com4data Consulting, Beratung und Service GmbH
In mid-2020, Treuhand Saar Steuerberatungsgesellschaft mbH was faced with the challenge of fundamentally realigning its IT. In addition to renewing the server infrastructure, one of the main objectives was to improve the level of protection for external workstations using VPN solutions. Existing VPN connections required IPv4 Internet access, special VPN ports and separate administration of VPN access. This led to insurmountable obstacles, high costs and complexity for users.
com4data is a Microsoft Silver Partner and DATEV Solution Partner in the areas of accounting, human resources, cloud applications and PARTNERasp. These many years of experience ensure that the expertise of our employees in the field of business software is at the cutting edge of development - an advantage that is always passed on to our customers.
"The advantages of the new solution are obvious - cumbersome VPN installation vs. simple authentication via REINER SCT Authenticator!"
Patrick Wagner,
Managing Director
The commissioned com4data GmbH decided to use the Citrix NetScaler as a VPN gateway and reverse RDP proxy, together with the REINER SCT Authenticator for two-factor authentication using one-time passwords (OTP). This solution is considerably simpler to handle: no VPN client installations are necessary; a web browser is sufficient for logging on to the NetScaler user portal. Because the portal is reached over HTTPS, access also works via public hotspots and guest WLANs. Users log in with Active Directory credentials and use the REINER SCT Authenticator to generate an OTP.
The changeover brought significant advantages. Pre-installed VPN clients are no longer required, which has eliminated license costs and allows every employee to access the office network from any computer. In addition, separate VPN access management is no longer required, because access is tied to the Active Directory. The need for IPv4 addresses, special VPN ports and protocols has been eliminated; a connection to the server now uses the NetScaler as a secure intermediate station (reverse proxy). The new solution therefore offers simpler authentication methods, reduces administrative effort and at the same time increases the level of protection for employees working remotely.
Connect sales representatives and home offices to your own network in a modern and secure way!
In the middle of 2020, Treuhand Saar Steuerberatungsgesellschaft mbH in Saarbrücken had a complete IT overhaul on the agenda. In addition to converting the core infrastructure to the latest server hardware and software, the aim was to improve the VPN solution previously used.
The main focus here was on increasing the level of protection (introduction of 2-factor authentication) while at the same time reducing complexity for users.
Previously, the external workstations were connected to the office network with a classic VPN dial-in via an installed VPN client. The employees were able to connect to the terminal server farm from there. This procedure had several decisive disadvantages for the customer. Firstly, this type of VPN connection requires native IPv4 Internet access on the employee's side. In times when the available IPv4 addresses are becoming scarcer every day, this is already an insurmountable obstacle at individual Internet access points. Secondly, a VPN client must be purchased, installed and licensed for each workstation, which represents a cost factor for the law firm that should not be underestimated.
The employees, in turn, are dependent on the appropriately prepared PCs. At the same time, the VPN router requires separate administration of the VPN accesses. And last but not least, special VPN ports and protocols must be open on the client PC's Internet access. A guest WLAN that only allows HTTP and HTTPS, for example, cannot be used to dial into the office network.
com4data GmbH from St. Wendel was commissioned as the responsible IT partner to select and set up a more modern solution. As a modern hardware and software combination, the decision was made in favor of the Citrix NetScaler as a VPN gateway and reverse RDP proxy, as well as the REINER SCT authenticators for generating a one-time password (OTP) for the respective users. The interaction of these components offers the greatest possible protection, while at the same time significantly reducing administration costs.
In direct comparison with the previous solution, the new configuration offers a number of advantages: Because the NetScaler is used both as a VPN gateway and as an RDP proxy, there is no need to install a VPN client.
Users log in to the NetScaler user portal with a conventional web browser. Access is via HTTPS, secured with TLS 1.2 or TLS 1.3. The use of this standard protocol also enables login to the system via public hotspots or guest WLANs. Thanks to the Active Directory connection, employees can authenticate in the user portal with the same login data as they use at their in-house workstations.
After the first login, the OTP is requested, which is generated on the REINER SCT Authenticator.
The handy device replaces the previously used VPN client. Instead of a cumbersome software installation and the associated dependence on a single computer, employees can use any computer system to connect to the office network. If necessary, a client's PC on site or a private PC at home can also be used for access. Once the user has authenticated himself, he can then log on to the server farm via a link in the user portal. Here, the NetScaler acts as a reverse proxy. The user connects to the NetScaler, which connects to the server farm. There is no direct connection between the remote client and the server farm. Once the employee has finished their work, they simply close the open browser window and the connection is permanently disconnected.
Summarized
...The advantages of the new solution are obvious - cumbersome VPN installation vs. simple authentication via REINER SCT. No prepared PC necessary; license costs for VPN clients are completely eliminated. Instead of separate administration of VPN access, activation in the Active Directory. Instead of direct connection of the client to the server, additional protection through the use of a reverse proxy. Instead of partly restricted VPN protocols, only access to HTTP / SSL is required.