Virtual private networks (VPN) are still the mainstay for providing users with remote access to corporate resources when working from home. But with remote access networks under more strain due to the global health pandemic, many employees are experiencing poor performance of cloud-based apps.
Performance issues are usually caused by the way VPNs are configured using forced tunnels. But there are several options for configuring VPNs that can improve performance of cloud apps while still providing access to resources on the corporate intranet.
The most common configuration for a VPN is a forced tunnel. Forced tunnels route all traffic into the corporate network, regardless of where resources are located. For instance, a remote user who accesses Office 365 will experience a performance hit if connected to the corporate network via a forced tunnel VPN. Forced tunnels route traffic destined for Office 365, and all other Internet resources, into the corporate network first before forwarding to the public Internet.
As you can imagine, this causes an additional load on the VPN and other network devices that might be used to manage Internet access. Forced tunnel VPNs ‘backhaul’ Internet traffic through the corporate network so that it can be filtered and inspected to protect endpoints. But as many organizations rely on cloud apps, like Office 365 and line-of-business apps that might have been moved to the cloud, performance suffers when network traffic for these apps is routed through the corporate network.
In contrast, a split tunnel VPN routes network traffic destined for the Internet through the device’s local Internet connection rather than directing everything over the corporate network. It wasn’t so long ago that split tunnel VPNs were frowned upon because they were considered a security risk. Internet traffic can’t be inspected at a central location when using a split tunnel VPN, potentially leaving endpoints vulnerable.
But defense-in-depth security measures built into Windows, like Microsoft Defender, sandboxing, and Application Control, provide stronger protection on the endpoint than was possible in the past. Split tunnel VPN is the model Microsoft uses for its remote workers. Organizations that decide to send all non-corporate traffic to the Internet directly can still optionally collect user connection information and traffic data. You can read more about Microsoft’s deployment here.
If your organization doesn’t want to adopt a split tunnel VPN for security reasons, then you can opt for a halfway house and configure a forced tunnel VPN with exclusions for trusted Internet resources. Exclusions you define, like Office 365, are added to the routing table to use the device’s Internet-connected interface as the default gateway. All other traffic is routed via the VPN interface.
You can find information about Microsoft’s current endpoints for Office 365 here. Microsoft has announced a temporary moratorium on some planned URL and IP address changes until at least June 30th, 2020. Although Microsoft recommends automating changing Office 365 endpoints to avoid interruptions in service after June 30th.
No VPN is also an option, where corporate apps are accessible on the public Internet. Zero trust is a security framework that dates from 2009. The idea is that you shouldn’t trust anyone. Not even your own employees. Every person accessing your network must be verified. And access control policies limit the access employees have to corporate IT resources. Policies should provide just enough access to complete work-related tasks and nothing more.
Azure Active Directory (Azure AD) is the primary product around which zero trust is based at Microsoft. It has a feature called Application Proxy that lets users access corporate web applications, and apps hosted behind a Remote Desktop Gateway, using a remote client.
For more information on deploying zero trust, see Choosing between Virtual Private Network and Zero Trust Remote Access Solutions on Petri.
Finally, it’s worth mentioning that Microsoft’s Azure VPN gateway can be used to provide access to Azure resources and on-premises resources. An Azure Point-to-Site (P2S) VPN gateway connection creates a secure connection to Azure VNets or on-premises resources from client computers.
Microsoft’s Azure OpenVPN client can authenticate users in Azure Active Directory, saving organizations from deploying complicated public key certificate infrastructures (PKI). OpenVPN also supports multifactor authentication (MFA). For more information on configuring an Azure VPN gateway for remote workers, see Microsoft’s site here.