Follow the moon
Sounds like an opportunity for a new product, anycasted vpn endpoints.
Cisco was surprised by how quickly it needed to adopt a global working-from-home policy, amid the coronavirus pandemic, and is now rationing VPN use to safeguard its security. Speaking at the Cisco Live virtual event for the Asia Pacific and Japan region today, vice president of Cisco Customer & Seller Bailey Szeto said Cisco …
“Split tunnelling” has also come in handy, we're told. This technique sees traffic that absolutely needs a VPN to reach internal resources take that route, while other traffic travels over the public internet to public-facing servers.
Y'know, that technique everyone deploys on almost any VPN they've ever set up... because the last thing you need is 400 remote workers streaming cat videos on all day through the company's WAN connection...
You'd like to think that, but somehow I've (with no qualifications etc., but just happened to grow up at the right time and annoy my parents enough by breaking and fixing our home computers, and learnt enough to know what I'm doing) become our company's IT guy in the office when our outsourced guy can't get in (or can't be bothered to deal with half of it).
So I suggested at the very start of all this to use split tunnelling for everyone; this was immediately rebuffed and I was told it would be fine... we managed until the 2nd day before management got fed up with the stupid video meetings being laggy as hell. Now we have split tunnelling.
I still can't fathom why they said no, I can only imagine it's because they would need to see every laptop, which is only around 40, and just didn't fancy doing it.
One reason given for not allowing split tunnelling is to force all traffic through the company's monitoring and security systems. From a security point of view I can see the benefit, but it is a pain in the ass when you have to keep disconnecting the VPN so you can access your home lab etc.
It's also a pain if it prevents you from using local network resources. I can't access my printer from the VPN, so I end up emailing documents to a personal account I save for work, then printing them from my own laptop, sat beside the work laptop. Good job I have a decent sized desk.
Most of the corporate Security Guys I've worked with will only use split tunnelling for white-listed SAAS sites. Their view is if it's a company machine then they want to see all the traffic which could cause a security issue and retain audit capabilities of what staffers are doing with work resources.
They are far more likely to blacklist sites than open things up more. For example, several I've worked with have blacklisted shopping sites and social media sites.
I've been told that split tunnelling offers more safety, since... I don't know what their reasoning was, because after I realized I lost contact with my internal network at home (meaning I have to switch to another computer to diagnose local network issues) I reformatted my work laptop and installed our old OpenVPN based VPN instead.
But other jerks in my past have also advocated disabling split tunnelling. Is there a best practices document somewhere that advocates this nonsense?
Put a Virtual Machine with FreeBSD or Linux on one of your home servers
Install OpenVPN and Nginx on it, plus any other stuff you need like ssh and sudo
Configure OpenVPN to connect to your work network
Configure Nginx using the stream directive to proxy the resources you need at work. In my case it is rdp and samba
When you want to access a work resource, connect to your VM. rdp will give you a certificate error, but it will still work
You will still be able to access everything in your home network as normal.
My approach at home to avoid personal traffic going through the VPN:
A FreeBSD virtual machine that connects to the VPN
A reverse proxy server on the VM that replicates the ports on my work systems
When I want to access a work resource, I connect to the VM
It also protects my home network from being accessed from the work network
Linux would also work, but I'm a FreeBSD fangirl, and linux would use about twice as much RAM. RAM is the limiting capacity factor on my home servers.
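The reverse proxy step in the VM approach above, written out as an added example (not the commenter's own configuration): an nginx `stream` block that forwards RDP (TCP 3389) and SMB (TCP 445) from the VM's home-LAN address to work hosts reachable only over the VM's OpenVPN session. The home subnet 192.168.1.0/24, the VM address 192.168.1.50 and the work-side addresses 10.0.0.10 and 10.0.0.20 are assumed placeholders, not values from the thread.

```nginx
# Added example, not from the thread: layer-4 (stream) proxy on the home VM that
# holds the OpenVPN session to work. All addresses below are assumed placeholders.
stream {
    # Only clients on the home LAN may reach the proxied work ports; everything
    # else (including anything arriving over the VPN interface) is refused.
    # 192.168.1.0/24 is an assumed home subnet; adjust to match yours.
    allow 192.168.1.0/24;
    deny  all;

    # RDP: bind only to the VM's LAN address (assumed 192.168.1.50) and forward
    # to a work desktop (assumed 10.0.0.10) across the tunnel. The desktop's RDP
    # certificate names the work host, not this VM, so clients will show the
    # name-mismatch warning the comment mentions; the session still works.
    server {
        listen 192.168.1.50:3389;
        proxy_pass 10.0.0.10:3389;
        proxy_connect_timeout 5s;
    }

    # SMB/CIFS: plain TCP 445 forwarded to a work file server (assumed 10.0.0.20).
    # Map it from a home machine as \\192.168.1.50\share.
    server {
        listen 192.168.1.50:445;
        proxy_pass 10.0.0.20:445;
        proxy_connect_timeout 5s;
    }
}
```

The `stream { }` block belongs at the top level of nginx.conf, beside (not inside) `http { }`, and needs nginx built with the stream module (`nginx -V` should list `--with-stream`; the FreeBSD package has it by default, some Linux packages load it via a separate `load_module` line). Using work-side IP addresses rather than internal DNS names avoids nginx failing to start before the tunnel's resolver is available. Binding to the LAN address plus the `allow`/`deny` pair is what keeps the proxied work ports from being reachable from the work side of the VPN, which is the "protects my home network" property the comment describes.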
Maybe they will fix the dog-turd sucking that is Webex now they are forced to use it for themselves?
You know make it properly cross-platform, make it "just work" using any of the major web browsers, make it do all of the checks needed before the fsking start of the meeting so you don't have to install some new crap plug-in that needs admin privileges that you don't necessarily have for your work laptop during the first 10 minutes, etc, etc.
Pre crisis Cisco VPN user here with 100,000 users and of course WebEx. Couldn't move away from those fast enough. Normally, it would have needed a year to approve the alternative VPN we were testing, managed to get approval and rollout done in 5 days. MS teams should be switched on next week.
I recently watched a system admin set up Teams, over a three hour period, for my wife's work from home access. They did set it up remotely and they wanted to allow RPC in order to perform the set-up on the new ASUS high quality laptop (i7, 12 GB RAM, Win 10 Professional). Tons of bandwidth. The set-up took three hours and required RPC to remain open even after completion.
How well is Teams integrated into MS infrastructure?
They who set it up are a service provider, and while they don't keep accurate records, they do tend to be knowledgeable and seem to be able to make things work when required, locally or remotely, so there is that. My wife's firm is 40 people and uses technology gingerly.
From a cold boot until the full version of Teams along with Office 365 is loaded and ready takes about 10 minutes. Again, we have lots of bandwidth; they appear to use some kind of Cisco switch (sorry, I just realized they are using the Cisco VPN, which is probably overworked right now and for the foreseeable future). Is this the normal set-up and boot-up time you are seeing in your set-up?
I am being curious is all.
If you have Office365, installing Teams is:
Visit office.com
Log in using your O365 credentials
Click on the Teams Icon
You get Teams in a web browser, and you could use that
Click on "Download Desktop App" in the bottom left corner
Install it like any other windows/mac application
Log in to that using your O365 credentials
Or on your phone, download it from the app store, and log in using your O365 credentials
On my mid 2010 MacBook Pro, it takes about 20 seconds to load, log in etc. Skype takes 8 seconds, Whatsapp desktop takes 10 seconds
We already have Office365 for most of the employees along with OneDrive and private SharePoint. Teams is a flick of a switch to enable. Integration is fine with the rest of the MS products; for most people it's just another collaboration tool. Like most enterprises, the issue is that different teams go ahead and implement their own tools based on prior or personal experience and that just leads to fragmentation. God knows how much of the company is using WhatsApp for communicating.