What's the best way to grant access to server data?




oneofthesedaves
Jun 26, 2011, 09:14 PM
I have a MacMini Server that I am about halfway set up for my small business. All we are going to use it for is to make electronic records accessible to about 5 or so employees. We want to be able to access it from laptops, iPads, and smart phones both inside and away from the office. I understand that I need to set up a VPN. My question is: how do my employees access the VPN? Do they enter an IP address in their browser and log in? I was also thinking of having a hidden web page on our company web site such as www.website.com/server so that it is easy to access and the employees will just see a username and password field. Am I headed in the right direction? Any suggestions?



jtara
Jun 27, 2011, 11:22 AM
My question is: how do my employees access the VPN? Do they enter an IP address in their browser and log in? I was also thinking of having a hidden web page on our company web site such as www.website.com/server so that it is easy to access and the employees will just see a username and password field. Am I headed in the right direction? Any suggestions?

VPNs work at the networking layer. A VPN connects two networks through an encrypted "tunnel". The two networks work as if they were directly connected through a router.

There's no connection between VPNs and websites. They aren't accessed by logging-in to a website. Typically, there is some set-up page within your networking setup, or within a third-party driver that you install. On the setup page you specify the endpoint, password, etc.

How your employees actually access the VPN after they have connected is up to you. They can interact in the same ways that they might were they on-site. They can access internal websites, access file shares, etc.

Access to the Internet can be done through the VPN or directly through the user's Internet connection, though, by default, it's usually done through the VPN. That is, ALL Internet traffic from the user is encrypted and sent over the tunnel. It exits to the Internet through your company's router. This can be changed, though, so that users access the Internet directly. This would be less secure, though, when, say, working from a public WiFi location.

It sounds like you may not actually need a VPN. If you have a specific web application that you need employees to access remotely, it may be sufficient to simply set up a public website secured with SSL and logins.

If you need to access other networking resources within your company, then perhaps you need a VPN.

oneofthesedaves
Jun 27, 2011, 10:27 PM
VPNs work at the networking layer. A VPN connects two networks through an encrypted "tunnel". The two networks work as if they were directly connected through a router.

There's no connection between VPNs and websites. They aren't accessed by logging-in to a website. Typically, there is some set-up page within your networking setup, or within a third-party driver that you install. On the setup page you specify the endpoint, password, etc.

How your employees actually access the VPN after they have connected is up to you. They can interact in the same ways that they might were they on-site. They can access internal websites, access file shares, etc.

Access to the Internet can be done through the VPN or directly through the user's Internet connection, though, by default, it's usually done through the VPN. That is, ALL Internet traffic from the user is encrypted and sent over the tunnel. It exits to the Internet through your company's router. This can be changed, though, so that users access the Internet directly. This would be less secure, though, when, say, working from a public WiFi location.

It sounds like you may not actually need a VPN. If you have a specific web application that you need employees to access remotely, it may be sufficient to simply set up a public website secured with SSL and logins.

If you need to access other networking resources within your company, then perhaps you need a VPN.

Thanks for taking the time to reply. I think that you are correct. Do you have any suggestions as to how to set up SSL and logins so that they can access certain files on my Mac Mini Server? Or do you have any suggestions as to a good place to learn about this?

jtara
Jun 28, 2011, 01:58 PM
Thanks for taking the time to reply. I think that you are correct. Do you have any suggestions as to how to set up SSL and logins so that they can access certain files on my Mac Mini Server? Or do you have any suggestions as to a good place to learn about this?

Well, I wasn't actually suggesting that you use SSL and logins to have your users access files stored on your server. You mentioned making "electronic records" available, and I assumed that meant that you had some internal web application for that.

I think it would make sense to back off and look at the bigger picture. What IS the best way to deliver this information to your users' desktops (or laptops)? Take the remote aspect out of the equation. Say they are just sitting at their desk in the office. What would be most convenient for them?

And how do they do this now? (If they do?)

How are these records stored? In what form? How are they presented? How often do they change, and/or how often are new ones added, and in what quantity?

It sounds to me like some kind of web application might make sense. Perhaps these documents are in or belong in some kind of database.

Or perhaps nothing more than a simple static web page with links to documents that can be downloaded. This can be as simple as using a text editor (or an HTML editor) to create a web page and putting the documents in a directory accessible to a web server. (And, of course, setting-up a web server.)

MOST companies of any size today have at least one internal web server with typically a mix of static pages, off-the-shelf, and custom applications. It's today's equivalent of the "company handbook" (even though companies still have those. But, of course a copy is to be found on the website.) You'll find the company phone directory, hierarchy chart, policies, benefit information, some way to order office supplies, various forms and/or applications for various types of reporting, internal company newsletter(s), etc. etc. etc.

Anyway, once you have a web server up internally with your information (whether it is the company phone directory, or these electronic documents you are referring to) you need to set up passworded access, get an SSL certificate, force users to log-in and use only an encrypted connection, and put the site "on the Internet" by either poking a hole in your firewall to allow outside access. If your use will be PRIMARILY outside of your office, you might want to consider hosting in a datacenter, rather than in your own office. It can be much cheaper, faster, and easier than maintaining your own server in your office.

In any case, I don't see anything yet that calls for a VPN. If you said, for example, "our users need to connect to our mail server, they need to access web applications on 4 different internal servers, and they need to be able to access file shares in Finder," then I'd say, yes, a VPN is a good solution. A VPN will make things seem for your remote users as if they are sitting at their desktop computer. (Although perhaps at significantly reduced access speeds.) But first you need to step back and decide just how you want your users to access the data in the first place. Securing the access using either a VPN or a secure web site is a technicality that can be addressed once you've decided that. Otherwise, the VPN question is just a tail wagging a dog.

oneofthesedaves
Jun 29, 2011, 04:30 PM
That was a very thought provoking response. Thank you very much for that.
Here is the situation:
The business is a 120 acre perpetual care cemetery. We have about 7,000 property owners. Each property owner has a physical paper file with copies of their contracts and headstone orders/designs etc. We recently had every document in the building scanned. Every physical file now has a multi-page PDF consisting of all of the pages in the physical file. There is one administrative assistant who is responsible for creating a new PDF when we make a new physical file and also for updating existing files when a new purchase is made by an existing property owner. That person has all of the PDFs in a folder in the finder on an iMac.

We use a backup/syncing service called SugarSync to automatically backup all of the files on the iMac. SugarSync also syncs all of the files from the iMac to the Finder of the Mac Mini server. SugarSync is extremely fast. Any changes made on the iMac appear within seconds on the Mac Mini.

There are only a handful of employees (4 or 5) who would need to access this data. The only things that they would need to do are read the PDFs and occasionally print one. The administrative assistant is the only person we want to be able to write to the files. Everyone else needs to be read only. Our email is already taken care of through Google apps and we have a web site that I built and am responsible for maintaining (typical small business site with About, Contact Info, Etc.) that is not hosted using our server. The hosting is done through a 3rd party.

We need the information to be instantly up to date when changes are made, so doing a periodic upload of new data is out of the question. We are in a mixed PC and Mac environment. If we only needed data to be available to company computers connected directly to the network in the office, the easiest solution would be to just set up file sharing via AFP and SMB. However, this will not meet our needs as we need our employees to be able to look up files at a moment's notice from any device that they have nearest at all hours of the day and night. For example, if we get a call that someone has died on a Friday evening after everybody has left the office, the employee on call would need to be able to pull the property owner's file from his home either on his own computer or on his smart phone. He would then call the head grounds keeper who would need to be able to look at the property owner's record on his home PC or smart phone. When the caretaker goes to dig the grave, we want him to be able to see the records from either a smart phone or an iPad. None of these devices are owned or maintained by the company. So, basically we need them to be instantly accessible on any device by simply using a username and password. Based on what I learned from your previous post, it sounds like a VPN is definitely not what we need. What would you suggest?

jtara
Jun 29, 2011, 06:19 PM
This is easy.

Install a web server on the Mac Mini. Get a commercial SSL certificate (so your users won't freak-out when they get "warning" messages) and install it into the web server. Set up user IDs on the web server for your 5 users. Restrict the entire website to registered users, and require SSL.

Set up a little top-level web page, nothing fancy. You might want to include some other stuff here, like a phone list, etc. I'm just saying, have a top-level page so you leave yourself room to add other stuff later.

Put your documents in a subdirectory under the main directory where your web server content is kept. Provide a link to that directory (say, "Customer Documents"). You can organize files under this directory further if you like, say by alphabet.

Web servers will automatically generate an index for any directory that doesn't contain an index.html file. So, when your users access the directory with the PDF files, they will see a list of file names to choose from. Presumably, you are already using sensible file names that include the name of the client, some ID number, etc.

You'll change the SugarSync setup to sync into the directory within the web server content directory.

You'll have to set up your router to do "port forwarding" from port 80 and 443 of your Internet connection to ports 80 and 443 of your Mac Mini. If you don't have a static IP address, you should arrange with your ISP to get one.

If you find you need better performance, then better to do this on a commercial web host or VPS (virtual private server) since you will have mega bandwidth available in a data center vs. whatever your Internet connection is. But based on the nature of the business, probably not an issue.

So, you will have to learn basic web server setup and how to set up your router. Get this working in-house first, make sure you got the security right (unauthenticated users can't get access) then set up the Internet access and optionally set up DNS for the site so your users can access it by name rather than IP address.

There are "scripts" you can install for nicer indexing of the files, perhaps even to be able to sort them different ways, etc. But that's icing on the cake. Any web server can very simply and easily serve-up directories of any kind of data files without any added software.
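
One way to run the in-house check from the post above (unauthenticated users can't get access), as an added example that is not part of the original thread: it requests the top page, the document directory and one PDF by direct URL, first without and then with a login, and reports any path that answers without credentials. The account, the paths and the local stand-in server are constructed for the demonstration; the stand-in speaks plain HTTP on loopback only, so in practice `audit` is pointed at the site's real `https://` address.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN = ("oncall", "example-password")                      # constructed test account
PATHS = ["/", "/documents/", "/documents/smith-1042.pdf"]   # constructed names
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_handler(protect_everything):
    """Stand-in site; False = only the top page asks for a login (the mistake)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            needs_login = protect_everything or self.path == "/"
            denied = needs_login and self.headers.get("Authorization") != basic(*LOGIN)
            self.send_response(401 if denied else 200)
            if denied:
                self.send_header("WWW-Authenticate", 'Basic realm="records"')
            self.end_headers()
            self.wfile.write(b"" if denied else b"ok")
        def log_message(self, *args): pass   # keep the demo quiet
    return Handler

def status(url, login=None):
    headers = {"Authorization": basic(*login)} if login else {}
    try:
        with OPENER.open(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as error:
        return error.code

def audit(base_url, paths=PATHS, login=LOGIN):
    """List every path readable without a login, or refusing a valid one."""
    findings = []
    for path in paths:
        if status(base_url + path) != 401:
            findings.append((path, "readable without login"))
        if status(base_url + path, login) != 200:
            findings.append((path, "valid login refused"))
    return findings

def audit_stand_in(protect_everything):
    server = HTTPServer(("127.0.0.1", 0), make_handler(protect_everything))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()
```

An empty result from `audit` means every listed path demanded a login; the stand-in with `protect_everything=False` shows what a finding looks like when only the top page is protected.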

oneofthesedaves
Jun 30, 2011, 01:59 PM
Thanks a million for your time and suggestions. I'm going to try to implement this. I'll let you know how it goes.