Not just VPN accounts
We've also been tasked with providing computers(w\ vpn software configured) for users who do not have approved systems at home. Just a little work for some of my colleagues!
With the COVID-19 outbreak pushing many companies to keep workers at home, admins are finding themselves having to deal with a crunch of traffic on VPNs and network appliances suddenly overwhelmed with remote connections. Microsoft on Tuesday issued guidance for admins on how to manage their Office 365 installations with so …
Nice to see i'm not the only person doing this.
In case my laptop stock runs out i'm refurbing the Win7 desktops that were (finally) about to get destroyed as thin clients for a VPN client & Terminal services in case the entire country gets quarantined.
If it all goes south, Microsoft is going to have a bloody good quarter from all the extra RDS licenses everybody is going to be buying.
I've recently moved from a complete virtual desktop environment to one where VPN's are standard and remote desktop just for emergency access, meaning when we need to scale up remote working we have a capacity contraint on the virtual desktop farm.
I am very interested in the Citrix Workplace site aggregation feature but I am finding it difficult to get a look at in trial mode and it doesn't seem set up for a true PAYG model, Citrix are looking for 500+ users and annual licensing (billed monthly but still min 12 month). I think if you could set up the capability for a handful of users and flex up and down, companies like mine would be biting their hand off.
"Not too bad if done correctly - if you only trust the MS endpoints *AND* only allow secure connections *to* them...."
And that list microsoft gave, yep its to microsoft........Azure. Millions of IP addresses. So not just stuff put up by microsoft.
Never mind the security, feel the process. Six months at my place for the promised split tunnelling to relieve the already creaky VPN.
Re: security - almost certainly your VPN already whitelists all those MS addresses to make o365 and OverDose work, so all you're saving is a round trip through your infrastructure...
It might be a tipping point.
Starting this week business groups at my employer are having some of their workers being to WFH for more than a day a time; I think this is to work out any sort of kinks like "Ok, I can work at home, but when I'm in the office tomorrow this paperwork needs to get signed by X and then delivered to Y who'll fax it to Z" stuff still around.
My 2000 person relatively IT independent division of a multi-national can and has had all the office / tech staff WFH for a day due to snowstorms (only a skeleton maintenance / security / old iron operations crew on site at HQ).
After a trial test telling most of the business to WFH one day, and actual "campus is closed except for skeleton staff" snow days since then, followed by adopting WFH policies allowing ~1 day a week for many folks.
What we had for WFH already made executives comfortable enough to close a 100 person call center in another section of the country and pull that work back to the home office knowing we wouldn't be shut down by bad weather.
Went through the process of setting up a new business and decided from day one that the office would be a meeting place - not a place where data or applications are hosted.
This means that as long as each user takes their laptop and power cable, it makes no difference from where they work.
In fact, prior to our Internet connection being installed, we tethered our laptops to individual mobile phones while sitting in the office. Slow, but still usable.
Collaboration tools allow screen and document sharing, voice and video calls, etc.
I know that it is nowhere near as easy for companies that have to deal with on-prem legacy applications, desktop computers, etc.
We did exactly the same thing. The office offers nothing in the way of IT other than a decent wifi system and leased line and firewall for Internet access. They do the same in the office that they do at home - no difference.
Everybody has laptops with Cisco VPN and Duo 2fa accounts. Everything is locked away in a data centre. We use a cloud based phone system too.
Depends on what you use a computer for. My workstation and its four monitors, powerful GPUs and a lot of needed local storage are difficult to move around. Plus the data are too sensitive and proprietary to be stored in any cloud outside the company datacenter (which is accessible through a VPN, of course, when needed).
I can work remotely with a laptop, but my productivity is hampered by the limited resources.
Ask for a workstation class laptop, get a decent TB 3 dock, and you can have as many work locations as you can afford. Our "engineer" grade laptops are Dell Precision <something or other>, 64 GB RAM, i9 processor, nvidia quadro for CUDA, one cable in the dock and I've got 4 screens beaming back at me.
I'll admit local storage is a bit tricky if you're in one of those industries that needs TB/PB of data to be available.
No "workstation" class desktop can be cooled as a tower workstation. Nor you can plug as much RAM into it easily. Nor you can have more than one graphic card (but the integrated one). Local disks on NVMe connections are still faster than external disks. There is also the issue of the 10Gb/s connection to the servers in the local datacenter (just below my office).
Nor my company is going to buy me four monitors for home, nor I wish to carry them back and forth from the office.
Those laptops are fine when you need power outside the office but are not a full replacement of a full workstation. As said, I can work outside, the office, with less resources available. For a while, to avoid putting my and others0 lives at risk is fine.
