Sign in Subscribe

Remote Access Methods Explained: VPNs, SSH, RDP, ZTNA, and Their Security Implications for CompTIA Network+

Remote Access Methods Explained: VPNs, SSH, RDP, ZTNA, and Their Security Implications for CompTIA Network+

Introduction

Remote access is now a core network design topic, not a side feature. For Network+ candidates, the goal is not just to identify acronyms but to compare methods by scope, security, usability, and operational fit. Honestly, the best answer is usually the one that gives people just enough access to do the job, wrapped in the strongest controls you can realistically enforce.

So anyway, it really comes down to tradeoffs. Do you want broad network-level access or just app-level access? A client-based setup or something clientless? Convenience or better auditability? Speed or more inspection and control? A secure tunnel is helpful, but it does not automatically mean least privilege, good visibility, or safe endpoint trust.

Understanding Remote Access Categories

I organize remote access into five practical categories:

  • Remote user access for employees reaching internal apps, file shares, email, or line-of-business systems.
  • Remote administrative access for IT staff managing servers, network devices, and security appliances.
  • Site-to-site connectivity for linking branch offices, partner networks, or cloud environments.
  • Application-specific access for publishing one app or service instead of the whole network.
  • Client-based versus clientless access depending on whether software is installed or the session is brokered through a browser or portal.

That framework matters because exam questions often hinge on access scope. If a user needs one internal web app, full VPN may be excessive. If a branch needs always-on connectivity between subnets, application publishing is the wrong tool.

Core Remote Access Methods

IPsec VPN secures IP traffic at Layer 3 and is common for site-to-site tunnels and full client VPN access. IPsec and SSL/TLS can both be highly secure when configured properly; the difference is mainly operating layer, deployment model, and access style. In IPsec, IKE handles key exchange and tunnel negotiation, while ESP usually provides confidentiality, integrity, and authentication for the data plane. AH exists for integrity and authentication without encryption, but it is less common and does not work well through NAT. For the exam, the big ones to keep straight are UDP 500 for IKE, UDP 4500 for NAT-T, ESP as IP protocol 50, and AH as IP protocol 51 — those numbers show up a lot more than people expect. Those numbers come up a lot more than you'd expect. Those little details show up more often than people expect.

Here’s the practical difference: transport mode protects just the payload of an IP packet and shows up more in host-to-host scenarios, while tunnel mode wraps the whole original packet and is what you usually see in VPNs. Site-to-site designs also depend on things like traffic selectors or encryption domains, peer authentication with pre-shared keys or certificates, security association lifetimes, and, quite often, Perfect Forward Secrecy. NAT traversal matters because a lot of internet paths still involve NAT, and NAT-T helps by wrapping IPsec traffic in UDP 4500 so it has a much better shot at getting through those devices.

SSL/TLS VPN is commonly used for remote users because it works well over TCP 443 and often traverses restrictive firewalls more easily. Implementations vary: some offer portal mode for browser-based access to selected web apps, while others provide a lightweight agent for broader network access. This is why SSL/TLS VPN is flexible but also easy to mis-scope. It can be narrow and app-specific, or it can become a broad remote network extension if policy is loose. Certificate trust is critical here because the gateway typically presents a server certificate that clients must validate.

Client-to-site VPN connects one endpoint into the private environment. It is a good fit when a user needs multiple internal resources. In practice, deployment includes client software, route injection, DNS settings, and often posture checks. Some organizations permit unmanaged devices, but that is a policy exception, not a security goal. Modern designs usually split access by trust level, so a managed device might get full access, an unmanaged device might only get clientless or app-only access, and a noncompliant device just gets blocked.

Site-to-site VPN connects networks rather than individual users. A simple example would be an HQ subnet like 10.10.0.0/16 linked to a branch subnet like 10.20.0.0/16 over an IPsec tunnel. The “interesting traffic” should be only the approved subnets, not everything. In a simple environment, static routes are often enough, but if the network needs more flexibility, dynamic routing over the tunnel can make life a lot easier. Plain IPsec is fine for many static designs, but GRE over IPsec is useful when you need multicast, non-IP payload support, or dynamic routing protocols such as OSPF more flexibly. GRE adds tunneling but no encryption, and GRE is IP protocol 47, not TCP or UDP port 47.

