This is a guest blog post. Views expressed in this post are original thoughts posted by Graham Brown, Network Support Engineer at Imtech ICT Limited. These views are his own and in no way do they represent the views of the company he works for.
Winter is fast approaching (to the dismay of some, but not for me as this is a season I really enjoy because of my outdoor interests) and with the increasingly bad weather that we have experienced over the past few years in the UK, it is a good idea to take stock on the company’s business continuity plans or remote working capabilities. Ask yourself how many employees missed days in the office due to bad weather conditions last year, or the year before that? In December 2010 it was estimated that the financial impact of that years weather, could have cost the UK economy as much as £27.7bn.1
This was the challenge put in front of me towards the end of October 2010; I was given a high profile project to enable key teams within the business to be able to continue their work remotely, whatever the weather!
Obviously some kind of remote access would be required, it needed to be scalable to support at least 50% of the workforce (200 users) in the short term and have the ability to grow to over 400, assuming growth and every staff member having some kind of remote access capability. Access needed to be secure; clients must be authenticated to access the system, and authorised to the same level that they would have been given from within the office. Above all, the system should be flexible. And finally the required solution had to be OS agnostic and if possible clientless, in order to allow non-company supplied hardware access.
Ticking the box for all of the requirements and having the knowledge that Juniper Networks has both the leader and visionary position within the Gartner Quadrant for SSL VPN sewn up; their SA Series of SSL VPN appliances were chosen to provide the remote access functionality. Juniper has since added more products and functionality to its remote access portfolio. In addition to the SA appliances, there is a new range; the MAG Series Junos Pulse Gateways, which perform all remote access functionality. These also can be combined with standards based Network Access Control (NAC) and application acceleration functionality.
The Juniper SSL VPN appliances are licence based and can be sized for an immediate deployment, with room for future growth or additional functionality, such as contractor or business partner access. One of the great options available is the “In Case of Emergency” (ICE) licence. This gives you a boost of up to eight weeks to the number of available connections on your boxes – there are two types of licences available. The first will allow you to use 100% of the platforms total capacity, for the number of concurrent users able to connect; the second will give you a 25% burst based on the existing licence applied. If you have a 100-user licence, then you could connect 125 concurrent users for up to eight weeks – more than enough to cover an emergency or bad weather crisis situation.
These Juniper appliances are a dream to work with, very easy to set up and GUI driven. The developers obviously took a lot of trouble to ensure that the administrators could get these up and running with minimal fuss, get them racked and apply some very granular access policies with ease. Once again I approached these appliances armed with a trusty book – Juniper Networks Secure Access SSL VPN. This is a very well written guide to allow you to get the most out of your equipment; it certainly helped speed things up for me. One thing I feel that I have to mention is the failover when these devices are deployed in a cluster – the user is blissfully unaware that you are testing a failure scenario as session state is shared between devices, no traffic loss and no support calls are always a good thing.
Some people view SSL VPNs from a very sceptical perspective, mainly stemming from a deep routed history of using IPSec VPNs. If required you can deploy IPSec VPNs through these appliances, by using the Junos Pulse client. In addition to the usual IPSec functionality, you get SSL as a failback protocol in the event that IPSec cannot be established (ESP blocked for example). During the testing phase, I politely requested that some of the staff disconnect their VPNs. Their response was “I didn’t realise I was still connected” a glowing example of how quick and stable the connections can be.
Ultimately, the project was delivered on time, under budget and just in time for another fantastic, cold and snowy winter. Employees were able to work from home when travelling would have been dangerous or far too time consuming. This decreased the number of unnecessary journeys and ultimately increased productivity. If anyone has any comments or queries, or perhaps even similar deployment stories, please get in touch and share your thoughts. In the meantime, I’m hoping for another great winter season.
Discussing a wide range of topics impacting enterprises and
data center security.