Best-practice advice wanted when users want to work on their workstation and remotely (but on their desktop), on Windows
I've got a work-group of 5 people. All of them have their dedicated machine with Windows 7. They are all connected to a central server running Windows Server 2008 R2, currently mainly offering the file-server role, one shared data directory for all.
Now, what is considered best practice when these users want to connect to "their desktop" while on the road? Possibly storing everything desktop-related on the server, so that not all these desktop machines have to be running 24/7?
Some more details:
I could port-forward the remote-desktop port 3389 to different machines via different public ports, but if possible, these machines should be allowed to be powered down. Also, I think, security-wise, exposing all these machines to the WAN is tricky, even on non-standard ports. Only having one machine, the server, handling remote connections sounds better, possibly executing a personalised desktop environment on the server. Possible?
So far, I've tried to separate user data from the users' machines as well as possible, but had little luck. On *nix, having a homedir via NFS is simple; in the MS world "Remote profiles" seem to be considered unreliable and get bogged down once these "profiles" get big and have to be pulled over the network on each login. mklink, and thus warping a local Win7 profile dir to a server share, seems hackish and only works on the most up-to-date Windows OSs. Also, so far I've run into all sorts of permission and architecture problems, for example when I try to use that same Win 7 profile dir with a similarly set-up user on Win Server locally, ouch.
Being on a middle ground right now, I have some data server-side and some local data. For example, people's deskside Outlook pulls files from the server (which is considered unstable by MS, btw, at least as I understood it; fingers crossed for when data eventually gets corrupted).
More hackish middle ground: I emulate a server-side desktop by having the same apps on the deskside machines and on the server. People log in to the server only, with a same-username / same-password profile (ouch) on the server, and find a desktop similar to theirs on the real deskside system (argh!).
Is Microsoft Terminal Services a solution? So far I couldn't wrap my head around what it actually does. Or how it could help me.
Solution 1:
The Terminal Server is the way to go.
Or the other way is to VPN into the network and then do RDP on the workstation(s).
It's up to you what is the best.
Solution 2:
Terminal Services Gateway Server. Here is Microsoft's step-by-step guide.
It will give you granular control over who can access what, and it only exposes one port (port 443) to the Internet.
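As an added example that is not part of the answer above, the client side of the gateway approach can be captured in a .rdp connection file: gatewayusagemethod 1 forces every connection through the gateway (so 3389 never has to be forwarded to any workstation), authentication level 1 refuses to connect if the gateway's or workstation's identity cannot be verified, NLA is enabled, and drive/clipboard/printer redirection is switched off. The host names are placeholders for this example.

```text
full address:s:WORKSTATION01.corp.example
gatewayhostname:s:gateway.example.com
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
authentication level:i:1
enablecredsspsupport:i:1
prompt for credentials:i:1
redirectdrives:i:0
redirectclipboard:i:0
redirectprinters:i:0
```

Save it as, for example, workstation01.rdp and open it with mstsc.exe; the workstation still needs Remote Desktop enabled with the user in its Remote Desktop Users group, and the gateway's connection and resource authorization policies decide which users may reach which internal host.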