I know my needs are not average, just pointing out some people have needs that cannot be easily fulfilled everywhere.
Agreed. I've worked exclusively from laptops for about 15 years now, but I recognize that even other people in my organization who do similar jobs will have different preferences and needs. It makes sense to give workers the tools that work best for them, not try to find one solution to fit all.
You could always invest in a Work from Home setup of your own ?? Try and Claim it back on your Self-assessment or find it my with some WFH days from your fuel.
2 decent Samsung 27” 1080p screens and a monitor bracket will rush you only about £300. Rob a keyboard/mouse/laptop riser/printer etc from work.
Clouds can present difficulties in respect of data protection and sensitive material e.g. classified and/or commercially sensitive information. This might be more of a consideration for organisations that could be or have been the target of spying by US and other foreign government agencies.
My group and most of the company is now home based for the duration. We all had laptops issued with VPN software preinstalled and configured. And many of us were mostly WFH or already home based as it was so switching over is not as major a headache. Still will need enough bandwidth. And are not an IT company.
I suspect this might accelerate moving workers out of the office more once everyone adjusts. And being able to do this for a large number of workers is something that will help as you lessen the need for people to be together in large groups.
I wish... while I mostly work remotley / on the road visiting customer sites to fix hardware. The boss really likes people in the office. The sooner the government put in place a recommendation for all workers to work from home where possible the better.
As it is now I have recommended to our engineers that they wear a fresh pair of surgical gloves (part of normal car stock anyway) to each site before they even touch the door handle, clean each machine on arrival and consider their tools etc as contaminated. Clean their vehicle and tools at the end of each day and dispose of the gloves. It's a pain in the arse but better than potentially spreading infections to hundreds of sites.
I wonder how many ISPs broadband is actually up to the task ? I know that my last employers VPN functionality was not supported for connections under 5MB/s (no, I don't know why). Which was a barrier to some homeworking (and not accidentally, I suspect).
The unforeseen consequences of COVID are going to rumble for a while yet, and one of the first issues is all those ISP lies about their "up to" speeds.
For myself, full-fat VM fibre to my door is still delivering around 100 MB/s.
And I'm looking forward to attempts at four simultaneous skype conversations on my house's 4Mb/s, preferably whilst everyone else in the street is trying the same (or maybe just some iplayer/netflix-alike service) ... :-)
4 Mb/s is plenty for four simultaneous Skype conversations, unless you insist on high-definition. For regular video calling you can get by with 128 kb/s. If you're prepared to slum it with voice only (remember that?), obviously that's even lower.
I wonder how many ISPs broadband is actually up to the task ? I know that my last employers VPN functionality was not supported for connections under 5MB/s (no, I don't know why).
Probably a combination of factors. VPN traffic can be high overhead and delay sensitive, so with no QoS, and a low speed connection end up being unreliable. T'other gotcha could be the routers typically used on consumer connections having limited capacity to run the number of sessions used, especially in a split tunnel config. So attempting to support 100+ sessions, NAT and firewalling stresses those boxes and packets or sessions get dropped. I had that at one ISP I did some work for where the <$10 Zyxel box was fine for most home users, but barfed at VPN traffic.
Teams is the answer according to Microsoft.
Only if the question is
What has been forced onto every company laptop and is such a resource hog at startup, configured so badly , that you can turn the laptop on. Go downstairs, grab a coffee, have a chat with workmates, go to the toilet. Have another chat and then slowly wander back to your laptop to be in time to cancel the load error message and finally start your day?
And then the machine decides that there has been no activity from the keyboard for x minutes and goes to sleep! Rinse & repeat..
WFH is otherwise OK unless you need the test equipment / temperature Chanbers / specialised tools etc that can only be found at work. But at least I can "attend" the ongoing meetings that plan what we're not going to do to meet a schedule we're not going to meet and try to analyse why work is not getting done..
Yup. A lousy UI and - in my case at least - no-one listed in recent contacts or favourites. How odd, given that we've been using it for over a year now.
And you have to question a client/server application which, when it needs you to log back in, has to first restart itself.
I find it way more solid (to deploy and use) and infinitely less annoying and cluttered than Slack (which decides by itself your working hours) and sure enough miles better than SfB - also very consistent across desktop and mobile platforms.
Only annoying bit about about Teams right now is it decides that right-click -> exit means the application crashed and automatically restarts which is mental.
I already work from home a lot, perhaps I should consider going to the office more. It's going to be nigh on deserted anyway, I run as much risk to get infected there as I do here at home. That's besides the fact that I think the widespread panic is bollocks, but that's another discussion.
Have a short meeting planned for tomorrow, wonder if there'll be anyone else working there. Friday is already a notoriously quiet day in the office, wouldn't be surprised if it's just the receptionists and me.
