A Quick Solution to Add Remote Working Capacity When Your VPN is at its Limits

Günther Wieser
Build. Grow. Matter.
5 min read, Mar 18, 2020

Who would have thought a few weeks ago that working from home would be our daily business? So no one can be blamed for not having VPN capacity in place for all of their employees at once.

As the restrictions caused by the crisis might persist beyond a few days, we want to present a possible scenario that eases the load on your VPN endpoint and adds additional, secure remote workplaces without adding VPN capacity.

Why enhancing your VPN capacity will most likely fail

There are three main limits on the number of users who can use a VPN endpoint at a given time. Under normal conditions you can usually change them within a few weeks, sometimes even within days:

  1. the number of parallel users your license or hardware allows
  2. the capacity your internet connection can handle
  3. the amount of data each VPN user sends over the VPN connection

Under the current circumstances, each of the options above has its own problems.

The first one can only be solved quickly when it is just a license issue. When the hardware is the limit, there is no easy way to fix this within days or weeks: replacing the VPN concentrator is a logistics problem, and it also requires staff on site.

The capacity of your internet connection is most likely also not easy to change short-term. Infrastructure providers have reduced their operations to a bare minimum, and many other customers will have similar requests for more bandwidth.

The third one is something you can't easily limit or change in general. As soon as a user's computer is connected via VPN to your on-prem setup, all the traffic it generates goes through the VPN connection: the video and audio of a conference call, checking or sending emails, accessing public web sites. All of this goes through the VPN tunnel, but it doesn't have to! It would be fine if it went to the public internet directly instead. But changing this (so-called split tunneling) creates possible loopholes into your secure infrastructure, and before you can allow it you might need to totally revise your security concept and implement a lot of additional measures to stay secure.

How to enhance your home office capacity when your VPN can’t be enhanced

Luckily, there are other options to ease the load and add remote working capacity to your IT infrastructure. We have designed a solution that can be set up entirely remotely via VPN, without anyone needing to be on site in your data center, be it co-located or on-prem.

The solution consists of creating a virtual private network (a VPC) in the AWS public cloud, which is connected via VPN to your network (either the office network or the data center network, depending on your setup). In this virtual private network, which is not accessible from anywhere outside this VPN tunnel, we set up a virtual desktop environment that is managed by your IT department as if the desktops were laptops or desktop PCs in your office.

[Figure: Difference in routing the traffic between classic VPN and WorkSpaces]

Your employees can then access these virtual desktops over a secure connection, directly over the internet, without a VPN connection to your VPN endpoint.

This has many benefits:

  • The traffic from their computers goes to the public internet, which means that conference calls, etc. do not congest the VPN concentrator
  • You can dedicate almost all of the VPN concentrator’s capacity to the connection into the virtual private network
  • Only traffic to the systems in your on-prem/co-located setup goes through the VPN tunnel
  • Your administrators handle the virtual desktop like any other computer in your domain

[Figure: Network traffic comparison, classic VPN solution vs. WorkSpaces]

Let’s do a quick example — your results may vary but you get the point:

[Table: Typical Traffic Types for a Remote Office User]

So each user generates approximately 500 kBit/s of traffic. Let's see how many users a 15 MBit/s VPN concentrator can handle:

[Table: Calculation for Number of Users using the same bandwidth]

You can see that the solution we propose can handle 5 times the users compared to the standard VPN setup, and that's without replacing anything in your existing infrastructure!
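As an added illustration (not from the article), the comparison above as a small capacity model in Python. It assumes a constructed per-user traffic profile that sums to the article's 500 kBit/s, with 100 kBit/s of that destined for on-prem systems, and that the WorkSpaces streaming traffic goes from the user's device to AWS directly rather than through the concentrator, as described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficClass:
    name: str
    kbit_per_s: float    # average per user
    needs_on_prem: bool  # destination sits behind the corporate VPN endpoint


# Constructed per-user profile (an assumption, not the article's table). It sums
# to the article's ~500 kbit/s per user; 100 kbit/s of that targets on-prem systems.
PROFILE = (
    TrafficClass("video/audio conferencing", 250.0, False),
    TrafficClass("email via public provider", 100.0, False),
    TrafficClass("public web", 50.0, False),
    TrafficClass("on-prem applications and file shares", 100.0, True),
)


def vpn_load_per_user(profile, workspaces: bool) -> float:
    """kbit/s per user that crosses the VPN concentrator.

    Classic VPN: the client is fully tunnelled, so every class crosses the VPN.
    WorkSpaces: the device streams the desktop from AWS directly over the
    internet; only what the virtual desktop sends to on-prem systems crosses
    the site-to-site VPN between the VPC and your network.
    """
    return sum(t.kbit_per_s for t in profile if t.needs_on_prem or not workspaces)


def max_concurrent_users(concentrator_mbit_per_s: float, profile, workspaces: bool) -> int:
    per_user = vpn_load_per_user(profile, workspaces)
    if per_user <= 0:
        raise ValueError("profile sends nothing over the VPN")
    return int(concentrator_mbit_per_s * 1000 // per_user)


def compare(concentrator_mbit_per_s: float = 15.0, profile=PROFILE) -> dict:
    """Users supported by the same concentrator under both designs."""
    classic = max_concurrent_users(concentrator_mbit_per_s, profile, False)
    split = max_concurrent_users(concentrator_mbit_per_s, profile, True)
    return {"classic_vpn_users": classic, "workspaces_users": split,
            "gain_factor": split / classic}


if __name__ == "__main__":
    print(compare())  # {'classic_vpn_users': 30, 'workspaces_users': 150, 'gain_factor': 5.0}
```

Changing the profile (for example, moving email on-prem) shows how quickly the gain shrinks when more services live behind the VPN.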

When this setup works best

The more of the following conditions apply, the better this setup works:

  • Email infrastructure is reachable via the public internet (it could be hosted on-prem but exposed publicly, or provided by a public service, e.g. Office 365)
  • Conferencing infrastructure is available via the public internet

In general, the more of the features and software your employees use are available on the public internet, the greater the benefit of this solution. They use these services from their normal computer, e.g. a laptop or desktop, and access on-prem resources via the WorkSpaces client. The virtual desktop should only contain the software that needs on-prem access; it makes no sense to run conferencing software inside the WorkSpace if the goal is to limit the VPN load.

Setting up is much easier than you might think!

We have already created the whole core setup and can create the resources in your AWS account within minutes! We just need a few inputs, like sizing and number of machines, network details, etc., all of which can easily be clarified in a conference call. We can also calculate the exact costs of your solution upfront.

After setting up the core part, what needs to be done on your side usually isn’t much:

  • connect your VPN endpoint to the VPN endpoint we've created in your virtual private network
  • set up routing on your on-prem/co-located network so that the virtual private network is reachable and, vice versa, the virtual private network can reach your resources
  • provision the virtual desktop environment (connect the setup to your Active Directory, etc.; by the way, you don't need an Active Directory for this)

Oh, and by the way, we can tear the whole setup down as easily and quickly as we can create (or even re-create) it: it's a matter of minutes until all resources are gone, and so are the costs!

Accessing the virtual desktops

There's a client for all major operating systems, including Windows, Mac, Linux, Chromebooks, iOS (iPhone and iPad) and Android. Nothing is stored on the computer or device that runs this client, so your employees can use any kind of computer or device without breaching your security. If your employees have Chrome or Firefox, they can also connect from these browsers without installing a client at all! This makes the introduction of this new system really easy!

We’ll be hosting a Q&A for this solution on Friday March 20th, at 11:00 AM CET / 10:00 AM GMT! Join us via this link: Zoom Meeting with creative-it

Günther Wieser is the founder of creative-it.com and loves technology that actually helps people and businesses.