What method can I use to manage hundreds of VPNs/Remote Connections to servers outside the network

Tags: cisco-vpn, remote-access, vmware-server, vpn

Problem

We support hundreds of clients and have access to many of their servers via VPN/RDP (SSL VPN, Cisco VPN, MS VPN, etc.). The other kicker to this is we have to be able to let support employees in other departments of the company use these connections as needed for various projects, so there has to be some sort of interface to manage all the connections.

We were doing this through the use of a very dated version of VMWare Server (no longer available and unsupported) and an individual XP virtual machine for each client of ours. They send us their VPN installer and information (or .PCF file, etc.) and we set up a new VM with the needed VPN software and RDP shortcuts. Each user that needs access gets the old VMWare Server Console client installed on their machine and they view and work on the remote servers via this console.

There are too many issues with this method to list, but the most recent is XP/IE 8 VPN Support for these XP machines being phased out.

Attempts at Solving Problem

We've looked into numerous options that would allow us to manage many remote connections WITHOUT VPNs
(Team Viewer, Citrix GoToAssist Unattended Access, etc.), but many clients still insist on their particular brand of security/VPN/Etc. and we don't try to dictate it.

We looked at trying to just move to a newer Hypervisor and use Win7 VMs instead of XP, but the cost for the licensing was high and the overhead to run the number of individual VMs we need is also too high (and thus, also cost-prohibitive).

We looked into VDI in a box that would allow us to maintain "master" images of desktop VMs that have numerous VPNs installed (obviously only VPNs that can play nicely while installed alongside one another). Our thinking was that this would require less licensing and maintenance (i.e. no individual VM for every client), but this would likely also require some investment in hardware/software we don't have. Again, this could get expensive.

We discussed talking to our Sales/Administration about limiting our client connection options in our licensing agreement/software contract, but they don't want to add anything that could be a barrier to a potential sale… I really feel like this is our best option, but it probably won't ever happen.

Summary/TLDR

We need to be able to connect remotely to a lot of servers and use a lot of different VPNs at the same time

Our current solution was working, but was never ideal. Now it's failing fast and we need something else in its place.

We have considered lots of things, but a lot of them are expensive or we aren't sure if they are the best solutions available.

We're looking to find out what kinds of tools others use to manage this kind of rat's nest of server connections and we're trying to do it in a cost-effective way, or at least in a way that has enough longevity to provide return on investment.

Thanks in advance for your help,

Aaron

Best Answer

That's quite a unique problem to be solved.

Your old solution sounded like it worked for you, so there's got to be a cheaper way continuing what you were doing.

A free thing would be to replace VMWare Server with VMWare ESXi (Or Hyper-V, see below) and then import your old VMWare Server VMs to get onto a supported platform.

Windows Server Datacenter edition has the advantage of allowing unlimited virtualisation rights if you have licensed the correct number of sockets (or is it cores these days?) for the hosts that the VMs will be running on. Assuming you can fit them all in a single dual-socket host, your Windows licensing costs could be around $6,000 (or whatever it costs in your area of the world).

The only other thing I can think of right now is to connect as many of the VPNs as you can with a router. Something cheap but powerful like a Mikrotik RB2011UiAS-RM supports L2TP, PPTP, IPSec and OVPN connections. You could just connect them server-side and then do routing rules to get the traffic to the correct destinations, and your users can just work off their existing PCs. You would need to NAT into the VPNs as I'm guessing they are server-client VPNs and not site-to-site VPNs that you're being provided with. But this won't help with SSL based VPNs, AnyConnect VPNs, or any other proprietary VPN formats.
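As an added example, not part of the answer above: a RouterOS configuration sketch of the "connect the VPNs on the router, route and NAT into them" layout the answer describes. Client names, hostnames, subnets, the support LAN (192.168.50.0/24) and all credentials are placeholders, and it assumes two L2TP/IPsec client VPNs leading to non-overlapping client subnets.

```routeros
# Added example (not from the original answer): one router terminating several
# client-issued VPN accounts. All names, addresses and secrets are placeholders.

# One client interface per customer VPN, using the credentials the client issued.
# add-default-route=no keeps a tunnel from hijacking the router's default route.
/interface l2tp-client
add name=vpn-clientA connect-to=vpn.clienta.example user=support-acct \
    password=CHANGEME use-ipsec=yes ipsec-secret=CHANGEME \
    add-default-route=no disabled=no
add name=vpn-clientB connect-to=vpn.clientb.example user=support-acct \
    password=CHANGEME use-ipsec=yes ipsec-secret=CHANGEME \
    add-default-route=no disabled=no

# Static routes: each client's server subnet goes out its own tunnel.
# This only works while client subnets do not overlap each other or the office LAN.
/ip route
add dst-address=10.10.0.0/24 gateway=vpn-clientA comment="Client A servers"
add dst-address=10.20.0.0/24 gateway=vpn-clientB comment="Client B servers"

# Source NAT so support PCs appear as the router's tunnel address; the client
# side only ever sees the single VPN account it handed out.
/ip firewall nat
add chain=srcnat out-interface=vpn-clientA action=masquerade
add chain=srcnat out-interface=vpn-clientB action=masquerade

# Least privilege: only the support LAN may enter the tunnels, and a client
# network may never initiate connections back into the office or another client.
/ip firewall filter
add chain=forward src-address=192.168.50.0/24 out-interface=vpn-clientA action=accept
add chain=forward src-address=192.168.50.0/24 out-interface=vpn-clientB action=accept
add chain=forward in-interface=vpn-clientA connection-state=established,related action=accept
add chain=forward in-interface=vpn-clientB connection-state=established,related action=accept
add chain=forward in-interface=vpn-clientA action=drop
add chain=forward in-interface=vpn-clientB action=drop
add chain=forward out-interface=vpn-clientA action=drop
add chain=forward out-interface=vpn-clientB action=drop
```

The drop rules are what keep hundreds of mutually untrusted client networks from reaching each other through the shared router; without them every tunnel becomes a path into every other client.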