Oh and the cleaning staff of course, they're not going to be allowed to skip even a single day.
This recent development in my dept has seen a vast array of utility tools adjunct with my WFH profile. We engineer AI, and as such, have no qualms about working from home (I would rather prefer it). The thing is that my company has additionally moved on to MSTeams due to this, which has basically changed how we work completely. I'm shocked that its not just us AI engineers who are doing this, but a large number of folks as well.
I don't see what a browser has to do with it.
I still have to guess at exactly what you are describing, but it sounds to me like more of a VPN client misconfiguration. It also may be referring to using an unmanaged machine as a VPN client. In both instances, the point of the corporate VPN IS negated.
A proper corporate VPN will only allow connections from corporate managed VPN clients. Those clients will have the same or likely better hardening as the internal corporate network clients. They will require additional protections on the initial Internet connection during VPN tunnel establishment. No traffic outside the VPN is permitted, save authenticaton/consent to the AP/gateway. This traffic denial is bi-directional. A corporate VPN implementation has to include the very same level of perimeter protection on the VPN clients as the corporate network gateway. Anything less will not do.
As soon as you have something that can connect to something over HTTPS (or anything else over TLS) you have lost as literally anything can tunnel in and out. Browsers are doing this every day with stuff like websockets. Too many people have bought the nonsense they have been sold by Cisco reps. VPNs aren't part of your chain of trust.
Yes. But instead of having one machine in the ether connecting to stuff thats most likely hosted on AWS you now have one machine in the ether connecting into your network that's otherwise not remotely accessible connecting to stuff hosted on AWS... and now that stuff hosted on AWS has an easier route into whatever super secret gene mutation tech you have hidden behind your VPN.
TL;DR; VPNs are from a begone age where a lot of application protocols were plain text. They provide tunneling and encryption not trust. Now that basically everything uses TLS you aren't adding anything by forcing your users to use OWA or gmail via a VPN and you're exposing your internal network to whatever 0-days exist in their browser, home router etc.
You seems to be mixing the commercial consumer level and corporate VPN implemtations. A corporate VPN is self-hosted (unless the datacenter went all cloudy). The VPN server is in the datacenter's DMZ so that external clients can connect over a trusted connection using known configuration and encryption to the internal network. Those clients should not be any old client, but corporate issued clients or at least corporate vetted clients. Many corporate VPN client software solutions have a means of vetting the machine and many also can isolate the connection so there is no cross connection to the Internet at large while VPN connected. This many times includes verifying current patch levels of browsers. A proper VPN would be immune to the vast majority of router vulnerabilities. Many also include their own hardened browser. Any Internet access while on the VPN is routed through corporate firewalling and data exfiltration controls.
Commercially available consumer VPN implementations are the sort to be found AWS hosted. Even those not AWS hosted are on unproven level of security hosts. These are not what a large business should be relying upon.
I personally roll my own VPN. I chose the cloud host to install the dedicated VPN server upon. It cost me less in service fees than a commercially available consumer VPN. It cost me more in my time to setup and maintain, but I benefit greatly in being able to oversee the setup and maintenance and know that I have implemented the available security patches. I also benefit from not being blocked in the latest craze of webhosts' security theatre of blocking VPN. So, realistically my VPN cost is higher, but I get a better product. I could choose to pay colocation for a dedicated host, but you are still at the mercy of the colo landlords' lack of diligence. I researched my cloud host provider and trust them better than most colo provider's at a lower cost.
Working for a major UK IT company you would think we have it all figured out, right? Well, yes and no.
Yes - we have the tools to enable wfh
No - management are stuck in the 1980’s and think if they cant see you then you can’t be working....ffs
I’ve always been more productive working from home and with all the ‘tools’ I can communicate, collaborate and interact all day long if needs be.
The reality is that I’m not allowed and whilst I’d love to be able to walk away and do something somewhere else......that won’t be happening for a while.
I guess it’s time to suck it up and look forward to the lottery that is Covid-19 infection.
Personally I'm a huge fan of working from home, but - just like many others have mentioned - there appears to be an innate lack of trust on this front between manglement and underlings.
The excuses I've heard that come most readily to mind:
1. "We pad a lot of dosh for this office space - it has to be used!"
2. "Emergency maintenance". Give your keyboard a can of coke to drink at work, and a replacement can normally be provided tout suit. Pull the same trick at home and you'll probably be off-line for a few hours at best.
3. Insurance. Trip and twist your ankle at the office and elf&safety decrees that the company has to DO something. Damage yourself while working from home and... who pays?
Biting the hand that feeds IT © 1998–2021