Live Webinar
Troubleshooting Digital Experiences Across Owned and Unowned Networks

Product Updates

Expanding VPN Visibility to Support a Secure Remote Workforce

By Alex Cruz Farmer
| | 11 min read

Summary


Without any doubt, the pandemic has overturned our whole personal and professional worlds. It has principally shifted the way we work, the way we interact with our colleagues and customers, and permanently altered the enterprise architecture and landscape. While most of us are adapting and coping with this monumental shift, it is truly our IT teams who are unsung heroes as they strive to keep the remote workforce securely connected to business-critical apps and services. First off, I’d like to extend a huge thank you and virtual hug to all the ITOps teams (#hugops). But wait, a virtual hug is not going to expedite fault triangulation, improve MTTR, and make lives easier for IT Teams managing a remote workforce. So let’s talk about what does!

Over the last 9 months, based on feedback from our customers and our very own IT team, we have been tweaking the capabilities of the Endpoint Agent and perfecting our End User Monitoring solution. In this blog post, I’d like to introduce the recent enhancements to VPN monitoring, which includes expanded support of VPN vendors, automatic underlay and overlay detection, and intuitive visualization capabilities that help with troubleshooting a zero-trust enterprise architecture.

Pandemic Rewrites the ITOps Playbook

Let’s face it, when the big shift to home offices happened earlier this year, our IT teams’ playbooks mostly had to be re-written on the fly. They went from supporting a secure, purpose-built network infrastructure with advanced management systems, to diagnosing and fixing home-based networks, consumer-grade Internet connectivity, and performance of SaaS applications that they have no control and ownership over. It became evident very quickly that non-enterprise technology does not come with the same bells and whistles that are taken for granted in a traditional office-based enterprise environment. That meant no SLAs, no prioritized fast-lane, no telemetry, no fancy historical logging and graphing, nothing. Nada. Home Internet and bandwidth are now shared between YouTube videos, Netflix streaming, online education, and Webex calls. And to make matters worse, each remote employee's environment is unique—adding to the complexity when troubleshooting performance degradation and connectivity issues.

IT teams quickly realized that without any visibility into home-based and Internet-centric ecosystems, they were flying blind in a pandemic-altered reality. Old-school troubleshooting techniques that they were used to—for instance, using remote access software to log into a device and poke around—are no longer scalable or even useful. First off, it is cumbersome, time-consuming, and extremely frustrating for both the IT professional and the end user. And most times, it can turn into a wild goose chase. Additionally, triaging just the end user’s device to check for faults meant that you are conveniently ignoring the rest of the complex digital supply chain impacting connectivity and experience.

A new problem needed a new approach and is precisely what ThousandEyes Endpoint Agents were designed for. This new vantage point gives ITOps exactly what they were looking for: visibility all the way from the remote users to any business-critical application across any network, including the home WiFi, broadband ISP, VPN underlay, the Internet transit and public cloud environments.

Figure 1: ThousandEyes End-User Monitoring solution provides the most comprehensive visibility into user experience across a complex digital supply chain

Securing a Remote Workforce - Zero Trust and VPNs

With almost the entire workforce connecting from home, the increase in VPN usage was not surprising at all. Some of our customers detected a 10x increase in VPN sessions in the first few months of the pandemic. As the probability of remote workforce permanence increases, enterprises are proactively leaning in and investing in a Zero-Trust architecture. The concept of Zero Trust with regard to securing connectivity is to create an Over-the-Top (OTT) security layer (very similar to how VPNs work), which can be enabled on a standard Internet connection, giving access to business-critical applications with ease. Apart from securing connectivity through an encrypted tunnel, Zero Trust also authenticates the user and the device requesting access.

Although VPNs provide an added layer of security, they add an additional layer of complexity when it comes to troubleshooting performance. VPNs can obfuscate the network connectivity between the remote user and the VPN gateway, which means the network underlay is no longer visible. This makes it extremely challenging for the IT teams to identify what could be causing a problem with your connection. Misconfigured VPNs or user error can also sometimes result in traffic taking a suboptimal route to reach a service and can manifest as poor user experience.

ThousandEyes Deepens Visibility into VPN Deployments

Recognizing the complexity and challenges with Zero Trust environments, we doubled down our focus on solving VPN-related problems, improving visibility into underlay and overlay network paths and supporting multiple VPN vendors to address the diversity of remote workforce deployments.

Expanded VPN Vendor Support
We are pleased to announce that we will be shortly adding Pulse Secure Connect and Zscaler Internet Access to our portfolio of supported secure access solutions to complement our existing Cisco AnyConnect support. Both of these vendors are available today in early access, if you’re interested in joining our early access beta, please reach out to your account team.

Automatic VPN Detection and In-Depth Underlay Visibility
ThousandEyes Endpoint Agents can automatically detect a VPN connection and require zero instrumentation. Once a VPN’s presence has been established, ThousandEyes seamlessly discovers the underlay and overlay path through the VPN and monitors user experience in correlation to the underlying network connectivity. So at any point in time, you can not only identify if a lossy node within the obscured underlay network is impacting performance but also establish if a sub-optimal network path is preferred. For example, in Figure 2, traffic from a remote user in San Jose is being routed through Dublin to reach a service hosted in the United States.

Figure 2: Automatically detect VPN paths and identify sub-optimal network paths and lossy nodes

In addition to extending our VPN vendor support, we have also improved our user experience when navigating and diagnosing issues where VPNs are involved. In the GIF below, you will be able to see that the VPN underlay is now highlighted in purple and is automatically collapsed and can be controlled using the “VPN Overlay/Underlay” toggle next to filters.

Figure 3: Granular visibility into VPN Underlay and Overlay

Upon automatic detection and monitoring end-to-end performance, ThousandEyes Endpoint Agents will also start explicitly monitoring VPN performance metrics, such as loss and latency. This not just removes the need to manually create a test, but also takes care of automatically updating the VPN gateway the remote user is connected to. A historical timeline lets you go back and forth while troubleshooting to identify any newly introduced anomalies, such as connecting to a sub-optimal VPN gateway or a sudden increase in VPN latency.

Figure 4: Dynamically detect multiple VPN gateways and continuously monitor VPN performance

Expedite Troubleshooting with VPN-centric Labels and Filters
To be able to filter or dynamically group users logically, we are extending support to add four new VPN-centric attributes. You can now not only search and identify users on a specific VPN vendor but also dynamically group your remote employees based on the vendors they are using.

Figure 5: Filter on or label users based on four new VPN-specific attributes

These are just a few product enhancements we have been working on in regards to monitoring VPNs to ensure that a remote workforce can securely connect to business-critical applications. While remote working might have been triggered by the pandemic, it is not going away with the pandemic. As we continue to support large Fortune 500 enterprises to manage their remote workers, we will continue to innovate. To learn more about VPN monitoring, sign up for a custom demo with our team.

Subscribe to the ThousandEyes Blog

Stay connected with blog updates and outage reports delivered while they're still fresh.

Upgrade your browser to view our website properly.

Please download the latest version of Chrome, Firefox or Microsoft Edge.

More detail