remain turned on for all the client computers in the network. This eliminates relying on end users to turn on these settings on their PCs.
Recommendation: Do not turn off the Group Policy settings in Windows Server Essentials.
When you configure the Anywhere Access functionalities (Remote Web Access and the VPN), you enable network users to access server resources from any location that has an Internet connection, at any time, and on almost any device.
Recommendation: Run the Set Up Anywhere Access Wizard to set up Remote Web Access and a virtual private network. Fix the issues that are reported by the wizard when it completes.
Remote Web Access provides a streamlined, touch-friendly browser experience for accessing applications and data from virtually anywhere that you have an Internet connection and by using almost any device.
Recommendation: Configure the permissions of users and user groups for Remote Web Access so that remote users can securely access data from off-premises locations.
Virtual private network (VPN) connections enable users who are working at home or on the road to access a server on a private network by using the infrastructure that is provided by a public network, such as the Internet.
Recommendation: Configure the permissions of users and user groups for the VPN so that remote users can connect to your server through a secure VPN connection.
The My Server app lets you connect to resources and perform light administrative tasks on your Windows Server Essentials server from a device that is running the Windows 8.1, Windows 8, or Windows RT operating system. In My Server, you can manage users, devices, and alerts, and work with shared files on the server. When you are offline, you can continue to work with files that you recently accessed in My Server, and your offline changes are automatically synchronized with the server the next time you connect.
Recommendation: Install the My Server app on any device that is running the Windows 8.1, Windows 8, or Windows RT operating system, and use My Server to access documents on your server.
You can follow the steps in this section to implement this solution. Make sure to verify the correct deployment of each step before proceeding to the next step.
The following steps make the assumption that there is already a server in the network that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. For information about installing Windows Server 2012 R2 Essentials or the Windows Server Essentials Experience role, see Install and Configure Windows Server 2012 R2 Essentials or Windows Server Essentials Experience [WSE_Blue].
Turn on Anywhere Access.
With Anywhere Access, you can manage Remote Web Access and VPN functionalities. To turn on Remote Web Access and a VPN, run the Set Up Anywhere Access Wizard from the Anywhere Access tab on the Settings page of the Dashboard. To turn on Remote Web Access, follow the instructions in Manage Remote Web Access. To turn on a VPN, follow the instructions in Manage VPN in Windows Server Essentials [blue].
Set up a domain name.
To set up a domain name, run the Set Up Your Domain Name Wizard and follow the instructions in Manage Remote Web Access. If you do not have an existing domain name, you can get a free Microsoft personalized domain name (for example, yourhostname.remotewebaccess.com) during the Set Up Your Domain Name Wizard.
Create a storage space on the server.
To create a storage space, follow the instructions in the Create a storage space section of the Manage Server Storage in Windows Server Essentials.
You can also create a new two-way mirrored storage space by using the New-WssStorageSpace Windows PowerShell cmdlet.
After you create the storage space, verify that it is listed on the Hard Drives tab of the Dashboard.
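As an added example that is not part of the original guide, the following PowerShell builds the two-way mirrored storage space recommended in the design section and then verifies it, as this step asks, before any server folder is placed on it. It uses the standard Storage module cmdlets (New-StoragePool, New-VirtualDisk) rather than New-WssStorageSpace, and assumes a Windows Server 2012 R2 server with at least two empty poolable drives, that the drive reserved for operating system backup already holds a volume (so Windows does not report it as poolable), and the pool and space names shown.

```powershell
# Added example, not from the original guide. Creates a two-way mirrored
# storage space from the empty drives and verifies it before use.
# Assumed names: the pool and the storage space (virtual disk).
$PoolName  = "CompanyPool"
$SpaceName = "CompanyData"

# 1. Only empty drives are poolable; the OS backup drive (already formatted)
#    is therefore excluded automatically. Mirroring needs at least two.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 2) {
    throw "Mirrored resiliency needs at least two poolable drives; found $($candidates.Count)."
}

# 2. Create the pool on the server's local Storage Spaces subsystem.
$subsystem = Get-StorageSubSystem | Select-Object -First 1
New-StoragePool -FriendlyName $PoolName `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $candidates | Out-Null

# 3. Create a fixed-provisioned two-way mirror that uses the whole pool,
#    so a single drive failure does not take the company data offline.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName `
                         -FriendlyName $SpaceName `
                         -ResiliencySettingName Mirror `
                         -NumberOfDataCopies 2 `
                         -ProvisioningType Fixed `
                         -UseMaximumSize

# 4. Bring the new disk online and format it NTFS for server folders.
$vdisk | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false |
    Out-Null

# 5. Verify before moving on: the space must be healthy and mirrored.
$check = Get-VirtualDisk -FriendlyName $SpaceName
if ($check.ResiliencySettingName -ne "Mirror" -or $check.HealthStatus -ne "Healthy") {
    throw "Storage space '$SpaceName' is $($check.ResiliencySettingName)/$($check.HealthStatus); fix this before creating server folders."
}
$check | Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, HealthStatus,
    @{ Name = "SizeGB"; Expression = { [math]::Round($_.Size / 1GB) } }
```

The space created this way appears on the Hard Drives tab of the Dashboard like one created with the wizard.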
Create server folders for various departments or data types as needed.
To create server folders, follow the instructions in Add or move a server folder.
If your organization has shared folders that are already being used, also move the data that is stored on various devices to the server folders that you create in this step.
When you create a new server folder by using the Add Folder Wizard, on the Type a name and description for the folder page, in the Location field, store the folder in its default location, which is the storage space that you created in Step 1, to ensure high availability for the data. Verify that all the server folders you created are listed on the Storage tab of the Dashboard.
You can also add a server folder by using the Add-WssFolder Windows PowerShell cmdlet. For more information, see Add-WssFolder.
Create user accounts and user groups.
Create user accounts for all the users in the network, and then create user groups that are based on the departments and projects in your organization. You can also create user groups according to the method of remote access, such as users who access data through the VPN, or users who access data through Remote Web Access.
Next, add the user accounts to the relevant user groups, based on the departments, projects, or remote access methods that the users are associated with. For step-by-step instructions to create user accounts, see Add a user account. For more information about user groups, see Manage User Accounts in Windows Server Essentials [H2].
Verify that all the user accounts and user groups are listed on the Users and User Groups tabs of the Dashboard.
Assign user access permissions for the server folders.
To assign permissions to user accounts so that users can access the server folders, follow instructions in Manage access to server folders.
After you have granted user access permissions, you can verify, view, or modify permissions to network resources for any user account by viewing the user account’s properties from the Dashboard. For more information, see Manage User Accounts in Windows Server Essentials [H2].
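The Dashboard is the supported way to grant folder access; as an added example that is not the guide's or the Dashboard's own mechanism, the following PowerShell shows what the resulting least-privilege permission set for the “Accounting” folder and “Department A User Group” from the design section looks like when built directly, and how to verify that nobody else has access. It assumes the folder already exists on the storage space (the path is a placeholder), that the ActiveDirectory module is available on the Essentials server, and the sample account names are constructed.

```powershell
# Added example, not from the original guide. Creates the department group,
# adds its members, applies a least-privilege ACL to the Accounting server
# folder, and verifies that no other principal has access.
# Assumptions: placeholder folder path, constructed sample user names,
# ActiveDirectory module available on the Essentials server.
Import-Module ActiveDirectory

$FolderPath = "D:\ServerFolders\Accounting"   # placeholder: your folder on the storage space
$GroupName  = "Department A User Group"
$Members    = @("alice", "bob")                # constructed sample accounts
$GroupRef   = "$env:USERDOMAIN\$GroupName"

# 1. Create the security group once and add the department's accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Stop inheriting from the parent and drop every explicit rule, so the
#    folder's access list contains only what is granted below.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# 3. Administrators and SYSTEM keep Full Control (backup and management);
#    the department gets Modify, not Full Control, so members cannot
#    re-grant the folder to anyone else.
$grants = @(
    @{ Who = "BUILTIN\Administrators"; Rights = "FullControl" },
    @{ Who = "NT AUTHORITY\SYSTEM";    Rights = "FullControl" },
    @{ Who = $GroupRef;                Rights = "Modify" }
)
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $g.Who, $g.Rights, $inherit, $propagate, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify: only the three intended principals may appear in the ACL.
$expected = $grants | ForEach-Object { $_.Who }
$actual   = (Get-Acl -Path $FolderPath).Access | ForEach-Object { $_.IdentityReference.Value }
$extra    = $actual | Where-Object { $expected -notcontains $_ }
if ($extra) {
    throw "Unexpected principals on ${FolderPath}: $($extra -join ', ')"
}
"ACL on $FolderPath verified: $($expected -join '; ')"
```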
Connect all the client computers in the network to the server.
All clients need to be connected to a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. Before you connect a client to a server that is running Windows Server Essentials, review the following:
Run the Connect Computer to the Server Wizard on all computers in your network, whether they are local or remote. For step-by-step instructions to connect client computers to a server running Windows Server Essentials Experience, see Connect computers to the server.
After you have connected a client computer to the server, verify that the computer’s name is listed on the Devices tab of the Dashboard. You can manage all computers that are connected to the server through the administrative tasks that are listed in the task pane of the Dashboard. For more information, see Manage devices by using the Dashboard.
Configure remote access permissions for user accounts and network devices.
Assign remote access permissions to the user accounts and the network devices that users can use to connect remotely. This connection can be through a VPN connection or through a Remote Desktop session by using Remote Web Access. For step-by-step instructions, see the following sections in Manage User Accounts in Windows Server Essentials [H2]:
Give user accounts Remote Desktop permissions
Allow users to establish a Remote Desktop session to their computer
Change remote access permissions for a user account
Change virtual network permissions for a user account
Implement Group Policy settings.
To implement Group Policy settings in Windows Server Essentials, turn on settings for Folder Redirection, Windows Defender, Windows Firewall, and Windows Update as discussed in Configure Group Policy settings for folder redirection and security.
After the Group Policy settings have been implemented, verify that the task Configure group policy settings appears on the Devices tab.
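Beyond checking that the task appears on the Devices tab, a client-side check confirms that the enforced settings actually took effect. The following PowerShell, an added example that is not part of the original guide, runs on a joined client and reports any of the four settings (Windows Firewall, Windows Defender, Windows Update, Folder Redirection) that is not in the expected state. It assumes Windows 8 or 8.1 (the NetSecurity and Defender modules are present) and uses a placeholder server name.

```powershell
# Added example, not from the original guide. Run on a joined client to
# check that the Group Policy settings from the wizard took effect.
# Assumes Windows 8 or 8.1 (NetSecurity and Defender modules present);
# the server name is a placeholder.
$ServerName = "ESSENTIALS-SRV"    # placeholder for your Essentials server
$failures   = @()

# Windows Firewall must be enabled for the Domain, Private, and Public profiles.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne "True") { $failures += "Firewall profile '$($p.Name)' is off" }
}

# Windows Defender: real-time protection on and signatures reasonably fresh.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $failures += "Defender real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 7) {
    $failures += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
}

# Windows Update: service not disabled and automatic updating not turned off
# (NotificationLevel 1 = disabled, 0 = not configured).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if ($svc.StartMode -eq "Disabled") { $failures += "Windows Update service is disabled" }
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
if ($au.NotificationLevel -le 1) {
    $failures += "Automatic updates are off (NotificationLevel $($au.NotificationLevel))"
}

# Folder Redirection: the user's Documents folder should live on the server.
$shell = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
$docs  = (Get-ItemProperty -Path $shell).Personal
if ($docs -notlike "\\$ServerName\*") { $failures += "Documents folder is still local: $docs" }

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw "$($failures.Count) Group Policy setting(s) not in effect on $env:COMPUTERNAME"
}
"Group Policy settings verified on $env:COMPUTERNAME"
```

Run it in the context of a regular user (not an administrator) so that the Folder Redirection check inspects that user's own Documents location.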
Install the My Server 2012 R2 app.
Install the My Server 2012 R2 app on your Windows Phone and devices running Windows 8.1 and Windows 8. You can install the My Server 2012 R2 app for devices running Windows from the Windows Store. For information about using this app, see Use the My Server App to Connect to Windows Server Essentials [SBS8].
You can install the My Server 2012 R2 app on your Windows Phone from the Windows Phone Store. Verify that the My Server app is installed on your device. For information about the My Server 2012 R2 phone app, see the blog post My Server 2012 R2 Windows and Windows Phone apps.
To successfully use the My Server 2012 R2 app for Windows Phone and devices running Windows 8.1 or Windows 8 in Windows Server Essentials, you must first install the server certificate on your device. The certificate enables you to connect your device to your server running Windows Server Essentials from your local network. For step-by-step instructions to install the server certificate, see the “How to connect to my server from my local network” section in Use the My Server App to Connect to Windows Server Essentials [SBS8].
After you complete the previous steps, the goals for your organization as listed in this document are met as follows:
Network users can use Remote Web Access or a VPN from outside the office network to securely access company data and resources.
Users are able to access network resources from a wide range of mobile devices by using Remote Web Access, a VPN, or the My Server 2012 R2 app.
Users can work from outside the network so that they no longer need to use local copies when they are working off-premises. Version conflicts that arise from multiple file versions are eliminated.
Business loss is prevented because network users can access their line-of-business applications outside of work hours by using a VPN or by using Remote Web Access to create a Remote Desktop session with their on-site client computers.