March 31, 2020
Deploying Enterprise-Grade Wireless for Work from Home
Explore workarounds for connecting WFH users to the corporate network.
Distributed the laptops? Check. Wireless mice? Check. Warm, snuggly pajamas with your company’s logo? Check. Your organization is ready for work from home. Except… you also need to extend your network to support this workforce. That’s where the real struggle is: hard-working IT professionals are having to support a massive influx of remote users, often without the luxury of scaling out infrastructure or redesigning edge networks.
I want to outline a few suggestions that could help in these kinds of situations.
Wireless WFH: Use What You Have
You may be surprised to know that some of the old, spare or unused wireless infrastructure you have today might help you out. While some organizations widely deploy access points out to remote workers, many might not even realize that the device normally seen up on the ceiling in the office could be the answer to bridging them back into the corporate network. Combining these APs with underutilized or spare wireless controllers could help extend corporate wireless LANs to remote locations without putting much additional burden on VPN hardware or licensing. Clearly, purchasing new hardware can also help in this situation, but I’m outlining these solutions with the idea that things can be done immediately while you wait for that order to arrive.
Vendor Solutions: Cisco
Cisco’s solution is called OfficeExtend and, using Datagram Transport Layer Security (DTLS) encryption, provides secure connectivity between the remote location and the corporate head-end WLAN controller. Additionally, MAC whitelisting or certificates may be used to restrict which APs may join the controller, ensuring only known APs connect.
As OfficeExtend is intended to be used behind a router or other gateway device performing network address translation, most home networks should not add complexity to the setup. While each AP configured in OfficeExtend access point (OEAP) mode will consume a license on the controller, nearly all Cisco Aironet APs with integrated antennas are supported. For the definitive list of supported APs, review the configuration guide for the software version the controller is running.
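An added example (not from the original post or from Cisco) of the AP authorization point above, from the defender's side: an offline audit of controller join-log lines against the authorized-AP MAC list, flagging accepted joins from APs missing from the inventory and sources that are repeatedly refused. The log format, MAC addresses and IP addresses are constructed for illustration and do not follow any vendor's real log syntax.

```python
"""Audit constructed WLAN-controller join logs against an authorized-AP list.
Example code added here; the log format is constructed and is not a Cisco
OfficeExtend/controller log format."""
import re
from collections import Counter

# Constructed inventory: the MACs the controller is configured to accept
# (the same idea applies to certificate CNs). Replace with your own list.
AUTHORIZED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed sample log lines (not real controller output).
SAMPLE_LOG = """\
2020-03-30T08:01:12Z JOIN mac=00:11:22:aa:bb:01 src=203.0.113.10 result=accepted
2020-03-30T08:01:40Z JOIN mac=00:11:22:aa:bb:02 src=198.51.100.7 result=accepted
2020-03-30T08:02:05Z JOIN mac=00:11:22:ff:ff:99 src=192.0.2.44 result=rejected
2020-03-30T08:02:06Z JOIN mac=00:11:22:ff:ff:99 src=192.0.2.44 result=rejected
2020-03-30T08:02:07Z JOIN mac=00:11:22:ff:ff:99 src=192.0.2.44 result=rejected
2020-03-30T08:03:30Z JOIN mac=00:11:22:aa:bb:03 src=192.0.2.44 result=accepted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) JOIN mac=(?P<mac>[0-9a-f:]{17}) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

def parse_joins(text):
    """Return one dict per well-formed JOIN line; malformed lines are skipped."""
    joins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            joins.append(m.groupdict())
    return joins

def audit_joins(joins, authorized, retry_threshold=3):
    """Flag two conditions worth an alert:
    - accepted_unauthorized: the controller admitted an AP whose MAC is not in
      our inventory (allowlist drift or a misconfigured controller);
    - repeated_rejects: a source refused at least retry_threshold times
      (a misbehaving AP, or unexpected traffic hitting the join port)."""
    accepted_unauthorized = sorted(
        {j["mac"] for j in joins if j["result"] == "accepted" and j["mac"] not in authorized}
    )
    reject_counts = Counter(j["src"] for j in joins if j["result"] == "rejected")
    repeated_rejects = sorted(s for s, n in reject_counts.items() if n >= retry_threshold)
    return {"accepted_unauthorized": accepted_unauthorized, "repeated_rejects": repeated_rejects}

if __name__ == "__main__":
    print(audit_joins(parse_joins(SAMPLE_LOG), AUTHORIZED_MACS))
```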
Vendor Solutions: Aruba
Aruba’s solution comes by way of its Remote Access Point (RAP). Aruba has long manufactured several models of APs that were designated to be used solely as RAPs. The modern versions of these APs include the AP-203R and the AP-303H, which both offer local Ethernet ports (useful for printers, switches, etc.) and can also support Power over Ethernet for devices like Voice over Internet Protocol phones. While these hardware-specific devices are nice, RAP is just a mode, which means any other Aruba APs can be converted to support the same remote capabilities utilizing secure Internet Protocol Security (IPSec) tunnels.
As with any Aruba AP, standard licensing (AP/PEF/RFP) is required for the AP to function on a mobility controller. A RAP can be configured for split- or full-tunnel operation, as desired. This gives the administrator additional flexibility to allow access to local resources, such as printers or network-enabled scanners, or simply to let internet-bound traffic go direct rather than tunneling all the way back to the head end.
One feature that makes the Aruba product shine is the ability for an AP to dynamically apply and enforce access policies based on the user’s role. This means that even from home the remote worker can be held to the same security standards as if they were in the office. For instance, a BYOD tablet may have limited access only to Citrix servers, while the corporate-owned laptop has full access to file shares required for their day-to-day function.
Vendor Solutions: Meraki
Meraki APs can use a feature called service set identifier (SSID) tunneling by leveraging a Meraki MX as a VPN concentrator. Meraki provides an MX sizing guide, which should be consulted to determine whether existing infrastructure can accommodate the additional tunnels this feature creates. As this connection operates just like a VPN, administrators can set up either full-tunnel or split-tunnel mode for the remote MR AP.
The nature of Meraki’s cloud-managed system also ensures that the tunnel creation from behind a home router or gateway is very simple due to the auto VPN capabilities. Coordination of the tunnel is done by both ends, first establishing connections up to Meraki’s cloud infrastructure and then negotiating a peer-to-peer IPSec tunnel. This means no client data is ever seen by Meraki, and the traffic between the AP and concentrator is secure.
Two more Meraki items worth highlighting are smaller teleworker devices: the older Z1 and the newer Z3. Both models offer site-to-site VPN capabilities, wired ports and wireless access, making them another good option for remote workers. Additionally, Meraki recently announced that it is temporarily disabling licensing enforcement, which should help organizations with expiring licenses and allow temporary use of currently unlicensed hardware.
Keeping the Edge Secure
Apart from one vendor, a commonality all these solutions share is that each needs to be able to phone home to the corporate environment. Often, edge firewalls are doing their job keeping attackers out, so it’s likely that ports will need to be opened to allow the secure tunnels to form back to the wireless infrastructure. It’s imperative that, while implementing these solutions, proper precautions are still taken to ensure organizational security is maintained.
One Piece of the WFH Puzzle
Other challenges exist in rapidly expanding an organization’s remote worker capabilities. VPN sizing, bandwidth, licensing and virtual environment accessibility can all be counted among these factors. For more information on some of these topics, see my colleagues Robert Herriage and Sven Rasmussen’s blog post: “Tips for Adjusting Your Network for Work from Home.” Adding wireless into the mix provides administrators another technology that can be brought to bear in their efforts to scale in this changing landscape.
CDW is here to help you navigate WFH. For more information, reach out to your account manager and solution architect.