IT’s Sudden Challenge: Connecting a Distributed Workforce

As businesses around the world adapt to the changing dynamics of the COVID-19 pandemic, the need for social distancing has unleashed an unprecedented shift toward remote and teleworking, creating a mass exodus of employees moving from branch offices to home offices. With thousands of businesses enabling a work-from-home strategy, millions of employees must quickly adapt to communicating and collaborating in entirely new ways to maintain business productivity.

For IT departments this shift is creating an entirely new set of challenges. The primary challenge is connecting a distributed, remote workforce to business-enabling applications and services residing in the data center and the cloud. Some users require access to VoIP systems, virtual desktops, and video conferencing that require fast and highly reliable network connections. A company that had 50 branch offices yesterday must now grapple with the idea that every user, and their home network, is a new branch they have to support, representing an exponential increase in the number of sites overnight.

Over the past few weeks, as this shift has moved from possibility to reality, we’ve had a series of discussions with customers about how to best meet these changing organizational goals. We’ve taken these requirements into account and have compiled a reference architecture that allows for non-SD-WAN and SD-WAN users alike to connect to applications and services remotely. In this blog we’ll dig into this architecture in more depth.

Architecture and Use Cases

We have identified a shared set of requirements that we have accounted for in our design proposal.

  • Remote users need reliable access to on-network applications (Data Center and IaaS)
  • Remote users need secure and direct access to cloud services (SaaS)
  • For some remote users, real-time applications have unique requirements (Voice, Video, VDI)
  • For some remote users, high-throughput applications require additional performance (Software Development, Large Data Applications, Medical Imaging)

Given the need to rapidly deploy, we’ve focused on an architecture that heavily leverages software and cloud computing wherever possible.

[Figure: Silver Peak reference architecture]

Connecting Remote Users

This is arguably the most difficult element of the entire solution. As businesses send employees home, they need to find a way to rapidly connect those users back into the network, and to their applications. Many enterprises can simply leverage client-based software for connections to existing security infrastructure; however, for users who require additional reliability or performance, such as call center technicians, users who upload and download large files, and VDI users who stream their remote desktop, IT departments may prefer to provide additional mechanisms of performance and reliability.

There are two general architectures under the client software approach. The first is to deploy a client-based VPN and a series of geographically distributed concentrators. Cloud providers such as Amazon Web Services and Microsoft Azure offer client-based VPN solutions, and technology vendors such as Check Point Software or Palo Alto Networks offer remote access VPN solutions that may work with existing enterprise infrastructure.

The second option is to leverage cloud-based enforcement nodes and application connectors through cloud-delivered security services like Zscaler ZPA. In both remote connectivity scenarios, the focus is squarely on the security of both the user and the application; however, as noted, there is a subset of users who may need a higher degree of performance and reliability not offered by these approaches.

Users who require a higher-quality connection, are pushing big workloads, or need additional visibility and security can leverage the Unity EdgeConnect™ SD-WAN edge platform at the home office. By deploying EdgeConnect SD-WAN locally, services such as Local Internet Breakout, QoS, Path Conditioning (Packet Loss and Out-of-Order Packet Correction), WAN optimization, segmentation, and a variety of other features can be applied to give users a higher-quality application experience. In addition, IT administrators can easily manage and delegate policy across the entire SD-WAN fabric with a few simple clicks within the Unity Orchestrator™ management GUI. Remote and home users can realize the same, or better, quality of experience than they do working in the branch office.

Configuring Regional Cloud Hubs and Data Centers

There can be performance limitations introduced when forcing many users into distant, overloaded VPNs. Our recommendation is to build out a geographically distributed VPN infrastructure that leverages existing data centers or cloud services (AWS, Azure, Google Cloud, or Oracle Cloud) to connect users to your network as locally as possible. Localizing the user’s connectivity to the network provides them with the absolute best last-mile experience, while connecting them into a high-quality, service-provider-grade network – this also reduces the risk of overloading circuits by forcing everyone into the same location.

Once users are connected into a localized hub, through VPN or SD-WAN, they can leverage the security, reliability, and performance features of a Silver Peak SD-WAN fabric. Here we recommend deploying an EdgeConnect virtual or physical appliance to manage policy and connectivity across the rest of the network. As users try to access resources in data centers or branch offices, cloud-hosted IaaS services, or SaaS-based services such as Office 365, they do so across a highly reliable and secure SD-WAN fabric.

Connectivity is easily established and policy simply delegated here through the use of business intent overlays. Mission-critical applications can be prioritized and protected, routing to SaaS services can easily be optimized, and cloud-delivered security services such as Check Point Software, Palo Alto Networks, and Zscaler can easily be added. SD-WAN provides easy mechanisms for connecting branch users into the network, and it provides an easy mechanism for connecting them globally, without sacrificing performance or reliability.

[Figure: Silver Peak business intent overlays]

While many of these problems aren’t new, businesses normally have more time to prepare for remote users to be incrementally added. Providing the same applications, services, and reliable experience to thousands of users in their home offices in such a short period of time represents a herculean effort. Thankfully the cloud, combined with SD-WAN, provides an easy way to build a WAN that provides reliable access for users anywhere.

If anyone has questions, constructive feedback about the design, or is looking for advice, please feel free to post a comment below and we’ll do our best to respond to your inquiries as quickly as possible.

Copyright © 2020 IDG Communications, Inc.