L2TP/IPsec is another exam favorite. The key point is simple: L2TP is tunneling, not encryption. L2TP usually rides on UDP 1701, and when you pair it with IPsec, now you’ve got to think about UDP 500, UDP 4500, and ESP too. It works, but it adds overhead and can be less elegant through NAT or strict firewalls than newer options.

IKEv2/IPsec is a strong modern option for mobile users. One reason is MOBIKE, which helps the tunnel survive network changes such as moving from Wi-Fi to cellular. It commonly uses UDP 500 and UDP 4500 with ESP and supports certificate-based authentication or EAP-based user authentication depending on platform and design.

SSTP, or Secure Socket Tunneling Protocol, is primarily associated with Microsoft environments and tunnels over HTTPS/TLS on TCP 443. Its main advantage is firewall traversal in restrictive environments. The downside is mostly ecosystem fit, since it’s not as common in mixed-vendor enterprise environments as IPsec or broader SSL VPN options.

PPTP is obsolete and insecure. It uses TCP 1723 plus GRE and should be recognized as a legacy distractor on the exam, not a modern recommendation.

Secure Remote Administration

SSH is the secure replacement for Telnet. SSH runs on TCP 22, while Telnet uses TCP 23 and sends everything in plaintext, which is exactly why Telnet just doesn’t hold up anymore. That’s why Telnet really doesn’t have much of a place in a modern network unless you’re talking about a legacy example or an exam distractor. If I need secure command-line administration, SSH is usually the first thing I'd reach for without even thinking twice. And hardening matters a lot. I’d use key-based authentication when you can, turn off password logins where appropriate, lock down source IPs, disable direct root or built-in admin logins, and keep SSH behind a VPN or a bastion host. Host key verification also matters so administrators do not ignore trust warnings and connect to the wrong system.

RDP provides GUI access to Windows systems and commonly uses TCP and UDP 3389. It really shouldn’t be exposed directly to the internet. Better design looks like this: User -> MFA -> VPN or RD Gateway -> jump server -> target host. RD Gateway encapsulates RDP inside HTTPS/TLS, reducing direct exposure of port 3389. Network Level Authentication is an important hardening control, but it is not enough by itself without MFA, segmentation, and gateway protection. Also watch clipboard, drive, printer, and file redirection because those features can create data leakage paths.

VNC is another remote desktop method, but traditional VNC deployments often lack strong native security controls. Unless you have a verified enterprise-secured implementation with strong encryption and authentication, assume it should be tunneled through SSH or protected by a VPN.

Bastion hosts or jump boxes are one of the best admin patterns. Instead of exposing every internal device, you harden one controlled entry point. Good bastion design includes MFA, centralized AAA, session timeout, session recording for privileged workflows, no general web browsing, restricted admin tools, and logging into a SIEM. In higher-control environments, this overlaps with PAM and credential vaulting.

Out-of-band management uses a separate management path such as console servers, iDRAC, iLO, or LTE-backed management links. That’s really useful during outages because even if production routing is down, you may still be able to reach the device.

Web-Based and Modern Access Models

HTTPS portals, reverse proxies, and clientless SSL VPN are all ways to publish selected internal resources without handing out full network access. A reverse proxy can terminate TLS, hook into authentication, enforce header controls, and sit behind a WAF, but it definitely won’t magically turn an insecure backend application into a safe one. Clientless access is usually browser-based, though the exact feature set can vary a lot. Depending on the platform, it might include proxied internal web apps, bookmarks, limited file access, or web rewriting.

RemoteApp publishes a single application window instead of a full desktop. VDI publishes a full hosted desktop. RemoteApp can reduce complexity for app-specific use cases, but performance still depends on latency and app behavior. VDI keeps data and compute centralized, which is great when you don’t fully trust the endpoint, but it does chew through more resources. Also, VDI is not exactly the same as DaaS; DaaS is the cloud-delivered service model for hosted desktops.

