Remote Access Methods
About this Document
This document describes all the methods that are available on AXS Guard for allowing remote access to internal corporate network resources over the Internet.
Choosing a Remote Access Method
Several access methods are available:
- Application access: gives direct access to specific applications, e.g. a web-based application, an RDP application or a terminal server.
- Routed access: methods that allow users to access private corporate subnets.
- Managed access: similar to routed access, but uses managed personal devices for improved control and security.
Managed Access Solutions
Personal AXS Guard
Personal AXS Guard (PAX) devices are managed devices that receive their configuration directly from AXS Guard when establishing a VPN connection to corporate HQ. Users with a PAX unit do not need to install or configure any VPN software; everything is centrally managed.
PAX devices support split tunneling and firewalling. You decide which traffic travels over the VPN tunnel and which traffic can be routed over the Internet.
Always On VPN vs. User Authentication
User Authentication
The PAX Road Warrior provides managed access with user authentication and is designed to connect a single remote user to the enterprise network. It looks and works like a USB stick and is powered via USB. It does not feature any physical Ethernet ports. Instead, it features two wireless antennas.
It needs to connect to a public wireless network in order to establish a secure connection to AXS Guard. PAX Road Warriors can also function as a wireless access point or emulate an Ethernet device when plugged into the user’s computer.
Always On VPN
Always On VPN solutions allow clients to automatically establish a VPN connection without any user interaction.
Built-In WiFi and small switch
If you prefer a device with built-in WiFi and a small switch, then we recommend the PAX Home Office. This desktop model, which physically resembles an everyday home router, has one WAN port and four LAN ports and supports WLAN with three external WiFi antennas. You can also connect a 4G modem to the unit, e.g. when it is installed in a location where broadband Internet is not available.
No built-In WiFi or small switch
If you have your own access points and switches, then we recommend the PAX Industrial or Small Office model.
The PAX Industrial is extra robust and has an industrial casing so it can withstand harsher environmental conditions. It can be mounted to industrial machines using a DIN rail and can be equipped with WiFi antennas. Just like the PAX Home Office model, a 4G USB dongle option is available.
The PAX Small Office is similar in performance to the PAX Industrial model, but it does not support wireless connectivity. It is equipped with one WAN and one LAN port.
| | PAX Road Warrior | PAX Home Office | PAX Small Office | PAX Industrial |
|---|---|---|---|---|
| Dimensions | 82 x 24 x 11 mm | 243 x 160.6 x 32.5 mm | 165 x 105 x 43 mm | 31 x 100 x 125 mm |
| Number of supported users | 1 | 2-5 depending on usage | Depending on usage | Depending on usage |
| Ethernet WAN | No | One dedicated | One dedicated | One dedicated |
| Ethernet LAN | No | Four | One dedicated | One dedicated |
| Built-In WiFi | Yes | Yes | No | No (external antennas are optional) |
| 4G (optional) | No | Yes | Yes | Yes |
Routed Access Solutions
Types
There are two types of routed access solutions: site-to-site and client-to-site.
Site-to-site connections are connections between multiple networks, for example a corporate network in which several offices work together, or a central office with multiple branch locations. Site-to-site connections require at least two routers or endpoints, each routing one or more subnets through a VPN tunnel.
Client-to-site solutions are for individual users who want to establish a VPN connection with corporate HQ. The user does not share any of their personal subnets with HQ.
Site-to-site Connections
IPsec is the obvious choice for site-to-site connections and is configured on all endpoints. If the endpoints support GRE, you can use e-tunnels, which are easier to manage and troubleshoot. If one of the IPsec endpoints does not support GRE, you can only use a standard IPsec tunnel. Regardless of the tunnel type, RSA authentication is the best option for mutual authentication.
Client-to-site Connections
Users who cannot use IPsec for technical reasons can use a client-to-site VPN solution, which requires them to install and configure VPN software on their computer.
OpenVPN
OpenVPN is a user-friendly VPN solution which is widely supported (Linux, MacOS, Windows, iOS and Android). It also supports split tunneling.
SSTP
When you only need to provide remote access for Windows and Linux clients, you can use SSTP as an alternative. The SSTP client is built into Windows.
SSTP does not support split tunneling by default, but there are workarounds to overcome this limitation. You can either manually reconfigure the TCP/IP properties of the virtual NIC on all clients or use the Microsoft Connection Manager Administration Kit to do so.
Note that SSTP is also supported by MacOS, but it requires users to either enter commands via a terminal or to download a paid application.
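As an added example (not from the AXS Guard documentation or product), the scripted form of the first workaround above on a Windows client: the built-in VpnClient cmdlets create an SSTP profile with split tunneling enabled, which is equivalent to clearing "Use default gateway on remote network" in the virtual NIC's TCP/IP properties, and then add per-subnet routes so that only corporate traffic enters the tunnel. The connection name, server address, corporate prefixes, authentication method and encryption level are assumed placeholders.

```powershell
# Added example, not part of the AXS Guard documentation or product.
# Enables split tunneling on a Windows SSTP client profile and routes only the
# corporate subnets through the tunnel.
# Assumptions (placeholders): connection name, server FQDN, corporate prefixes,
# authentication method and encryption level are invented for this example.

$ConnectionName    = 'Corp SSTP'          # placeholder profile name
$ServerAddress     = 'vpn.example.com'    # placeholder public FQDN of the VPN server
$CorporatePrefixes = @('10.0.0.0/8', '192.168.10.0/24')   # placeholder internal subnets

# Create the profile if it does not exist yet. -SplitTunneling stops the client
# from sending its default route into the tunnel.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType Sstp `
        -EncryptionLevel Required `
        -AuthenticationMethod MSChapv2 `
        -SplitTunneling `
        -RememberCredential:$false
}
else {
    # Existing profile (e.g. created via the GUI with full tunneling): switch it over.
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# With split tunneling on, only explicitly routed prefixes use the VPN, so add a
# route for each corporate subnet; everything else stays on the local Internet link.
foreach ($prefix in $CorporatePrefixes) {
    $existing = Get-VpnConnection -Name $ConnectionName |
        Select-Object -ExpandProperty Routes |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Verify: SplitTunneling should be True and Routes should list the corporate prefixes.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, TunnelType, SplitTunneling, Routes
```

The script creates a per-user profile; add -AllUserConnection to Add-VpnConnection (run elevated) when the profile must apply to every user of the machine. Keep the routed prefix list as small as possible, since every prefix added is reachable from the client while the tunnel is up.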
L2TP
The third and final solution, L2TP, is based on IPsec. To use L2TP, you need to configure an IPsec server certificate and enable the IPsec server.
The L2TP client is built into Windows and MacOS. The L2TP tunnel configuration is similar to the IPsec site-to-site configuration, so system administrators should be familiar with IPsec.
The local IP address range must be configured in the L2TP settings, which means split tunneling is always used.
Application Access
Reverse Proxy
If you have an AXS Guard enterprise license and your application relies on HTTP, RDG or FTP, the best option is a reverse proxy with brute-force protection. The Reverse Proxy supports SSL offloading, request filtering and strong front-end authentication: if so configured, AXS Guard authenticates the user first, before the user even gets the chance to authenticate against the backend.
Remote Workspace
If the Reverse Proxy is not an option and all you need is remote control over a system in the office, we strongly advise you to look into our Remote Workspace solution which supports RDP, VNC and SSH.
AXS Guard Remote Workspace is a browser-based VPN solution that relies on HTML5. It allows users to remotely access corporate computers via a browser session over a secure connection (HTTPS). No dedicated software is required on the client side. Two-factor authentication is also supported.
Port Forwarding
When the Reverse Proxy or Remote Workspace solutions cannot be used, then your last option is to use port forwarding.
Port forwarding should always be used as a last resort, as it offers no brute-force protection and leaves the destination server or application directly exposed to the Internet.
Forwarded traffic is checked by the IPS and Application Control system (if they are enabled) before it reaches its final destination.
Port forwarding can be further secured with user authentication, which restricts access to the forwarded port based on the source IP address of the remote host. However, once a user coming from a given IP address has been authenticated, all other clients sitting behind the same IP address will also automatically have access to the forwarded port.