Despite the claims made by marketing teams at various cloud security vendors, the traditional VPN is still very much relevant in today’s enterprise. There is no doubt the rapid adoption of cloud applications and services decreases the reliance on VPN for end-user productivity. However, for those organizations with investments in Microsoft Active Directory and domain-joined computers, having persistent remote network connectivity is crucial for managing field-based devices. Also, for a variety of reasons, many organizations may choose not to expose critical applications and data via public interfaces, making the VPN an essential requirement for mobile workers.
Current Landscape
As an enterprise mobility specialist, I have spent more than 25 years implementing secure remote access solutions using a variety of technologies. In the early days it was predominantly IPsec-based VPNs. There was a time when SSL VPNs with application portals were popular choices for providing secure remote access. I have also implemented solutions using Remote Desktop Services (RDS) and Microsoft's on-premises and Azure Application Proxy. Today the most common solutions are client-based, using either IPsec or TLS, and they provide persistent and transparent remote access for both managed and non-managed devices.
Common Solutions
When engaging with customers to design a secure remote access solution, the goal is to identify their requirements and choose a vendor that best meets their specific needs. I work with many different vendors, but here is a list of the most common solutions deployed today.
- Entra Private Access
- Microsoft Always On VPN
- Microsoft DirectAccess
- Absolute Secure Access (formerly NetMotion Mobility)
- Palo Alto GlobalProtect
- Cisco AnyConnect
- Check Point Remote Secure Access
- OpenVPN
Considerations
Organizations seeking to implement a remote work or telework strategy – whether due to the events of 2020 or just out of a desire to improve connectivity for mobile workers and field-based devices – should consider the following.
Device Support
If you are looking for a solution to support Mac devices, but the VPN vendor does not support this platform, then it does not matter what other features and capabilities the VPN offers. Deploying multiple solutions to provide complete device support should be avoided. Standardization is key when it comes to networking products. Find something comprehensive that is compatible with all your hardware and software – not just for today, but for what you might someday add to the mix in the future as well. That means Android and iOS as well as the many variations of desktop OS (Microsoft and others), even if you do not need a VPN on those devices right now, because things can change quickly.
One last thing to say here is that device support is more than just a check box. For example, if a vendor claims to have full support for Samsung Android devices, make sure it is truly native. All too often the experience of deploying or using a VPN on a mobile device can be quite challenging, so do your due diligence when it comes to selecting a vendor.
Infrastructure Requirements
Many solutions require proprietary hardware, such as purpose-built, dedicated appliances. Most of the legacy VPN solution providers are now offering virtual appliances (on-premises and cloud), but they are often difficult to implement, have limited deployment flexibility, and lack efficient scalability options.
Also, a seemingly low initial price tag can quickly add up to an increased total cost of ownership once you start factoring in the cost of upgrades, resource overhead, and scaling. Consider also that many platforms require dedicated administrators with specialized skill sets who may be in short supply. The folks who administer Cisco, Palo Alto, Checkpoint, and others are often expensive due to this high demand. It’s also worth mentioning that deploying hardware often means waiting around – implementing some of these products can take some serious time.
The burden on medium-sized companies is the greatest. They have significant IT needs, while their staff is typically spread thin. Adding insult to injury, they don’t have the resources to pay for outsourcing or bring on dedicated people, which would require even more cost.
Scalability
Having a solution that can scale efficiently and effectively is vital. For customers invested in proprietary solutions on physical appliances, additional growth often requires purchasing new devices. Also, many of these solutions offer only active/passive failover, so the standby unit contributes nothing to capacity and a single appliance bounds the number of concurrent tunnels.
This was already an issue prior to 2020, but with so many companies now driving new business continuity policies, organizations are scrambling to meet the needs of an entirely remote workforce. There are significant costs associated with buying physical (or even virtual) appliances – but even then, they often have only limited scalability options.
This is where commodity solutions that can be installed on Windows Server excel. Technologies such as DirectAccess, Always On VPN, and NetMotion Mobility (now Absolute Secure Access) can be scaled out with relative ease. When the need for more capacity arises, additional VMs can be provisioned quickly, with no appliance to buy and no per-box license beyond the Windows Server licensing you already own. And with a little creativity this process can even be automated.
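To make the scale-out claim concrete, here is an unattended build of a Windows Server Routing and Remote Access (RRAS) VPN node as it might be run against each newly provisioned VM. This is an added example written for this page, not a script from the author or from Microsoft. It assumes a freshly provisioned, domain-joined Windows Server VM with its machine certificate already enrolled, an existing NPS/RADIUS server, and that the RADIUS shared secret is delivered out of band to a file path; the host name `nps01.corp.example` and the path `C:\deploy\radius.secret` are placeholders.

```powershell
# Added example: unattended RRAS VPN build for scaling out Always On VPN.
# Not the page author's or Microsoft's script. Host name and secret path are assumptions.
param(
    [string]$NpsServer        = 'nps01.corp.example',      # hypothetical NPS/RADIUS host
    [string]$SharedSecretPath = 'C:\deploy\radius.secret'  # hypothetical; secret is never embedded here
)

Import-Module RemoteAccess

# 1. Install the role. Install-WindowsFeature is idempotent, so the script is safe to re-run.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# 2. Configure RRAS as a VPN server only if this node has not already been configured.
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn | Out-Null
}

# 3. Authenticate users via NPS/RADIUS rather than locally, so every node enforces the same
#    policy and no node stores credentials. The secret is read from a file delivered out of band.
$secret = (Get-Content -Path $SharedSecretPath -Raw).Trim()
if (-not (Get-RemoteAccessRadius -Purpose Authentication | Where-Object ServerName -eq $NpsServer)) {
    Add-RemoteAccessRadius -ServerName $NpsServer -SharedSecret $secret -Purpose Authentication | Out-Null
}
Set-VpnAuthType -Type ExternalRadius | Out-Null

# 4. Accept only EAP for user authentication (certificate/PEAP via NPS), never MS-CHAPv2 in the clear.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru | Out-Null

# 5. Harden the IKEv2 policy: AES-256-GCM, SHA-256, and a 2048-bit / ECP384 key exchange.
#    This replaces RRAS defaults, which still permit weaker DH groups and ciphers.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants         GCMAES256 `
    -EncryptionMethod                 AES256 `
    -IntegrityCheckMethod             SHA256 `
    -DHGroup                          Group14 `
    -PfsGroup                         ECP384 `
    -PassThru | Out-Null

# 6. Apply and verify. The Get-* calls are what a build pipeline should assert on before
#    adding the node to the load balancer pool.
Restart-Service RemoteAccess
Get-RemoteAccess | Select-Object VpnStatus
Get-VpnServerConfiguration | Select-Object EncryptionMethod, IntegrityCheckMethod, DHGroup, PfsGroup
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
```

Run once per new VM from a deployment pipeline; because each step checks existing state before changing it, re-running against an already built node is harmless. Steps 3 through 5 are the parts that matter for security: centralizing authentication on NPS keeps every node's policy identical, and the custom IKEv2 policy is what prevents clients from negotiating the weak defaults RRAS would otherwise accept.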
Additional Factors
These three things are undoubtedly the most important in my view, yet there are a wide range of other criteria to consider if you are in the market for an enterprise VPN.
User Experience – Organizations do not want to implement tools that cause a heavy lift or that need a lot of end-user intervention or interaction, and they certainly do not want something that the entire workforce is going to complain about. Ideally, they want the solution that is transparent to the user, but accessible to administrators for visibility and security purposes. Users also just want their devices to work, no matter what network or operating system they’re using. In this respect, solutions like DirectAccess and Always On VPN really shine. And if you are looking for this same experience for Mac, iOS, and Android platforms, consider NetMotion Mobility.
Customer Support – This is one of the less tangible aspects of a VPN solution, and it can be notoriously difficult to measure. After all, every vendor will tell you they have great support. My best advice here is to contact the vendor's support while you are still evaluating their solution. Customers familiar with Microsoft will be accustomed to its tiered triage system, with different levels of support where only large enterprise organizations have access to the best support. Don't be shy about testing your potential vendor's customer support to see how good (or bad) it really is.
Trusted Advisor – <Shameless Self Promotion> Organizations should engage with an experienced advisor who can help them navigate all of the choices available, based on their current and future needs. Having access to someone with deep technical expertise and practical working experience with many different products and technologies will help cut through the noise and the claims that vendors so often make. At the end of the day you need to figure out which VPN is right for your business. An advisor will have expertise implementing and supporting those solutions and can tell you how difficult it is to keep them up and running if you do decide to invest in them. Every solution has advantages and disadvantages, so it's in your own best interest to rely on real-world expertise to help inform your decisions. </Shameless Self Promotion> 😉
Summary
There are countless things to consider when investing in a VPN technology, but those I’ve outlined above are what I believe to be the most important factors to bear in mind. If you’d like more information about some of these solutions or would like assistance with selecting and implementing a secure remote access technology in your organization, fill out the form below and I’ll provide more information.