ZTNA grants access to specific applications based on identity and, depending on the platform, device posture, location, and policy context. A traditional VPN tends to drop a user into the network, while ZTNA usually keeps them down to the one app they actually need. That’s a pretty big difference. Architecturally, a lot of ZTNA platforms use a connector near the private app, an identity provider for authentication, and a cloud or policy broker to decide whether access is allowed. Some use agents, some are browser-based, and some support both approaches.

SASE is broader than ZTNA. Think of it as a cloud-delivered security and access architecture that can combine ZTNA, secure web gateway, CASB, firewall-as-a-service, and policy enforcement close to users and branches. It is not just “cloud VPN.”

AAA, Identity, and Certificate Dependencies

Remote access security depends on AAA: authentication, authorization, and accounting. Accounting is more than generic logging; it includes session start and stop, source IP, duration, policy decisions, and in some admin workflows even command logging.

RADIUS commonly supports network access use cases such as VPN and wireless. It usually uses UDP 1812 and UDP 1813, and while it does handle authentication securely enough for its role, it doesn’t encrypt the entire payload the way people sometimes assume. TACACS+ commonly supports device administration, uses TCP 49, encrypts the full payload, and separates AAA functions more cleanly. That’s why TACACS+ often fits administrative access better, while RADIUS tends to show up more often in user access scenarios.

LDAP and Active Directory provide identity stores and group membership for authorization. LDAPS typically uses TCP 636; LDAP commonly uses TCP 389. A practical example is mapping an AD group like VPN-Finance to access only finance applications, while VPN-Network-Admins is routed only to a management VLAN through a bastion.

MFA, SSO, and certificate-based authentication are major controls. Certificates may represent a server, a user, or a machine. VPNs often use server certificates on the gateway and machine or user certificates on clients. Trust failures commonly come from expiration, wrong SAN values, missing intermediate CAs, or failed revocation checks through CRL or OCSP. 802.1X is port-based access control for authentication before full network access is granted; posture assessment usually comes from NAC or endpoint platforms layered on top, not from 802.1X alone.

A few port, NAT, and firewall details are worth keeping straight

These identifiers are absolutely worth memorizing for the exam:

  • SSH TCP 22
  • Telnet TCP 23
  • HTTPS / SSL VPN / RD Gateway / SSTP TCP 443
  • RDP TCP and UDP 3389
  • IKE UDP 500
  • IPsec NAT-T UDP 4500
  • L2TP UDP 1701
  • PPTP TCP 1723 plus GRE protocol 47
  • ESP IP protocol 50
  • AH IP protocol 51

Why does that matter? Because restrictive networks often allow TCP 443 but block or mishandle UDP 500, UDP 4500, or ESP. That’s one reason SSL/TLS VPN or SSTP may work on hotel Wi-Fi when IPsec runs into trouble. NAT-T exists specifically to help IPsec get through NAT devices more reliably.

A few security implications and troubleshooting points are worth calling out

The major risks group cleanly into four buckets. Identity threats include credential theft, brute force, token theft, and weak MFA. Endpoint threats include malware, missing EDR, lack of disk encryption, poor patching, or rooted and jailbroken devices. Network-path threats include man-in-the-middle risk from bad certificate validation and DNS leakage in split-tunnel designs. Misconfiguration risks include overbroad access, bad routing, exposed admin interfaces, and weak logging.

Full tunnel sends all traffic through the VPN, improving centralized inspection and web filtering but increasing backhaul and gateway load. Split tunnel sends only corporate traffic through the VPN. That can improve performance, but it can also reduce centralized inspection, cause DNS leakage, and create pivot risk because the endpoint is tied into trusted internal resources and the public internet at the same time.

