SSL VPN Question



Brother Mike
01-10-2007, 10:25 PM
I know that there are many smarter members on MM.net than I and I am looking for some advice:

I need to upgrade my company's network: I want 10 users to have the ability to utilize my office applications & data remotely. Because they sometimes work on client site and can NOT hook their laptops into the client network I want to use a web based type access. I have been told what I need is to set up SSL VPN access. Ultimately, what I want them to be able to do is to use a hotel computer kiosk and edit an MS Office app such as Word/Excel/PowerPoint regardless of whether the computer they are using has those apps installed. Hope this makes sense so far.

Have spoken with some consultants and been told that I can do this with Terminal Services or virtual desktops. Some say I need an appliance (WatchDog/Netgear) and other guys have said that the 128 bit encryption will be good enough. Thoughts on this?? I do not have a huge budget (i.e. Cisco) and do not want to buy more than I need but do want security and easy maintainability. Currently have Windows 2003 SBS. Any comments most appreciated.

Breadfan
01-11-2007, 07:25 AM
There are appliances you can buy for small offices that are cheaper than high dollar solutions. I don't have a hardware recommendation right off hand, but there are some broadband routers that allow VPN passthroughs.

Another solution would be to create an SSH-tunnel based VPN: you can route port traffic through a tunnel using PuTTY. (Google: PuTTY) It's a bit more complex and you'll need an SSH server on the Windows side. You can use Cygwin (a Windows-based Linux emulator) that comes with a free SSH server on the Windows box. It's a tad complex to set up because the best way to do it is to set up the Cygwin SSH server component to run as a service in Windows. Just a simple command to do that really, though you may need to launch a batch file to have it start up with the right options. If you're so technically inclined, there should be guides online that can help you, or just start by checking out PuTTY and its tunneling options as well as Cygwin (which is cool in itself).

That way you could route your terminal services traffic over port 22 (SSH) - or another port for that matter. It would encrypt all the traffic within that SSH tunnel. So long as you aren't using it to access classified data it shouldn't be an issue. It's obviously not as secure as sitting at the desktop in the office, but SSH will provide a fair bit of security.

My guess is that many of the appliances use similar technology and are easier to setup. So you may want to check some of those out, or talk to your consultant about what they recommend - especially if they will be supporting you on it.

Doing the custom SSH tunnel using the apps I described is do-able but if you can't support it yourself your consultant may not. (It's a bit more complex and I don't know how many consultant firms know and support a Linux emulator on Windows anyway.)

Also, you will be limited by your terminal services licenses. Last I checked, Windoze allowed 2 concurrent connections - so two people at a time. This should be sufficient for you, but if you need more, you'll need to add more terminal services licenses above the base level.

Also make sure you add in an inactivity time-out; oftentimes users disconnect from their session rather than log out, and with only 2 concurrent connections, if someone does that it can prevent others from logging in until the user is logged off through the admin console. (There are ways to configure it to help prevent this.)

I'm sorry that I'm not up on the SOHO solutions for VPN. I do know they're out there and you should be able to get a decent appliance for not much cash. A basic to more-robust system would probably end up being $100-$500 in hardware - but that's just a guess.

A good place to browse might be Newegg (http://www.newegg.com) - search "Network VPN" and browse through the results to get an idea of some of the SOHO solutions out there.
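A sketch of the RDP-over-SSH tunnel described above, as an added example that is not part of the original post: the OpenSSH command-line equivalent of the PuTTY tunnel, beside an sshd Match block that keeps the tunnel account usable only for the Terminal Services port. The hostname `office.example.com`, the account `rdptunnel` and the config fragments are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: RDP over an SSH tunnel, the OpenSSH
# command-line equivalent of the PuTTY tunnel described above. Assumes the
# office box runs an SSH server (e.g. Cygwin sshd) on port 22 and Terminal
# Services on 3389. Host and account names are placeholders.

OFFICE_HOST="office.example.com"
TUNNEL_USER="rdptunnel"

# Client side. -N opens no remote shell; -L forwards local port 3389 through
# the tunnel to the Terminal Services port on the office box. The Remote
# Desktop client then connects to 127.0.0.1:3389 and the RDP traffic crosses
# the Internet only inside the encrypted tunnel.
rdp_tunnel_cmd() {
    printf 'ssh -N -L 3389:127.0.0.1:3389 -p 22 %s@%s\n' \
        "$TUNNEL_USER" "$OFFICE_HOST"
}

# Server side, the loose default: the account can forward to any host and
# port reachable from the office box, so one stolen password exposes the
# whole LAN, not just the RDP service.
sshd_block_loose() {
    cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding yes
EOF
}

# Server side, restricted: the tunnel account may only forward to the RDP
# port, gets no shell, TTY, X11 or agent forwarding, and idle tunnels are
# dropped after 10 minutes (the inactivity time-out applied on the SSH side).
sshd_block_restricted() {
    cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3389
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
    ClientAliveInterval 60
    ClientAliveCountMax 10
EOF
}

# Reads an sshd_config fragment on stdin; succeeds only if forwarding is
# confined to the RDP port.
forwarding_confined() {
    grep -q '^[[:space:]]*PermitOpen 127\.0\.0\.1:3389[[:space:]]*$'
}
```

Append the restricted block to the office box's sshd_config and restart the sshd service; the client then points Remote Desktop at 127.0.0.1 while the tunnel is up.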

jawz101
01-11-2007, 07:31 AM
Unfortunately, all I have experience w/ is probably too much $
(Checkpoint SSL Network Extender and Citrix Metaframe). I would think Terminal Services would be sufficient though. Microsoft released a new Remote Desktop Client recently for Windows XP that looks like they are adding new features to publish individual apps as well as the typical remote session.

Or just check w/ these, or similar, vendors for small business solutions
Citrix Small Business (http://www.citrix.com/English/ps2/segments/s/scale.asp?contentID=21040)
Checkpoint (http://www.checkpoint.com/products/endpoint.html)

Breadfan
01-11-2007, 07:42 AM
Because they sometimes work on client site and can NOT hook their laptops into the client network I want to use a web based type access.

I just caught this statement too...

You'll need an appliance most likely, and one that can support a web-front end for the VPN config setup, so basically one that can transfer web traffic and open a portal for terminal services. I'm not sure what is out there like that for SOHO apps.

As mentioned above, Citrix is one way to do it, but that's more of a high-dollar app.

My fun MacGyver setup would require PuTTY on the client end...so no go for kiosk systems.

You should just get broadband air-cards. :) I wouldn't access my apps over a kiosk machine anyway, a client system maybe but not a hotel kiosk.

Sounds like your problem then is looking for an appliance that does VPN and can open a terminal services window without third party software needed on the client machine connecting. Right off hand again, I don't have a hardware solution for you and it may be tough to find on the cheaper SOHO end. I'll take a look later when I have more time though.

jawz101
01-11-2007, 07:52 AM
I'd also think something like OpenOffice for an Office application and a web-based file server solution for hosting: HFS file server (http://www.rejetto.com/hfs/) + OpenSSH (http://www.openssh.com/windows.html) for security, or Microsoft SharePoint to host files they need to work on.