Project Overview
The customer embarked on a critical project to upgrade its legacy VPN infrastructure, which was based on on-premises SSL VPN gateways. The existing setup pinned users to specific gateways, often not geographically close, so connectivity was suboptimal and internet traffic broke out at the distant gateway rather than locally, sometimes producing language and regional content mismatches. Additionally, the old system did not adequately support compliance and security controls across the diverse environments from which employees worked.
The project’s primary objective was to implement an Always-On VPN solution for employees worldwide, providing a seamless and reliable connection regardless of location—whether in the office, at home, or while traveling. This approach aimed to enhance security, visibility, and user experience by ensuring continuous compliance and posture checks on all traffic, independent of the client’s location.
The scope of the project included significant improvements in network connectivity, visibility, and security. A single managed platform was introduced to consolidate user-to-site VPN, site-to-site IPsec connections, and security policy. Key security enhancements included posture checks, such as verifying domain membership and the status of the endpoint detection and response (EDR) agent.
The modernization efforts resulted in several benefits for end users. Connectivity was significantly improved by a global cloud-based topology that lets users connect to the nearest gateway. The adoption of Secure Access Service Edge (SASE) features such as threat prevention and application-layer inspection strengthened security, while a centralized platform streamlined regulatory compliance across the organization.
The project involved collaboration among multiple teams: the IT team focused on network connectivity, the Security team on policy and compliance, the System team on endpoint management and system integration, and the Help Desk provided support to end users, addressing issues and ensuring a smooth transition.
Challenges
- Geographical Limitations:
- Challenge: The existing VPN setup required users to connect to specific, often geographically distant, on-premises gateways. This resulted in suboptimal connection speeds, higher latency, and inconsistent user experiences, especially for remote and traveling employees.
- Solution: The transition to a SASE framework, with a global cloud-based topology, enabled users to connect to the nearest gateway, thereby reducing latency and improving connection speeds. This approach ensured a consistent and reliable experience regardless of the user’s location.
- Security and Compliance:
- Challenge: The legacy VPN system lacked adequate security controls, failing to perform real-time posture and compliance checks, which allowed non-compliant devices to access the network. Additionally, the company needed to enforce a Zero Trust Network Access (ZTNA) model, ensuring devices were authenticated via machine certificates and users were authenticated using user certificates, SAML, and two-factor authentication (2FA).
- Solution: The implementation of comprehensive posture and compliance checks, including domain membership verification and EDR software status checks, provided a uniform security posture. These checks were enforced regardless of whether users were in the office, at home, or traveling, ensuring compliance and reducing security risks. To further address security gaps, the company integrated machine certificates for device authentication and SAML for user authentication, with two-factor authentication (2FA) providing an additional layer of security. This multi-layered approach ensured that only compliant devices and authenticated users could access the network, fully aligning with the company’s Zero Trust Network Access (ZTNA) standards.
- Complexity in Management:
- Challenge: Managing multiple, disparate security and connectivity solutions was complex and time-consuming. The lack of centralized control made it difficult to apply consistent policies and monitor network traffic effectively.
- Solution: The consolidation of VPN, IPsec, and security policy management into a single managed platform simplified administration. This unified approach provided centralized control, streamlined policy enforcement, and improved network visibility, making day-to-day management easier and shortening the response time to potential issues.
- User Experience:
- Challenge: Users experienced high latency and inconsistent performance due to the physical distance to company data centers and "last mile" issues: the stretch of public internet between the employee's location and the point where traffic enters a managed network, which in the legacy design extended all the way to the company's data center. Additionally, all internet traffic was routed through specific customer data centers, adding delay and limiting access to regional resources, which hurt productivity and user experience.
- Solution: By terminating the tunnel at the nearest SASE gateway, the solution shortened the "last mile" over the public internet to the minimum possible distance, reducing latency and improving connectivity. Internet traffic then broke out at that nearby gateway, so users received content and service quality consistent with their actual region.
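The posture conditions described under Security and Compliance (domain membership, a running EDR agent, and a machine certificate for device authentication) are the kind of thing the System team and Help Desk want to verify on an endpoint before it is enrolled in an Always-On VPN. The following PowerShell script is an added example, not code from the case study or from any vendor's client: it checks those three conditions on a Windows endpoint and fails closed. The EDR service name (`Sense`, the Microsoft Defender for Endpoint sensor) and the issuing CA name (`Corp Issuing CA`) are assumptions and should be replaced with the values used in your environment.

```powershell
# Added example (not from the case study): pre-flight posture check for a Windows
# endpoint. It mirrors the three conditions the project enforces at the gateway:
# domain membership, EDR agent running, and a usable machine certificate.
# ASSUMPTIONS: the EDR service name and the issuing CA name below are placeholders.
param(
    [string]$EdrServiceName = 'Sense',            # assumption: Defender for Endpoint sensor service
    [string]$MachineCaName  = 'Corp Issuing CA'   # assumption: CN of the internal issuing CA
)

$results = [ordered]@{}

# 1. Domain membership. Win32_ComputerSystem exposes PartOfDomain and Domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain
$results['Domain']       = $cs.Domain

# 2. EDR status. The agent service must exist AND be running. A missing service
#    is a failure, not "unknown": posture checks must fail closed.
$edr = Get-Service -Name $EdrServiceName -ErrorAction SilentlyContinue
$results['EdrRunning'] = ($null -ne $edr -and $edr.Status -eq 'Running')

# 3. Machine certificate. It must be issued by the expected CA, carry the
#    Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), have its private key
#    available, and be inside its validity period. Pick the longest-lived match.
$now = Get-Date
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "CN=$MachineCaName*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
$results['MachineCertPresent'] = ($null -ne $machineCert)
$results['MachineCertSubject'] = if ($machineCert) { $machineCert.Subject } else { $null }
$results['MachineCertExpires'] = if ($machineCert) { $machineCert.NotAfter } else { $null }

# Overall verdict: every check must pass. Any single failure means the gateway
# should deny access, so the script exits non-zero for use in automation.
$results['Compliant'] = $results['DomainJoined'] -and
                        $results['EdrRunning']   -and
                        $results['MachineCertPresent']

[pscustomobject]$results | Format-List
if (-not $results['Compliant']) { exit 1 }
```

Run it in an elevated session on a candidate endpoint; a non-zero exit code marks the device as non-compliant for scripting or Help Desk triage. Note that a check like this only reports what the endpoint itself says about its state, which is why the project pairs posture signals with a machine certificate for device identity and SAML plus 2FA for the user rather than trusting posture alone.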
Summary
The customer upgraded its legacy on-premises SSL VPN to a Secure Access Service Edge (SASE) framework to enhance global connectivity, security, and management. The old system's fixed gateway assignment and lack of local internet breakout led to inconsistent experiences and security risks. The new SASE infrastructure lets users connect to the nearest gateway, improving performance and reliability. Comprehensive compliance and posture checks ensure secure access, while integrated security services provide advanced threat protection. A centralized management platform streamlined policy enforcement and regulatory compliance. The project involved collaboration across IT, Security, System, and Help Desk teams, resulting in improved connectivity, security, and user experience.