A practical troubleshooting flow is usually pretty straightforward, at least in theory, and I’ve found it helps to think about it in layers:

  • Tunnel will not establish: check internet reachability, UDP 500, UDP 4500, or TCP 443 availability, certificate or PSK mismatch, expired certificates, NAT-T, and gateway logs.
  • User authenticates but has no access: check group-to-role mapping, RADIUS, TACACS+, or identity provider policy, conditional access, and posture results.
  • VPN connects but apps fail: check DNS, internal routes, split-tunnel policy, ACLs, and firewall rules.
  • Certificate warning appears: verify SAN, expiration, intermediate CA distribution, and CRL or OCSP reachability.
  • Performance is poor: check latency, MTU and fragmentation, MSS clamping, gateway load, and whether full-tunnel backhaul is hairpinning traffic unnecessarily.

For visibility, log VPN authentication success and failure, source IP and geolocation, concurrent sessions, admin session records, tunnel errors, and correlations with identity provider and endpoint telemetry in the SIEM.

Compare and Contrast: Quick Exam Matrix

Method Best use Scope Key identifier Main risk Best control
IPsec VPN Site-to-site, full remote access Network-level UDP 500/4500, ESP Overbroad access, NAT issues MFA, segmentation, certificates, logging
SSL/TLS VPN Remote users, portal access App-specific or broad, depending on design TCP 443 Portal abuse, loose authorization MFA, strict app publishing, certificate validation
SSH Secure CLI administration Host or device specific TCP 22 Brute force, exposed admin plane Keys, source restrictions, bastion, MFA
RDP Windows GUI administration Desktop session TCP/UDP 3389 High-value target if exposed RD Gateway or VPN, NLA, MFA
VNC Legacy or cross-platform desktop access Desktop session Implementation-specific Weak native security in many deployments VPN or SSH tunnel
ZTNA Private app access App-level Broker, agent, or browser based Policy or identity compromise MFA, posture, least privilege
PPTP Legacy only Network-level TCP 1723 + GRE Obsolete and insecure Replace it
GRE Tunneling and routing flexibility Depends on design IP protocol 47 No encryption Pair with IPsec

Scenario-Based Exam Guidance

One internal web app for a contractor? Prefer reverse proxy, clientless portal, or ZTNA over a full VPN.

Employee needs file shares, email, and multiple internal apps? Client VPN is reasonable, ideally with MFA, posture checks, and least-privilege routing.

Branch office to headquarters? Site-to-site IPsec, possibly with GRE over IPsec if dynamic routing or multicast support is needed.

Network engineer needs CLI access to routers? SSH through a bastion host, not direct internet exposure.

Windows admin needs GUI access to servers? RDP through RD Gateway or VPN, with NLA and MFA.

Hotel Wi-Fi blocks IPsec client? SSL/TLS VPN or SSTP over TCP 443 may still work because many restrictive networks allow HTTPS.

Best Practices and Common Exam Traps

  • Tunnel does not mean encrypted. GRE and L2TP alone prove that.
  • Encrypted does not mean safe to expose publicly. RDP and SSH still need protection.
  • Prefer least privilege. If one app is enough, do not hand out full network access.
  • Use MFA and centralized AAA.
  • Know the legacy distractors. PPTP and Telnet are bad answers in secure modern scenarios.
  • Remember protocol identifiers. GRE is protocol 47, not port 47. ESP is protocol 50. AH is protocol 51.
  • Know the RADIUS vs TACACS+ distinction.
  • Know split-tunnel risk. Better performance, weaker centralized visibility.

Conclusion

When you compare remote access methods correctly, the answer is always context-dependent. IPsec, SSL/TLS VPN, SSH, RDP, VDI, ZTNA, and site-to-site tunnels all have valid use cases. The right choice depends on access scope, endpoint trust, firewall traversal, audit requirements, and operational complexity.

For the exam, keep the logic simple: choose modern secure protocols, avoid direct exposure of management services, match the method to the access need, and prefer app-specific or least-privilege access whenever possible. If you can explain not just what a method is, but why it fits a scenario and what risks it introduces, you are thinking like a network professional.