In one place where I worked, VPN was enabled as follows:
- VPN client on the desktop
- second factor authentication via cell phone app
Two end-user scenarios:
1. Work laptop. Connect to the VPN, authenticate and start working as if in the office.
2. Home PC. Connect to the VPN, authenticate and then RD to your work machine.
That worked okay, but users who did not have a laptop had to leave their desktops on all the time with power-saving mode disabled.
To try to make life easier, I set up the following environment as a proof of concept.
Grabbed a spare PC (new, as it happened, with a Core i7, 16 GB RAM and a 500 GB SSD), put Windows Server 2012 R2 on it and joined it to the domain.
Enabled the Remote Desktop Services role, installed Office and then published the core Office applications (Outlook, Word, Excel, PPT).
Then a user could connect to the VPN as per scenario 2, fire up IE, point it to the Remote Desktop Services server URL (obviously not a public one) and work.
The VPN software (I can't remember which), I think, had split tunnelling disabled.
This seemed like a reasonably robust solution security-wise, but not being a security expert, I wouldn't mind some more qualified people pointing out any security issues that might exist.
Obviously solution 2 means IT doesn't have control over the endpoint, but given that they are using Remote Desktop Services in a browser with split tunnelling disabled, I would think the risks of unauthorised access are low?
Thanks
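The post relies on two settings it cannot easily prove from memory: that the VPN client really has split tunnelling disabled, and that the RDS server only exposes the four published Office applications over a properly secured session collection. The following PowerShell is an added audit script, not code from the original post or from any product it mentions. It assumes the Windows built-in VPN client (the post does not name its client) with a connection called "Corp VPN", and an RDS session collection called "OfficeApps" on the connection broker; both names are hypothetical. Run `Test-VpnSplitTunnel` on a client PC and `Test-RdsCollection` on the RD Connection Broker.

```powershell
# Added audit script (not from the original post). Hypothetical names:
#   "Corp VPN"   - a Windows built-in VPN connection on the client
#   "OfficeApps" - the RDS session collection holding the published Office apps

function Test-VpnSplitTunnel {
    param([string]$VpnName = 'Corp VPN')   # hypothetical connection name
    $findings = @()
    # Get-VpnConnection is in the VpnClient module (Windows 8.1 / Server 2012 R2 and later).
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    if ($null -eq $vpn) {
        $findings += "VPN connection '$VpnName' not found on this machine"
    } elseif ($vpn.SplitTunneling) {
        # With split tunnelling on, only corporate routes use the tunnel and the
        # home PC keeps a direct internet path alongside the session to the RDS server.
        $findings += "Split tunnelling is ENABLED on '$VpnName' " +
                     "(fix: Set-VpnConnection -Name '$VpnName' -SplitTunneling `$false)"
    }
    return $findings
}

function Test-RdsCollection {
    param(
        [string]$CollectionName = 'OfficeApps',   # hypothetical collection name
        # The four applications the post says were published.
        [string[]]$ExpectedExe = @('OUTLOOK.EXE', 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
    )
    $findings = @()
    Import-Module RemoteDesktop -ErrorAction Stop

    # Session security: TLS (SSL) security layer, high encryption and Network Level
    # Authentication so an unauthenticated client never reaches the logon screen.
    $sec = Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -Security
    if ($sec.SecurityLayer -ne 'SSL') {
        $findings += "SecurityLayer is '$($sec.SecurityLayer)'; expected 'SSL'"
    }
    if ($sec.EncryptionLevel -ne 'High') {
        $findings += "EncryptionLevel is '$($sec.EncryptionLevel)'; expected 'High'"
    }
    if (-not $sec.AuthenticateUsingNLA) {
        $findings += 'Network Level Authentication is disabled'
    }

    # Published applications: anything beyond the expected Office executables
    # widens what an authenticated VPN user can launch on the server.
    $apps = Get-RDRemoteApp -CollectionName $CollectionName
    foreach ($app in $apps) {
        $exe = (Split-Path -Path $app.FilePath -Leaf).ToUpper()
        if ($ExpectedExe -notcontains $exe) {
            $findings += "Unexpected RemoteApp published: '$($app.DisplayName)' ($($app.FilePath))"
        }
    }
    return $findings
}

# Usage on the relevant machine; each returns an empty array when nothing is wrong.
# Test-VpnSplitTunnel | ForEach-Object { "FINDING: $_" }
# Test-RdsCollection  | ForEach-Object { "FINDING: $_" }
```

Each function returns a list of findings rather than a pass/fail, so it can be dropped into a scheduled compliance check. If a third-party VPN client is in use instead of the Windows one, the split-tunnel check has to be replaced with that vendor's equivalent; the RDS half is independent of the VPN product.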