Despite the easing of shelter-in-place ordinances in the United States, it’s looking increasingly likely that employees who can work from home will continue to do so for the foreseeable future. In fact, this may end up being a long-term business strategy for many more months. If this is indeed the case, now may be the right time for network administrators to reevaluate their remote access connectivity architecture. In this article, we'll compare three popular remote access technologies: traditional VPN, VDI, and teleworker gateways. We will point out the benefits of each and the situations where one may be a better fit than the others.
Remote access VPN
If your employees are working from home (WFH) right now, chances are they are using remote access VPN to reach applications and data that reside inside the corporate network. The architecture of a remote access VPN deployment is simple. At the corporate internet edge, a VPN gateway or firewall running VPN software is used as the headend for all remote access clients. A client device then either uses VPN software built into the device operating system (OS) or has third-party VPN software installed. Once that is complete, the WFH employee uses the VPN software to initiate a connection over the internet between the employee’s remote device and the VPN gateway residing at the corporate network edge. The user must then successfully authenticate with the VPN gateway. Once authenticated, the WFH user is permitted access based on the access levels their authentication grants them.
For most businesses, VPN has been acceptable for allowing some employees to work remotely. That said, it’s likely that many VPN gateways weren’t built to support the number of simultaneous users that are now working remotely thanks to the pandemic. Troubleshooting VPN problems is also a challenge for network administrators, as the software and admin tools don’t provide enough visibility into performance- or data security-related problems. Thus, administrators may have been caught off-guard with license overages, bandwidth bottlenecks, and the time-consuming security and administrative overhead that legacy VPN platforms tend to have.
Virtual Desktop Infrastructure (VDI)
VDI is a way to virtualize an employee desktop regardless of whether they’re working inside the corporate network or remotely from the internet. It works by streaming a virtualized desktop computer to any remote device running the VDI software. Thus, you can stream a high-powered desktop to an end user's low-powered PC, tablet, or even smartphone. The remote user interacts with the virtual desktop as if it were running locally.
Note that VDI is far more than a remote access solution. Instead, it’s often used to provide company application, file, and service access in a secure, efficient, and cost-effective manner. Most organizations looking at VDI will first use it as a replacement for legacy PC and laptop deployments that allows users to run and save applications/files using low-cost or aging hardware.
A VDI architecture can include a remote access gateway for users that are working from the internet. The gateway works similarly to a VPN headend in the sense that a remote user uses hardware and a VDI software application to connect and authenticate to the VDI gateway residing at the corporate network edge. Once authenticated, the remote user can start their virtual desktop session as if they were directly connected to the corporate network.
VDI has a couple of advantages over a VPN. First, a VDI session often uses less bandwidth compared to VPN. Thus, more users can access company resources without running into internet bandwidth bottlenecks. Second, VDI is easier to manage compared to VPN. With VPN, separate access-control lists must either be created or imported from other parts of the corporate infrastructure. With VDI, access controls for users are identical, no matter if they connect inside the company network or out. Lastly, VDI is considered more secure compared to VPN – especially when it comes to remote work. Because all data and apps reside inside a virtualized desktop that's running inside corporate-managed data centers or cloud facilities, it’s far less likely that data can get lost or stolen.
That said, VDI is an expensive alternative compared to traditional VPN. To get the most out of a VDI investment, it should be designed to replace desktop computing tasks for the entire organization – not just remote users. Thus, if you’re looking only for solutions to your remote workforce problems, VDI may not fit your budget.
Teleworker gateway
A lesser-known approach for remote access is known as the teleworker gateway. This hardware device is deployed in homes or branch offices to provide a seamless and secure connection back to the corporate network. It’s a nice choice for WFH employees who are working strictly out of a single location.
Teleworker gateways are basically firewalls with built-in site-to-site encrypted tunnel technology. The teleworker gateway device can be easily connected to a home broadband connection using an Ethernet connection. Once done, the remote teleworker gateway will create a static, encrypted tunnel back to the corporate office. That means that no VPN/VDI software or configuration is needed on the remote endpoint device. Additionally, teleworker gateways often provide enterprise-grade LAN and WLAN connectivity for end-user access from both a performance and a security perspective. Lastly, advanced features such as layer 7 firewalling, traffic shaping, and application prioritization can be used to prioritize bandwidth and secure end-to-end connections.
The downside of the teleworker gateway compared to VPN and VDI alternatives is the fact that the gateway is not nearly as portable. If employees work solely out of their homes as they are now, this is not an issue. But as shelter-in-place ordinances begin to lift further -- and employees begin working on the road or in public places such as coffee shops -- teleworker gateways are not the best option.