Corporate VPN huffing and puffing while everyone works from home over COVID-19? You're not alone, admins

With the COVID-19 outbreak pushing many companies to keep workers at home, admins are finding themselves having to deal with a crunch of traffic on VPNs and network appliances suddenly overwhelmed with remote connections. Microsoft on Tuesday issued guidance for admins on how to manage their Office 365 installations with so …

  1. chivo243 Silver badge

    Not just VPN accounts

    We've also been tasked with providing computers (w/ VPN software configured) for users who do not have approved systems at home. Just a little work for some of my colleagues!

    1. Captain Scarlet

      Re: Not just VPN accounts

      Yup, if like us you order direct from a computer maker you also have the added 2 month delay currently due to the Chinese holiday shutdown followed by the virus.

      So cobbling together machines that were deemed too old to be back just in case.

      1. Peter2 Silver badge

        Re: Not just VPN accounts

        Nice to see I'm not the only person doing this.

        In case my laptop stock runs out I'm refurbing the Win7 desktops that were (finally) about to get destroyed as thin clients for a VPN client & Terminal services in case the entire country gets quarantined.

        If it all goes south, Microsoft is going to have a bloody good quarter from all the extra RDS licenses everybody is going to be buying.

        1. sebbb

          Re: Not just VPN accounts

          IF they are going to buy them. "Nah, just reset that grace period"

        2. katrinab Silver badge
          Meh

          Re: Not just VPN accounts

          We switched pretty much entirely to remote desktop about 10 years ago. Save us installing and updating software on loads of local machines. Some banking software with USB card readers needs to run locally, but that’s about it, and only three people need that.

          1. Anonymous Coward

            Re: Not just VPN accounts

            I've recently moved from a complete virtual desktop environment to one where VPNs are standard and remote desktop just for emergency access, meaning when we need to scale up remote working we have a capacity constraint on the virtual desktop farm.

            I am very interested in the Citrix Workplace site aggregation feature but I am finding it difficult to get a look at in trial mode and it doesn't seem set up for a true PAYG model, Citrix are looking for 500+ users and annual licensing (billed monthly but still min 12 month). I think if you could set up the capability for a handful of users and flex up and down, companies like mine would be biting their hand off.

    2. Lee D Silver badge

      Re: Not just VPN accounts

      Isn't that what Terminal Services was made for?

      Then they can literally run their stuff on anything, and the internal corporate network is still secure from whatever junk they've bought/used/borrowed.

    3. Danny 14

      Re: Not just VPN accounts

      yeah, we spooled up an SSTP RRAS for people without proper VPN.

  2. MadAsHell

    Split-tunnelling? Security madness, surely?

    Is enabling split tunnelling really such a good idea? Doesn't that make each user's remote laptop capable of being a router from nasty Internet to clean Corporate network?

    1. John Robson Silver badge

      Re: Split-tunnelling? Security madness, surely?

      Not too bad if done correctly - if you only trust the MS endpoints *AND* only allow secure connections *to* them....

      1. Anonymous Coward

        Re: Split-tunnelling? Security madness, surely?

        "Not too bad if done correctly - if you only trust the MS endpoints *AND* only allow secure connections *to* them...."

        And that list Microsoft gave, yep it's to Microsoft........Azure. Millions of IP addresses. So not just stuff put up by Microsoft.

    2. Anonymous Coward
      Mushroom

      Re: Split-tunnelling? Security madness, surely?

      If they have a functioning IPv6 connection, you may find they've been split tunnel for some time!

    3. Lee D Silver badge

      Re: Split-tunnelling? Security madness, surely?

      What if you're a school or a secure area who, say, requires their web filter to log and filter all inappropriate accesses?

      1. sebbb

        Re: Split-tunnelling? Security madness, surely?

        If you refer to teachers, well it's their home and they're adults. If you refer to children, well it's their home and the parents should be responsible and know how to deal with their children. Ah wait...

    4. yoganmahew

      Re: Split-tunnelling? Security madness, surely?

      Never mind the security, feel the process. Six months at my place for the promised split tunnelling to relieve the already creaky VPN.

      Re: security - almost certainly your VPN already whitelists all those MS addresses to make o365 and OverDose work, so all you're saving is a round trip through your infrastructure...
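The two checks raised in this sub-thread (does anything other than the approved endpoints leave outside the tunnel, and is IPv6 bypassing an IPv4-only VPN), as an added example that is not part of the original comments. The interface names, the routing-table text and the allow-list are constructed using documentation address ranges; real input would come from `ip route` and `ip -6 route` on the client.

```python
import ipaddress

# Constructed sample in the style of `ip route` / `ip -6 route` output:
# IPv4 default goes into the VPN (tun0), two prefixes are split out to the
# home router, and native IPv6 on wlan0 never enters the tunnel at all.
ROUTES_V4 = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link
192.168.1.0/24 dev wlan0 proto kernel scope link
198.51.100.0/24 via 192.168.1.1 dev wlan0
203.0.113.0/24 via 192.168.1.1 dev wlan0
"""
ROUTES_V6 = """\
default via fe80::1 dev wlan0 proto ra metric 600
2001:db8:1::/64 dev wlan0 proto ra
fe80::/64 dev wlan0 proto kernel
"""
# Constructed allow-list: the only prefixes approved to bypass the tunnel.
ALLOWED_BYPASS = ["198.51.100.0/24"]


def parse_routes(text, version):
    """Return (network, gateway_or_None, device) for each usable route line."""
    default = "0.0.0.0/0" if version == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # entries without an output device are not forwarding paths
        dest = default if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. lines starting with "unreachable"
        gateway = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, gateway, fields[fields.index("dev") + 1]))
    return routes


def audit(routes_v4, routes_v6, tunnel_dev, allowed_bypass):
    """Classify every gatewayed route that leaves outside the tunnel."""
    allowed = [ipaddress.ip_network(p) for p in allowed_bypass]
    report = {"leaks": [], "allowed": [], "bypass_addresses": 0}
    for version, text in ((4, routes_v4), (6, routes_v6)):
        for net, gateway, device in parse_routes(text, version):
            if device == tunnel_dev or gateway is None:
                continue  # inside the tunnel, or on-link (local segment only)
            listed = any(net.version == a.version and net.subnet_of(a)
                         for a in allowed)
            if listed:
                report["allowed"].append(str(net))
                # How much address space is reachable outside the tunnel.
                report["bypass_addresses"] += net.num_addresses
            elif net.prefixlen == 0:
                report["leaks"].append(
                    f"IPv{version} default route leaves via {device}")
            else:
                report["leaks"].append(
                    f"{net} leaves via {device}, not on allow-list")
    return report


if __name__ == "__main__":
    result = audit(ROUTES_V4, ROUTES_V6, "tun0", ALLOWED_BYPASS)
    for key, value in result.items():
        print(key, value)
```

The `bypass_addresses` figure is the number to watch when the allow-list is a cloud provider's published ranges: it counts every address the client can reach without passing the corporate gateway, whoever operates it.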

  3. Roger Kynaston

    Uptick in remote S/W sales

    I should imagine the likes of Cisco and others are mobilising sales teams if they are that forward looking. Will this establish a trend for much more remote working?

    1. rmason

      Re: Uptick in remote S/W sales

      Almost all of them are offering temporary free licences, yes.

      Cisco Webex, MS teams etc etc

      1. Richard 12 Silver badge

        Re: Uptick in remote S/W sales

        Webex has been unable to cope all day.

        Clearly Cisco didn't manage to work out the "scale" thing, either.

        1. Anonymous Coward

          Re: Uptick in remote S/W sales

          Ironically Cisco are one of the few customers we have trouble using Webex with...

    2. Dal90

      Re: Uptick in remote S/W sales

      It might be a tipping point.

      Starting this week business groups at my employer are having some of their workers begin to WFH for more than a day at a time; I think this is to work out any sort of kinks like "Ok, I can work at home, but when I'm in the office tomorrow this paperwork needs to get signed by X and then delivered to Y who'll fax it to Z" stuff still around.

      My 2000 person relatively IT independent division of a multi-national can and has had all the office / tech staff WFH for a day due to snowstorms (only a skeleton maintenance / security / old iron operations crew on site at HQ).

      After a trial test telling most of the business to WFH one day, and actual "campus is closed except for skeleton staff" snow days since then, followed by adopting WFH policies allowing ~1 day a week for many folks.

      What we had for WFH already made executives comfortable enough to close a 100 person call center in another section of the country and pull that work back to the home office knowing we wouldn't be shut down by bad weather.

      1. fredesmite

        Re: Uptick in remote S/W sales

        I will never be baby sat in a cube farm at a daycare again.

        You are living in a 1980 work environment.

        1. bigphil9009

          Re: Uptick in remote S/W sales

          You said that already...

    3. Danny 14

      Re: Uptick in remote S/W sales

      yup. I demonstrated a very simple Zoom session to our board management with a Logitech boardroom camera/microphone. It was like Moses parting the water.

      Yes, just like the demonstration I showed the management one level below you and was rebuked years ago.

  4. Flak

    100% cloud

    Went through the process of setting up a new business and decided from day one that the office would be a meeting place - not a place where data or applications are hosted.

    This means that as long as each user takes their laptop and power cable, it makes no difference from where they work.

    In fact, prior to our Internet connection being installed, we tethered our laptops to individual mobile phones while sitting in the office. Slow, but still usable.

    Collaboration tools allow screen and document sharing, voice and video calls, etc.

    I know that it is nowhere near as easy for companies that have to deal with on-prem legacy applications, desktop computers, etc.

    1. Vulture@C64

      Re: 100% cloud

      We did exactly the same thing. The office offers nothing in the way of IT other than a decent wifi system and leased line and firewall for Internet access. They do the same in the office that they do at home - no difference.

      Everybody has laptops with Cisco VPN and Duo 2fa accounts. Everything is locked away in a data centre. We use a cloud based phone system too.

      1. P. Lee

        Re: 100% cloud

        Have you read the Duo Terms of Service?

        Not the one on their website, the one on their iphone app.

        Scroll down to "Log Data"

        Now, if the company is supplying your phone, that's one thing, but that app isn't going anywhere near my own kit.

    2. Anonymous Coward

      Re: 100% cloud

      Depends on what you use a computer for. My workstation and its four monitors, powerful GPUs and a lot of needed local storage are difficult to move around. Plus the data are too sensitive and proprietary to be stored in any cloud outside the company datacenter (which is accessible through a VPN, of course, when needed).

      I can work remotely with a laptop, but my productivity is hampered by the limited resources.

      1. Anonymous Coward

        Re: 100% cloud

        Ask for a workstation class laptop, get a decent TB 3 dock, and you can have as many work locations as you can afford. Our "engineer" grade laptops are Dell Precision <something or other>, 64 GB RAM, i9 processor, nvidia quadro for CUDA, one cable in the dock and I've got 4 screens beaming back at me.

        I'll admit local storage is a bit tricky if you're in one of those industries that needs TB/PB of data to be available.

        1. Anonymous Coward

          Re: 100% cloud

          No "workstation" class desktop can be cooled as a tower workstation. Nor you can plug as much RAM into it easily. Nor you can have more than one graphic card (but the integrated one). Local disks on NVMe connections are still faster than external disks. There is also the issue of the 10Gb/s connection to the servers in the local datacenter (just below my office).

          Nor my company is going to buy me four monitors for home, nor I wish to carry them back and forth from the office.

          Those laptops are fine when you need power outside the office but are not a full replacement of a full workstation. As said, I can work outside, the office, with less resources available. For a while, to avoid putting my and others' lives at risk is fine.

          I know my needs are not average, just pointing out some people have needs that cannot be easily fulfilled everywhere.

          1. Michael Wojcik Silver badge

            Re: 100% cloud

            Agreed. I've worked exclusively from laptops for about 15 years now, but I recognize that even other people in my organization who do similar jobs will have different preferences and needs. It makes sense to give workers the tools that work best for them, not try to find one solution to fit all.

          2. NeilPost Silver badge

            Re: 100% cloud

            You could always invest in a Work from Home setup of your own ?? Try and Claim it back on your Self-assessment or find it my with some WFH days from your fuel.

            2 decent Samsung 27” 1080p screens and a monitor bracket will rush you only about £300. Rob a keyboard/mouse/laptop riser/printer etc from work.

          3. Joe Montana

            Re: 100% cloud

            Many companies won't provide such a setup for use in the office, let alone at home... People are made to make do with whatever they have available even if it's grossly sub optimal.

            Many of us actually have much better setups at home for our own personal use.

    3. Anonymous Coward

      Re: 100% cloud

      Clouds can present difficulties in respect of data protection and sensitive material e.g. classified and/or commercially sensitive information. This might be more of a consideration for organisations that could be or have been the target of spying by US and other foreign government agencies.

      1. Anonymous Coward Silver badge
        Big Brother

        Re: 100% cloud

        foreign??

        It's not like companies and individuals have never been spied on by their own government.

    4. a_yank_lurker

      Re: 100% cloud

      My group and most of the company is now home based for the duration. We all had laptops issued with VPN software preinstalled and configured. And many of us were mostly WFH or already home based as it was so switching over is not as major a headache. Still will need enough bandwidth. And are not an IT company.

      I suspect this might accelerate moving workers out of the office more once everyone adjusts. And being able to do this for a large number of workers is something that will help as you lessen the need for people to be together in large groups.

    5. NeilPost Silver badge

      Re: 100% cloud

      @ around £10-15 a month/user (to business) for All-You-Can Eat Calls, Texts & Data it so a great investment in a truly mobile workforce.

    6. Joe Montana

      Re: 100% cloud

      We did the same, but it actually worked much better when everyone worked from home... The office connection was terribly slow and most people's residential connections were much faster on their own let alone shared with 20 others.

  5. LeahroyNake

    Home working

    I wish... while I mostly work remotely / on the road visiting customer sites to fix hardware. The boss really likes people in the office. The sooner the government put in place a recommendation for all workers to work from home where possible the better.

    As it is now I have recommended to our engineers that they wear a fresh pair of surgical gloves (part of normal car stock anyway) to each site before they even touch the door handle, clean each machine on arrival and consider their tools etc as contaminated. Clean their vehicle and tools at the end of each day and dispose of the gloves. It's a pain in the arse but better than potentially spreading infections to hundreds of sites.

  6. Anonymous Coward

    Hmmm ... surely the very first hurdle is the Home->Office connection ?

    I wonder how many ISPs' broadband is actually up to the task ? I know that my last employer's VPN functionality was not supported for connections under 5MB/s (no, I don't know why). Which was a barrier to some homeworking (and not accidentally, I suspect).

    The unforeseen consequences of COVID are going to rumble for a while yet, and one of the first issues is all those ISP lies about their "up to" speeds.

    For myself, full-fat VM fibre to my door is still delivering around 100 MB/s.

    1. Anonymous Coward

      Re: For myself, full-fat VM fibre to my door is still delivering around 100 MB/s.

      And I'm looking forward to attempts at four simultaneous skype conversations on my house's 4Mb/s, preferably whilst everyone else in the street is trying the same (or maybe just some iplayer/netflix-alike service) ... :-)

      1. veti Silver badge

        Re: For myself, full-fat VM fibre to my door is still delivering around 100 MB/s.

        4 Mb/s is plenty for four simultaneous Skype conversations, unless you insist on high-definition. For regular video calling you can get by with 128 kb/s. If you're prepared to slum it with voice only (remember that?), obviously that's even lower.

        1. Michael Wojcik Silver badge

          Re: For myself, full-fat VM fibre to my door is still delivering around 100 MB/s.

          Indeed, it's a fine excuse to turn the video off.

    2. coderguy

      Re: Hmmm ... surely the very first hurdle is the Home->Office connection ?

      Nothing to do with the idiocy that is VPN solutions that only work on Windows, or need a Java Applet to work. FFS

    3. Jellied Eel Silver badge

      Re: Hmmm ... surely the very first hurdle is the Home->Office connection ?

      I wonder how many ISPs' broadband is actually up to the task ? I know that my last employer's VPN functionality was not supported for connections under 5MB/s (no, I don't know why).

      Probably a combination of factors. VPN traffic can be high overhead and delay sensitive, so with no QoS, and a low speed connection end up being unreliable. T'other gotcha could be the routers typically used on consumer connections having limited capacity to run the number of sessions used, especially in a split tunnel config. So attempting to support 100+ sessions, NAT and firewalling stresses those boxes and packets or sessions get dropped. I had that at one ISP I did some work for where the <$10 Zyxel box was fine for most home users, but barfed at VPN traffic.

  7. Calum Morrison

    Teams!

    Teams is the answer according to Microsoft. Teams is always the answer according to Microsoft these days, even if the question is name a messaging app that rhymes with quack. Look, it's Teams, OK - just use Teams. Someone, please use Teams damnit. TEAAMS!!

    1. Dr_N

      Re: Teams!

      >even if the question is name a messaging app that rhymes with quack.

      Cack. (The nickname for Teams.)

      1. J. Cook Silver badge

        Re: Teams!

        Based on what I've heard about it as far as managing it, I'll agree.

    2. FozzyBear
      IT Angle

      Re: Teams!

      Teams is the answer according to Microsoft.

      Only if the question is

      What has been forced onto every company laptop and is such a resource hog at startup, configured so badly, that you can turn the laptop on. Go downstairs, grab a coffee, have a chat with workmates, go to the toilet. Have another chat and then slowly wander back to your laptop to be in time to cancel the load error message and finally start your day?

      1. Anonymous Coward

        Re: Teams!

        And then the machine decides that there has been no activity from the keyboard for x minutes and goes to sleep! Rinse & repeat..

        WFH is otherwise OK unless you need the test equipment / temperature chambers / specialised tools etc that can only be found at work. But at least I can "attend" the ongoing meetings that plan what we're not going to do to meet a schedule we're not going to meet and try to analyse why work is not getting done..

  8. fredesmite

    I will never be

    baby sat in a cube farm at a daycare again.

    I haven't worked in a building for 10 years. This is absolutely no reason for the majority of technical personnel to be present in an office.

  9. Anonymous Coward
    Thumb Down

    We have to use Microsoft Teams.

    And it’s utter shit.

    I just wanted to get that off my (virus-free) chest.

    1. AndrueC Silver badge
      Facepalm

      Re: We have to use Microsoft Teams.

      Yup. A lousy UI and - in my case at least - no-one listed in recent contacts or favourites. How odd, given that we've been using it for over a year now.

      And you have to question a client/server application which, when it needs you to log back in, has to first restart itself.

    2. PrcStinator

      Re: We have to use Microsoft Teams.

      How so?

      I find it way more solid (to deploy and use) and infinitely less annoying and cluttered than Slack (which decides by itself your working hours) and sure enough miles better than SfB - also very consistent across desktop and mobile platforms.

      Only annoying bit about Teams right now is it decides that right-click -> exit means the application crashed and automatically restarts which is mental.

      1. Anonymous Coward

        Re: We have to use Microsoft Teams.

        "How so?" - sadly, there aren't enough free bytes on the internet to contain my reply.

  10. Danny 5

    hmmm

    I already work from home a lot, perhaps I should consider going to the office more. It's going to be nigh on deserted anyway, I run as much risk to get infected there as I do here at home. That's besides the fact that I think the widespread panic is bollocks, but that's another discussion.

    Have a short meeting planned for tomorrow, wonder if there'll be anyone else working there. Friday is already a notoriously quiet day in the office, wouldn't be surprised if it's just the receptionists and me.

    Oh and the cleaning staff of course, they're not going to be allowed to skip even a single day.

  11. VibhorTyagi

    Work From Home Engineer, AI Expert

    This recent development in my dept has seen a vast array of utility tools adjunct with my WFH profile. We engineer AI, and as such, have no qualms about working from home (I would rather prefer it). The thing is that my company has additionally moved on to MSTeams due to this, which has basically changed how we work completely. I'm shocked that it's not just us AI engineers who are doing this, but a large number of folks as well.

    ~Engineer.AI

  12. Anonymous Coward

    Spin up some AWS Workspaces.

  13. Anonymous Coward

    Hopefully the end of corporate VPNs

    See title.

    VPNs might have had some security benefit 10 years ago but they are next to pointless now.

    1. hayzoos

      Re: Hopefully the end of corporate VPNs

      VPNs, pointless, please explain.

      1. Anonymous Coward

        Re: Hopefully the end of corporate VPNs

        >please explain.

        As soon as you open a browser you have bi-directional tunnels in and out of your VPN from every machine connected to the VPN. If anything a machine with a VPN into where your juicy data is exactly what an attacker wants.

        1. hayzoos

          Re: Hopefully the end of corporate VPNs

          I don't see what a browser has to do with it.

          I still have to guess at exactly what you are describing, but it sounds to me like more of a VPN client misconfiguration. It also may be referring to using an unmanaged machine as a VPN client. In both instances, the point of the corporate VPN IS negated.

          A proper corporate VPN will only allow connections from corporate managed VPN clients. Those clients will have the same or likely better hardening as the internal corporate network clients. They will require additional protections on the initial Internet connection during VPN tunnel establishment. No traffic outside the VPN is permitted, save authentication/consent to the AP/gateway. This traffic denial is bi-directional. A corporate VPN implementation has to include the very same level of perimeter protection on the VPN clients as the corporate network gateway. Anything less will not do.

          1. Anonymous Coward

            Re: Hopefully the end of corporate VPNs

            As soon as you have something that can connect to something over HTTPS (or anything else over TLS) you have lost as literally anything can tunnel in and out. Browsers are doing this every day with stuff like websockets. Too many people have bought the nonsense they have been sold by Cisco reps. VPNs aren't part of your chain of trust.

            1. hayzoos

              Re: Hopefully the end of corporate VPNs

              You would have the same issue from the browser on a machine on the network, that is not a VPN issue.

              1. Anonymous Coward

                Re: Hopefully the end of corporate VPNs

                Yes. But instead of having one machine in the ether connecting to stuff that's most likely hosted on AWS you now have one machine in the ether connecting into your network that's otherwise not remotely accessible connecting to stuff hosted on AWS... and now that stuff hosted on AWS has an easier route into whatever super secret gene mutation tech you have hidden behind your VPN.

                TL;DR; VPNs are from a bygone age where a lot of application protocols were plain text. They provide tunneling and encryption not trust. Now that basically everything uses TLS you aren't adding anything by forcing your users to use OWA or gmail via a VPN and you're exposing your internal network to whatever 0-days exist in their browser, home router etc.

                1. hayzoos

                  Re: Hopefully the end of corporate VPNs

                  You seem to be mixing the commercial consumer level and corporate VPN implementations. A corporate VPN is self-hosted (unless the datacenter went all cloudy). The VPN server is in the datacenter's DMZ so that external clients can connect over a trusted connection using known configuration and encryption to the internal network. Those clients should not be any old client, but corporate issued clients or at least corporate vetted clients. Many corporate VPN client software solutions have a means of vetting the machine and many also can isolate the connection so there is no cross connection to the Internet at large while VPN connected. This many times includes verifying current patch levels of browsers. A proper VPN would be immune to the vast majority of router vulnerabilities. Many also include their own hardened browser. Any Internet access while on the VPN is routed through corporate firewalling and data exfiltration controls.

                  Commercially available consumer VPN implementations are the sort to be found AWS hosted. Even those not AWS hosted are on unproven level of security hosts. These are not what a large business should be relying upon.

                  I personally roll my own VPN. I chose the cloud host to install the dedicated VPN server upon. It cost me less in service fees than a commercially available consumer VPN. It cost me more in my time to setup and maintain, but I benefit greatly in being able to oversee the setup and maintenance and know that I have implemented the available security patches. I also benefit from not being blocked in the latest craze of webhosts' security theatre of blocking VPN. So, realistically my VPN cost is higher, but I get a better product. I could choose to pay colocation for a dedicated host, but you are still at the mercy of the colo landlords' lack of diligence. I researched my cloud host provider and trust them better than most colo providers at a lower cost.

  14. Anonymous Coward

    Working for a major UK IT company you would think we have it all figured out, right? Well, yes and no.

    Yes - we have the tools to enable wfh

    No - management are stuck in the 1980’s and think if they can't see you then you can’t be working....ffs

    I’ve always been more productive working from home and with all the ‘tools’ I can communicate, collaborate and interact all day long if needs be.

    The reality is that I’m not allowed and whilst I’d love to be able to walk away and do something somewhere else......that won’t be happening for a while.

    I guess it’s time to suck it up and look forward to the lottery that is Covid-19 infection.

  15. Sean o' bhaile na gleann

    Personally I'm a huge fan of working from home, but - just like many others have mentioned - there appears to be an innate lack of trust on this front between manglement and underlings.

    The excuses I've heard that come most readily to mind:

    1. "We pay a lot of dosh for this office space - it has to be used!"

    2. "Emergency maintenance". Give your keyboard a can of coke to drink at work, and a replacement can normally be provided tout suit. Pull the same trick at home and you'll probably be off-line for a few hours at best.

    3. Insurance. Trip and twist your ankle at the office and elf&safety decrees that the company has to DO something. Damage yourself while working from home and... who pays?

  16. jafer

    That actually happened to me, too, before changing my VPN provider.
