Autodesk's best practices for optimizing your VPN

Autodesk Support

Apr 4, 2020


As the COVID-19 situation evolves, more and more companies are making the decision to support their employees in working from home. An increase in remote workers means there is greater demand for virtual private network (VPN) access. In addition to continuously monitoring employee VPN usage and adjusting the number of licenses and locations as needed, Autodesk took additional steps to ensure employees had good connectivity.

Below are Autodesk’s strategic and operational best practices for VPN deployment to support an optimal network experience for employees working from home.


VPN strategy and implementation

Locate your VPN gateways strategically

  • Place VPN gateways in the regions that are closest to your company’s workforce to reduce network latency.

Keep WAN circuit utilization at healthy levels

  • Do not run circuits at more than 70–75% utilization at any time. If you are able to maintain this level of usage outside of a major crisis, the 25–30% of unused bandwidth will support the increased demand until new upgrades can be purchased.
  • Prevent overwhelming single circuits by providing proper load-balancing configurations for sites with dual or multiple circuits. A single circuit overload will cause slowness for users on that circuit/path.
  • Avoid using latency-based load-balancing algorithms. These algorithms will sometimes redirect users to the farthest available gateway, as latency may be temporarily lower when the connection is requested. Instead, you should leverage geo-based load-balancing algorithms, which provide a more consistent service.
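
The difference between the two load-balancing approaches in the last bullet can be seen on a small data set. This is an added example, not Autodesk's code or any vendor's algorithm; the gateway names, coordinates, user location and latency probes are all constructed for illustration.

```python
import math
from statistics import median

# Constructed gateway sites (latitude, longitude); names are hypothetical.
GATEWAYS = {"us-west": (37.77, -122.42), "us-east": (40.71, -74.01),
            "eu-west": (53.35, -6.26)}
USER = (45.52, -122.68)  # constructed user location (Portland, Oregon)

# Constructed round-trip probes in ms, one dict per connection request.
# Request 3 catches a spike on the nearest gateway; request 5 catches
# congestion on both US paths, so the farthest gateway looks best.
PROBES = [
    {"us-west": 18, "us-east": 74, "eu-west": 148},
    {"us-west": 21, "us-east": 71, "eu-west": 151},
    {"us-west": 95, "us-east": 73, "eu-west": 149},
    {"us-west": 19, "us-east": 76, "eu-west": 150},
    {"us-west": 160, "us-east": 158, "eu-west": 152},
]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def pick_by_geo(user):
    """Geo-based: nearest gateway, independent of momentary latency."""
    return min(GATEWAYS, key=lambda g: haversine_km(user, GATEWAYS[g]))

def pick_by_latency(probe):
    """Latency-based: lowest RTT at the instant of the request."""
    return min(probe, key=probe.get)

def compare(user, probes):
    """Per request: (latency pick, geo pick, extra typical ms if they differ)."""
    typical = {g: median(p[g] for p in probes) for g in GATEWAYS}
    geo = pick_by_geo(user)
    return [(pick_by_latency(p), geo, typical[pick_by_latency(p)] - typical[geo])
            for p in probes]

if __name__ == "__main__":
    for n, (lat_pick, geo_pick, extra) in enumerate(compare(USER, PROBES), 1):
        print(f"request {n}: latency={lat_pick:8} geo={geo_pick:8} +{extra} ms")
```

The session stays on whichever gateway was picked at connect time, so the extra milliseconds in the last column persist after the momentary spike that caused the pick has passed.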

Use a major internet service provider (ISP) when possible

  • Try to avoid purchasing bandwidth from small ISPs. They will likely have limited spare capacity and may negotiate separate deals with larger providers to increase their capacity, which will take extra time and can add expenses. This can also result in long-term agreements for excess capacity that you will not need. Plus, major ISPs will have spare capacity and better international routing, which provides dependable connectivity to global resources.

Manage your VPN licenses effectively

  • Manage your VPN licenses via licensing servers so that unused licenses can be redeployed dynamically within other regions for added capacity. This prevents licenses from being limited to a single site or device.

Strategically select your VPN vendor

  • Choose a VPN vendor based on your company’s technology roadmap. To support a cloud-first strategy, there are several cloud-based VPN providers currently in the market. Find the right balance between performance, strategy, and security.



Ongoing VPN operations

Provide clear communications to users

  • Clearly communicate which applications require VPN and encourage users to disconnect from VPN sessions when they are not needed. This saves licenses and prevents pure internet-based traffic from hitting the organization’s limited VPN infrastructure.
  • Provide easy access to information and guidance on what to expect during this period.

Perform regular maintenance

  • Initiate periodic firmware upgrades and reboot infrastructure equipment to provide better connection stability. Reboot your VPN servers as soon as a business continuity plan has been activated to remove any memory leaks and reset sessions for a fresh start.

Adjust VPN timeouts

  • Reduce VPN idle-session timeouts so users are not consuming VPN sessions unnecessarily.

Monitor VPN usage and performance

  • Set up a consolidated monitoring and alert dashboard so all resources related to the VPN service are quickly visible and actionable.
  • Identify the users who are most heavily using VPN bandwidth and coordinate with them to postpone large transfers until after business hours, so they don’t impact the VPN performance for other users.
  • Group users in profiles to monitor and influence VPN traffic based on those profiles.
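
One way to find the heavy users and per-profile totals described above, as an added example that is not Autodesk's tooling. The record layout, user and profile names, the 09:00–16:59 business-hours window and the 25% share threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed VPN accounting records (bytes per interval); the field names
# are hypothetical and do not match any particular vendor's export.
SAMPLE = """\
interval_start,user,profile,bytes
2020-04-01T09:00,alice,engineering,1200000000
2020-04-01T10:00,bob,sales,150000000
2020-04-01T10:00,carol,engineering,400000000
2020-04-01T11:00,alice,engineering,2600000000
2020-04-01T14:00,dave,finance,250000000
2020-04-01T15:00,bob,sales,200000000
2020-04-01T20:00,carol,engineering,5000000000
2020-04-01T21:00,dave,finance,90000000
"""

BUSINESS_HOURS = range(9, 17)  # assumed window: 09:00-16:59 local time
SHARE_THRESHOLD = 0.25         # assumed: flag users above 25% of daytime bytes

def load(text):
    """Parse the CSV text into (timestamp, user, profile, bytes) tuples."""
    return [(datetime.fromisoformat(r["interval_start"]), r["user"],
             r["profile"], int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))]

def daytime_usage(rows):
    """Sum bytes per user and per profile, business hours only."""
    by_user, by_profile = Counter(), Counter()
    for ts, user, profile, nbytes in rows:
        if ts.hour in BUSINESS_HOURS:
            by_user[user] += nbytes
            by_profile[profile] += nbytes
    return by_user, by_profile

def heavy_users(rows, threshold=SHARE_THRESHOLD):
    """Users whose share of business-hours traffic exceeds the threshold."""
    by_user, _ = daytime_usage(rows)
    total = sum(by_user.values())
    return [(u, round(b / total, 3)) for u, b in by_user.most_common()
            if b / total > threshold]

if __name__ == "__main__":
    rows = load(SAMPLE)
    print("heavy users:", heavy_users(rows))
    print("by profile:", dict(daytime_usage(rows)[1]))
```

In the sample, carol's 5 GB transfer at 20:00 is the largest single record but is not flagged, because it already happens after business hours.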

Enable split tunneling

  • Check with your security team to see if split tunneling can be enabled completely, or on more domains, to reduce internet-based traffic on the VPN infrastructure.

Check VPN modes

  • Check your VPN server connection modes and work with your security team to determine how much performance can be improved without compromising security.

Effectively troubleshoot issues

  • Use simple GUI-based tools, such as WinMTR, to help troubleshoot issues. These types of tools run in the background and combine traditional command-line-based troubleshooting tools like "ping" and "traceroute" to gather statistics. The data is easily understandable and indicates issues starting from the immediate next hop from the user’s home machine.

Manage capacity for IP addresses

  • Ensure that DHCP scopes are able to handle at least 90–95% of users for the region the SSL VPN server covers.

Create efficient communication channels for users

  • Use tools like Slack and Microsoft Teams so users can easily log issues and engineers can quickly follow up. This provides clarity and transparency for users and prevents delays in addressing issues.
