Shifting to a Secure Work-from-Anywhere WAN Overnight


As companies continue to pivot users from branch offices to home offices, many are tasked with providing a seamless and secure platform for connecting a now fully remote global workforce to applications and services. One company that has successfully made this change is Gerresheimer AG, a leading global manufacturer of specialty glass and plastic products for use in the pharmaceutical and healthcare industries. Gerresheimer is a critical supplier in the fight against COVID-19.

Gerresheimer has long been a Silver Peak® SD-WAN customer, and in 2017 they rearchitected their global WAN to increase performance, provide mission-critical availability, and shift toward a cloud-first strategy. Over time, as the company has grown and its network and applications have evolved, new demands have been placed on the network. Along the way, the company has leveraged its Silver Peak Unity EdgeConnect™ SD-WAN to support its cloud-first initiatives. Most recently, they began to migrate from on-premises perimeter firewalls to cloud-delivered security, introducing Zscaler Internet Access (ZIA) to provide a best-of-breed security solution that’s fully unified with the Silver Peak SD-WAN.  

The next major phase in Gerresheimer’s cloud transformation and user mobility initiative was to introduce Zscaler Private Access (ZPA) as a VPN replacement. While this had been a project that had been under consideration before the COVID-19 pandemic, it was kicked into high gear as the pandemic escalated. Gerresheimer knew that enabling its users to work from home was going to be critical to maintaining business continuity, especially given that they were going to be a critical supplier throughout the crisis.

Greg Taylor, head of global networking at Gerresheimer and a co-contributor on this article, provides his perspective on the company's challenges, design considerations, and architecture.

What challenges did you need to quickly overcome when moving so many users to home offices?

Gerresheimer employs over 10,000 employees at more than 40 locations in 15 countries. When the decision was made that a portion of its operations, sales, finance, and IT workforce would immediately shift to working remotely, we knew we would have a major challenge on our hands. We had to consider some tough questions about our current architecture:

  • Could we scale our current infrastructure to support this new need?
  • Could we provide the same level of security to our enterprise devices while off net?
  • Did we have sufficient bandwidth to support a significant increase in remote workers?
  • Could our small networking team support remote employees, many of whom had never worked from home before?

Our first priority was to regionalize VPN connectivity. Our existing VPN solution had end users connecting back to their local facilities, due to legacy network constraints we had before deploying our SD-WAN. We now knew that having a modernized WAN infrastructure was going to allow us to build out a more regionalized model, without sacrificing performance and still delivering the same quality of experience they had come to expect when connected locally.

Putting this knowledge to work, we identified locations with the strongest connectivity and architected a plan to minimize the number of entry points. In the end, this change made it easier for us to support end users through the pandemic and beyond, as well as shrink our attack surface while also addressing our scalability concerns.

What solution did you put in place of your legacy VPN and why?

Unfortunately, our existing VPN solution had some serious shortcomings. The largest challenge was only being able to provide split tunnel connectivity to our users. Knowing that a large portion of our workforce would now be working outside of our enterprise network, with users no longer behind our protective perimeter security, added concern and complexity we had to account for.

Because of this and issues around VPN complexity, we opted to accelerate the deployment of Zscaler Private Access to our end users. ZPA provided us with a rapidly deployable, simple, scalable, secure, “always on” method of getting our users connected back to the applications and resources they needed to continue working uninterrupted.

How are Silver Peak and Zscaler working together?

The partnership between Silver Peak and Zscaler is very strong in our experience, and we found their technologies to be very complementary. As previously stated, when looking at our legacy VPN, we wanted the ability to architect connectivity regionally into our network for the best performance, and we wanted to leverage our optimized SD-WAN fabric to route traffic once on the network. We actually leveraged many of the design principles found in the Silver Peak Work-from-Anywhere reference architecture.

The real beauty of leveraging the distributed approach was that we were able to deploy ZPA Connectors in a regional hub design throughout our facilities globally. We could then leverage ZPA to route users to the best entry point into our network based on various metrics. Once on our network, the Silver Peak SD-WAN solution takes over the routing of packets over the most optimal paths based on the parameters configured in our business intent overlays with Unity Orchestrator™. Overall, when you put these solutions together it just works with minimal effort, again leading to our ability to rapidly deploy this solution during this global pandemic while future-proofing our network moving forward.

Overall, how has the transition been since making the move?

Speaking frankly, the transition to our Silver Peak + Zscaler hybrid cloud network has been mostly smooth, and an exciting journey. ZIA provides the additional layer of security needed to leverage our Silver Peak devices as our edge. ZPA provides frictionless access to our network for our end users no matter where they are in the world. Put them together on an endpoint with the Z-App and we have a consistent user experience both on and off our enterprise network. The fact is, we were able to convert from a small POC to a full enterprise deployment in a matter of one week, quickly and easily enabling our people to work from home.

So what’s next?

In 2017 when we deployed our SD-WAN, we had a general idea of where it would take us, but the growth of our network and how it has been used year-over-year has been dramatic. We are currently leveraging traditional segmentation methods along with the Silver Peak unified zone-based stateful firewall and now ZIA to provide end-to-end security and segmentation of all application traffic. We have unbelievable visibility into what is going on from endpoint to edge, and it will only continue to get better.

We are still fine-tuning the systems, ultimately working toward a true zero trust network architecture. The goal will be to leverage ZPA both on and off our enterprise network in conjunction with our SD-WAN to provide full ZTNA and micro-segmentation at the application layer, leveraging identity services to drive role-based access. This transformation is a must as the perimeter of the network expands beyond the four walls of our enterprise, and we continue to advance our journey into the cloud. Our mission is to provide a simple, consistent, and borderless end-to-end user experience globally whether our employees are connected via wired, wireless, or remote technologies. The COVID-19 pandemic has provided a unique opportunity to leverage new technologies, giving our enterprise a sneak preview of what this mission means to us today and well into the future.

Like many companies, Gerresheimer has had to rapidly adapt its business processes while still providing products, support, and services to its customers. The combination of a modern WAN infrastructure built on the Unity EdgeConnect SD-WAN platform with best-of-breed security and remote user connectivity from Zscaler has given this forward-thinking enterprise the flexibility to address its immediate needs without impacting user experience, while also future-proofing its network.

Watch this webcast to learn how TrialCard extended its SD-WAN to support 400+ remote workers, going live in under two weeks, all while maintaining business productivity and continuity.

Copyright © 2020 IDG Communications, Inc.