
Way to provide a lot of users access to browser

So I have a web application running on a virtualized server in Skytap (a virtualized cloud platform). I need to use this platform so don't say to use something else please ;).
The web application is running okay and I can provide a port which connects to the HTTP port so people could access it from outside the cloud network.
BUT this application provides SSH access to configure things in the application (it's a learning environment for configuring network equipment). And every SSH connection goes through another port. I can't change the port ranges and can't forward them all. So I need another solution to have users interact with this application.
In the past we had 1 or 2 client machines which we RDP'ed into and from there opened a browser to interact with this application. But now more and more people want to use it and spinning up a complete virtual machine for everyone is kind of costly.
I was thinking of setting up a server instead with RDS so multiple users could log into that. But I'm not sure yet that would be the best solution also.
Does anyone have a good idea for how to tackle this problem?


RDP is really insecure outside the network, or even sometimes internally. I would recommend TightVNC or some type of web browser Remote Desktop Control. Sounds kind of redundant at that point though... xD

   / | / /__  _________/ / /_____ _/ (_) /___  __
  /  |/ / _ \/ ___/ __  / __/ __ `/ / / __/ / / /
 / /|  /  __/ /  / /_/ / /_/ /_/ / / / /_/ /_/ / 
/_/ |_/\___/_/   \__,_/\__/\__,_/_/_/\__/\__, /  
                                        /____/

--------------------------------------------------------------------------------

 

Hi, 「Neͥrdͣtͫality」noice to meet you... :3

 


Just now, Nerdtality said:

RDP is really insecure outside the network, or even sometimes internally. I would recommend TightVNC or some type of web browser Remote Desktop Control. Sounds kind of redundant at that point though... xD

It's a secure RDP (encrypted). It's what the provider of this platform provides to have a good connection with the machines.
That is not the problem ;).


Oh well then yes. I would recommend using Windows Server to power the Virtual Machines and RDP since Windows server integrates RDP with Virtual Machines really well. Even if you only have a single public IP Address.


10 minutes ago, Nerdtality said:

Oh well then yes. I would recommend using Windows Server to power the Virtual Machines and RDP since Windows server integrates RDP with Virtual Machines really well. Even if you only have a single public IP Address.

How do you mean?
The virtual machines are in the cloud platform. I need a good way to have multiple users have a browser. I could do this by providing an RDS server but I'm looking for other options which I might have missed.


19 minutes ago, Levisallanon said:

I can't change the port ranges and can't forward them all.

Why not? Does it use/create dynamic port numbers out of a large range? Does your router not support IP range forwarding? (One single rule for multiple ports in a row)

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 

 


Just now, brwainer said:

Why not? Does it use/create dynamic port numbers out of a large range? Does your router not support IP range forwarding? (One single rule for multiple ports in a row)

The cloud platform (Skytap) provides me with a DNS (just like Azure) with a port. I have to forward every port then.
But this application (Eve-NG) provides the user with the SSH details (when clicking on a node it opens the SSH terminal on the user's computer) and it uses the "internal" port number. I can't use a 1-to-1 translation as the cloud provider has other ranges for me. Also I would have to put all available options (128 ports per user in the program) open. That would cost me money too (every port costs a little bit).


1 minute ago, Nerdtality said:

I think you really don't get what I'm trying to achieve here.
I can't use Hyper-V here. I have the virtual machines in a cloud platform (Skytap). I'm bound to their platform. I know about Hyper-V etc. But unless you are suggesting I'm going for the nested virtualization route I don't think your solution is what I'm looking for.
The RDP gateway/manager is an option, and that's what I'm thinking about, but I'm looking for something more scalable.

Let me explain better (hopefully):
I pay for every processor core and network etc. so I want to use as few resources as possible.
Sometimes I might have only 1 user use it while at other moments I have 20+ users use it.
I have 1 server which is a Linux server which hosts this app which can be accessed by HTTP or HTTPS, and it needs multiple ports which are picked for each user. For every user this app reserves 128 ports which it can use.
So I want to have a client solution on this platform where I can scale it up and down (or turn stuff on or off) depending on how many users I have. So I'm looking for the most lightweight possible way to provide someone with a browser.
I was for example thinking of spinning up Chrome OS VMs to reduce the amount of CPU usage, but it would still require 1 CPU per user. Same goes for using something like Windows 10 IoT Core (with the browser set as starting application).
Having an RDP server would give me fewer cores etc. when I have multiple users, but if I only have 1 user working on it it would be overkill and cost me a lot more than it should. So preferably I'm looking for some kind of RDS cluster solution where I can spin up/start up more VMs (on this platform) if the users are running out of resources because I can't add or remove RAM and cores without shutting the VMs down first.


It seems to me that this application really was not designed to be used in the type of environment in which you are using it. Anyway, I think the best solution would be to set up a VPN server in skytap that is on the same LAN as the application server. Users can connect to the VPN server when they need to use the SSH ports. You can define the VPN (either on client side or server side) such that they don’t use the VPN for their default gateway, just for IPs in the local subnet of the VPN server.


1 hour ago, brwainer said:

It seems to me that this application really was not designed to be used in the type of environment in which you are using it. Anyway, I think the best solution would be to set up a VPN server in skytap that is on the same LAN as the application server. Users can connect to the VPN server when they need to use the SSH ports. You can define the VPN (either on client side or server side) such that they don’t use the VPN for their default gateway, just for IPs in the local subnet of the VPN server.

Nope it's not :P. But the one which is designed for it costs me about 100 dollars a month which for now is a bit too much :P so I'm looking for a workaround with the free version.
I didn't think of the VPN solution yet. Might be a good option indeed. Which server software would you recommend for the VPN?
Requirements:
Be as lightweight as possible (in total with the server software included)
Preferably not requiring the user to install anything (but wouldn't be such a problem).
Free
Secure
Preferably manageable.


13 hours ago, Levisallanon said:

Nope it's not :P. But the one which is designed for it costs me about 100 dollars a month which for now is a bit too much :P so I'm looking for a workaround with the free version.
I didn't think of the VPN solution yet. Might be a good option indeed. Which server software would you recommend for the VPN?
Requirements:
Be as lightweight as possible (in total with the server software included)
Preferably not requiring the user to install anything (but wouldn't be such a problem).
Free
Secure
Preferably manageable.

pfSense is normally a good choice when you need a VPN server (can support multiple types) as well as very specific network setup requirements. It's also very efficient, depending of course on how much and what type of encryption you use in the VPN.

 

Edit: to be clear, my solution is to use a second VM for the VPN server, which would need to have a shared private LAN with the application VM. I believe that overall such a setup is simpler and easier to troubleshoot. 


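The split-tunnel VPN suggested in the thread, sketched as an added example that is not from any poster: an OpenVPN server configuration for the separate VPN VM. OpenVPN is assumed as the VPN type (it is one of the types pfSense supports), and the subnets 192.168.10.0/24 (LAN shared with the application VM) and 10.8.0.0/24 (client pool), as well as all file names, are assumed placeholders.

```conf
# server.conf on the VPN VM (added example; addresses and file names are assumed)
port 1194
proto udp
dev tun
topology subnet

# Address pool handed to VPN clients (assumed; must not overlap the lab LAN).
server 10.8.0.0 255.255.255.0

# Split tunnel, server side: advertise only the private LAN shared with the
# application VM (assumed here to be 192.168.10.0/24).
push "route 192.168.10.0 255.255.255.0"

# Full-tunnel setting, deliberately left disabled. Enabling it would make the
# VPN the default gateway of every client, which the advice above avoids.
;push "redirect-gateway def1"

# One certificate per user, so a single user's access can be revoked.
ca   ca.crt
cert server.crt
key  server.key
dh   none            # ECDH key exchange, needs OpenVPN 2.4 or later
tls-crypt ta.key     # authenticates and encrypts the control channel
crl-verify crl.pem   # revoked user certificates are rejected

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# Split tunnel, client side (alternative; these two lines belong in the
# client profile, not in this file): ignore pushed routes and add only the
# lab subnet locally.
;route-nopull
;route 192.168.10.0 255.255.255.0
```

With this layout only the single VPN port has to be published through the cloud platform instead of the per-user port ranges. The VPN VM needs IP forwarding enabled, and the application VM needs a route back to the client pool via the VPN VM (or the VPN VM must NAT client traffic).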