How do you plan for your network to accommodate an influx of work from home traffic? This is a question on a lot of network managers’ minds right now. Many organizations are busy keeping their networks up and running, making sure they have the right capacity, issuing notebooks, etc. And while they’re busy addressing these initial needs, they may not be thinking about the underlying infrastructure needed for increased WFH activity. What if you send all 10,000 people home — do you have the right capacity to support that? This blog will cover what should be top of mind when planning for your organization’s network to scale for WFH.
Network Bandwidth Needs
The first thing to consider is the user’s home internet connection. Think of it as an extended branch office. If everyone is suddenly working from home, you need to ensure that users have adequate bandwidth and performance on their home internet to support your organization’s productivity suite. If your organization is expecting people to use voice, video or other performance-heavy applications, you’ll need to know what the requirements are for those applications. You can generally find that in the product data sheets; they show how much bandwidth is needed to run certain applications and other requirements such as jitter and latency.
Another consideration is that home internet connections often have bandwidth caps. You’ll need to consider how you want to handle those restrictions so they do not impact your users financially. Will you reimburse overages? Will you supply a cellular hotspot for your users? Will you avoid bandwidth-heavy applications such as video altogether? Will you limit email attachment sizes? Even email can be bandwidth-intensive if your users send a lot of attachments. There is no right answer, but these things do need to be considered when thinking about how you want to address WFH.
Next, how would your staff help users identify the performance characteristics of their home internet connection? Information about data caps will need to be provided by the user; however, to help gather performance data, you could instruct users to download a speed test on their laptop, tablet or smartphone. You could also provide a survey where users can input this information and then collate the data to identify users that may need the augmentation described earlier. With larger organizations, you may just need to stipulate the minimum requirements for using certain applications from home, as your IT staff may not be able to scale. For example, you could release a memo that states, “Make sure that you meet this bandwidth minimum before enabling video on Webex or Zoom.” This will let your users self-regulate, allowing you to spend more time on users who don’t meet the requirements.
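One way to collate such a survey against the application requirements from the data sheets, as an added example that is not part of the original post: the per-application thresholds, usage hours and survey rows are all constructed placeholders (substitute your vendor's data sheet figures), and the script flags which applications each user's link cannot support and whether the planned usage risks exceeding their ISP data cap.

```python
"""Collate home-connection survey results against per-application requirements.
All thresholds, usage hours and survey rows are constructed placeholders."""
import csv
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class AppRequirement:
    name: str
    down_mbps: float
    up_mbps: float
    max_latency_ms: int
    max_jitter_ms: int
    hours_per_month: float  # expected usage, used to estimate data-cap consumption

# Assumed requirements; take the real numbers from the product data sheets.
APPS = [
    AppRequirement("video", 2.5, 2.5, 150, 30, 60),
    AppRequirement("voip", 0.1, 0.1, 150, 30, 80),
    AppRequirement("email", 0.5, 0.5, 1000, 100, 20),
]

# Constructed survey export: speed-test results plus the ISP cap reported by each user
# (cap_gb of 0 means the user reported no data cap).
SURVEY_CSV = """user,down_mbps,up_mbps,latency_ms,jitter_ms,cap_gb
alice,100,20,25,5,1000
bob,6,1,40,10,250
carol,25,5,220,45,0
dave,50,10,30,8,150
"""

def monthly_gb(app: AppRequirement) -> float:
    """Convert sustained Mbps in both directions over the expected hours into GB."""
    mbps = app.down_mbps + app.up_mbps
    return mbps * app.hours_per_month * 3600 / 8 / 1000  # Mb -> MB -> GB

def assess(survey_csv: str, apps=APPS, cap_margin=0.8) -> dict:
    """Per user: apps the link cannot support, and whether the usage of the
    supported apps would consume more than cap_margin of the data cap."""
    report = {}
    for row in csv.DictReader(io.StringIO(survey_csv)):
        failing = [a.name for a in apps
                   if float(row["down_mbps"]) < a.down_mbps
                   or float(row["up_mbps"]) < a.up_mbps
                   or int(row["latency_ms"]) > a.max_latency_ms
                   or int(row["jitter_ms"]) > a.max_jitter_ms]
        cap = float(row["cap_gb"])
        planned = sum(monthly_gb(a) for a in apps if a.name not in failing)
        report[row["user"]] = {"unsupported": failing,
                               "cap_risk": cap > 0 and planned > cap * cap_margin}
    return report
```

Users with a non-empty `unsupported` list are the ones to contact about a hotspot or a memo-style minimum; `cap_risk` identifies where overage reimbursement may come up.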
Another major consideration is how you want to support applications remotely. Do you have Software as a Service applications such as Office 365 that do not need connectivity back to the data center? Do you have a procurement system that does? What about collaboration tools such as Voice over Internet Protocol or instant messaging? Some of these applications may be able to go direct to the internet, but some may require connectivity back to your office or data center. Even if they do support direct internet access (DIA), you may still want to force some applications through your data center for security inspection.
Speaking of forcing applications to go through your data center, tunneling everything back to your data center is an option. Keep in mind that doing this could negatively impact application performance and thus the user experience. Supporting DIA while working from home may be critical to maintaining a good user experience. There are many ways to do this, depending on your security requirements. Solutions such as cloud firewalls or whitelisting certain applications, such as Office 365, may be a way to provide a better user experience, while still maintaining your security policy.
Once you identify application requirements, then you can discuss how you want to present those resources to the user. Do you have an existing remote access VPN infrastructure? Do you have a virtual desktop infrastructure (VDI)? Do you want your users to just open their laptop and “go”? These options are all possible, depending on your WFH requirements.
Addressing VPNs and Firewalls
Each remote device requires a secure connection. Typically, remote access VPN (RAVPN) is provided by a VPN concentrator, such as a firewall. Organizations need to make sure that concentrator is sized correctly. Typically, you might expect to have 20 percent of your users connected. While the percentage of WFH users can vary significantly per organization, most expect only a subset of users. But if you want to have 100 percent connected, then you may need a bigger appliance that has capacity to handle the additional connections back to the data center.
When looking at capacity, it’s good to keep in mind that some manufacturers will treat the hardware and licensing completely differently. You may already have RAVPN through your current firewall; you just may not have planned to scale it to this size. You need to know what your physical and licensing capacity is. Can you support this large of a WFH group? You may not be as prepared as you thought.
A lot of organizations spend time prepping for something big like a data center disaster, but not necessarily for a large portion of their workforce working from home.
Remotely Accessing VDI
If you have a VDI environment such as Citrix or VMware, you can provide the same experience at home as in the office. You will still need to ensure that your server and licensing capacity are enough to support the increased user count.
A big consideration is how your users will access that VDI remotely. There are different options to do this, whether it be through a remote access gateway or even through a RAVPN connection. Even if your VDI environment will scale with servers and licensing, how will it scale over the internet, rather than in your office? You will need to look at your entire environment holistically.
End Devices and Zero-Touch Provisioning
As mentioned above, providing a remote access appliance is one way to enable users to access the VDI. This option can take some upfront work to set up, but the tradeoff is that it provides seamless “office-like” access through your corporate devices. These types of solutions are really meant to be simple — your user gets this device and plugs it into their broadband, and then it phones home and connects to your corporate network via zero-touch provisioning (ZTP). This has the benefit of not changing the user experience, since workers do not have to connect to RAVPN or VDI. Their laptops would automatically connect to the corporate service set identifiers broadcast by the appliance, offering them a seamless, secure WFH experience. This method can be combined with things like split tunneling and cloud firewalls to improve performance even more.
The logistics can take a lot of planning for a solution like this, since you’ve got to send the remote access devices out to your users as well as configure your data center environment. Luckily, solutions such as Aruba Remote Access Point (RAP), Cisco Meraki Teleworker and Cisco OfficeExtend access point (OEAP), while taking some planning, tend to be easy to set up, especially for the end user. With ZTP, your IT staff can set up the devices via the dashboard or controller prior to the appliance arriving at the user’s house. Your IT staff can even stage them, prior to sending them out, just to validate that they will work flawlessly when connected — very easy from an admin perspective.
You may also identify different requirements for different workers. If certain groups require access to certain resources, consider using a handful of the remote access appliances rather than distributing them to the entire workforce. The remainder of your workforce could leverage the methods mentioned previously, which may be sufficient.
It’s Really a Bit of Everything
Having a large portion of your users working from home creates an enormous amount of potentially unexpected impact on your infrastructure, because your infrastructure may not be built out for it. So, what do you do? Look at capacity across all of your infrastructure — everything is affected.
Maybe your VDI server capacity is OK and your licensing is fine, but now your internet circuits at your data center are too small. Everything connects, unfortunately, and everything is going to have to be looked at from a capacity perspective from start to finish, whether it’s WAN bandwidth, uplink capacity over to the server farm, the server farm itself, the firewall, or licensing across all of that. It all is interconnected and all needs to be considered.
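A capacity walk-through of the chain described above (the RAVPN concentrator sizing question from the firewall section and the end-to-end check here), as an added example that is not part of the original post: every stage from the internet circuit to the VDI licenses is checked against the same demand, so the script reports which stages saturate at a given WFH percentage and the largest percentage the weakest link can carry. The 10,000-user figure comes from the post; all capacities, the per-user bandwidth and the share of users on VDI are invented placeholders.

```python
"""End-to-end capacity check for a work-from-home surge. Each stage in the path
(internet circuit, firewall VPN throughput, RAVPN license, uplink to the server
farm, VDI hosts, VDI licenses) is checked against the same demand.
All capacities below are constructed placeholders, not real measurements."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str
    capacity: float
    unit: str        # "mbps" for throughput stages, "sessions" for seat/session limits
    applies_to: str  # "all" remote users, or only the "vdi" users

# Assumed environment originally sized for roughly 20 percent of users remote.
STAGES = [
    Stage("internet circuit", 2000, "mbps", "all"),
    Stage("firewall VPN throughput", 2500, "mbps", "all"),
    Stage("RAVPN license", 2500, "sessions", "all"),
    Stage("uplink to server farm", 10000, "mbps", "vdi"),
    Stage("VDI hosts", 2000, "sessions", "vdi"),
    Stage("VDI licenses", 2200, "sessions", "vdi"),
]

def demand(stage, total_users, wfh_fraction, per_user_mbps, vdi_share):
    """Load that a given WFH fraction places on one stage, in that stage's unit."""
    share = vdi_share if stage.applies_to == "vdi" else 1.0
    sessions = total_users * wfh_fraction * share
    return sessions * per_user_mbps if stage.unit == "mbps" else sessions

def bottlenecks(total_users, wfh_fraction, per_user_mbps=1.0, vdi_share=0.5,
                stages=STAGES):
    """Stages whose capacity is exceeded, as (name, demand, capacity) tuples."""
    out = []
    for s in stages:
        d = demand(s, total_users, wfh_fraction, per_user_mbps, vdi_share)
        if d > s.capacity:
            out.append((s.name, d, s.capacity))
    return out

def max_wfh_fraction(total_users, per_user_mbps=1.0, vdi_share=0.5, stages=STAGES):
    """Largest fraction of the workforce the weakest stage can carry (capped at 1.0)."""
    fractions = [s.capacity / demand(s, total_users, 1.0, per_user_mbps, vdi_share)
                 for s in stages]  # capacity divided by the load at 100 percent WFH
    return min(1.0, min(fractions))
```

With these placeholder figures the VDI hosts and licenses are fine at 20 percent, but at 100 percent the internet circuit is the first link to fail, which is exactly the kind of interconnection the paragraph above warns about.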