The goal: Allow contractors VPN access to our company network while minimizing risk and maximizing ease and convenience.
Question: We are using Cisco ASA 5540s with SSL VPN clients for employees and contractors. We check to see if the machine is an asset and then allow it to connect to the VPN after the user is authenticated. If they're a contractor, we're imposing an Access Control List (ACL) on them and enabling split tunneling.
We'd like to limit this even further, since right now we have to support our VPN client on THEIR computer, which is a bit sticky, and also we don't trust their computer - with antivirus etc.
What we're thinking about is to allow them to use WEBVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "PC farm" in a DMZ running on VMware or Windows Terminal Server. Then, they'd be using one of OUR assets - for which we can maintain appropriate patches, antivirus, etc. Then, we can build firewall rules allowing their RDP session in through the firewall.
Is this how you do it? Or would do it? Or do you have a better idea?
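The ASA side of the design described in the question, written out as an added example (this is not configuration from the original post or from Cisco's documentation). It assumes ASA 8.4+ syntax, the AnyConnect SSL client as the transport for the contractor tunnel group, and placeholder names and addresses: a contractor address pool of 10.99.0.0/24 and a DMZ jump-host subnet of 172.16.50.0/24. The point it shows is that the contractor group policy tunnels everything (no split tunnel, so the untrusted laptop cannot bridge its LAN into yours) and that the vpn-filter permits only RDP to the jump hosts, so the contractor's own machine never reaches anything else on the inside. The clientless-portal variant of the same design would use a webtype ACL under the group policy's webvpn attributes instead of vpn-filter; that is not shown here.

```cisco
! Added example, not from the original post. Names, addresses and
! the ASA 8.4+ syntax are assumptions; adjust to your own addressing.
!
! Contractor address pool (placeholder range).
ip local pool CONTRACTOR-POOL 10.99.0.10-10.99.0.100 mask 255.255.255.0
!
! The DMZ "PC farm" / terminal-server jump hosts (placeholder subnet).
object-group network DMZ-JUMP-HOSTS
 network-object 172.16.50.0 255.255.255.0
!
! vpn-filter ACL. The ASA evaluates a vpn-filter with the local side as
! the source (here the jump host and its service port) and the VPN client
! as the destination. Only TCP/3389 to the jump hosts is permitted; the
! implicit deny at the end drops everything else from the contractor's
! machine. With the default "sysopt connection permit-vpn", tunnelled
! traffic bypasses interface ACLs, so this filter is the control that counts.
access-list CONTRACTOR-VPN-FILTER extended permit tcp object-group DMZ-JUMP-HOSTS eq 3389 10.99.0.0 255.255.255.0
!
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value CONTRACTOR-VPN-FILTER
 address-pools value CONTRACTOR-POOL
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
!
! Dedicated tunnel group so contractors land on the restricted policy
! regardless of which policy employees use.
tunnel-group CONTRACTOR-TG type remote-access
tunnel-group CONTRACTOR-TG general-attributes
 address-pool CONTRACTOR-POOL
 default-group-policy CONTRACTOR-GP
tunnel-group CONTRACTOR-TG webvpn-attributes
 group-alias contractors enable
```

After applying this, `show vpn-sessiondb anyconnect` for a connected contractor should list CONTRACTOR-GP as the group policy and CONTRACTOR-VPN-FILTER as the filter; a quick functional check is an RDP connection from the contractor session to a jump host (succeeds) and any other connection to an inside address (fails). Interface ACLs between the DMZ and the inside network then only need to allow what the jump hosts themselves require, which is the firewall rule the question describes.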