VPN Deployment

Corporate Virtual Private Network Deployment Steps

A Virtual Private Network (VPN) is required in an office environment. The VPN provides connectivity from your home users or trusted partners and allows them access to your network resources in a secure fashion. Access to these network resources can occur via the mobile phone, laptop, tablet or other device that needs to connect.

The companies that provide enterprise VPN technology include: Palo Alto Networks, Pulse Secure Networks, Cloudfare, Cisco and their are several vendors that can provide users a VPN connection to protect you at home. The configuration of a connection for a home user is far easier than that of the enterprise. Enterprise users need to consider a number of tasks for deployment.

In your enterprise deployment of a VPN, your purchase should include the hardware, user software license and hundreds of hours of professional service hours to help you with your deployment. Enterprise VPN connections are difficult to configure and you will want assistance from the vendor. I can’t emphasize the need for professional services from the vendor. This is especially important if you are converting to a new vendor and adding new security protocols.

Prior to engaging with the vendor for your VPN deployment, you need to document the following configuration items:

1. Active Directory servers
2. Servers that are used for the HelpDesk to provide troubleshooting to the users
3. Servers that are used for sending virus scan software updates
4. Servers that are used for sending software updates to the devices
5. Special groups that users are added to once they connect to the VPN
6. Any other items that a user needs access to for authentication when they login
7. Applications that need to route from the user desktop direct to the hosting provider. Examples include MS Teams Audio and Video activities.

The resources required to deploy a corporate VPN solution will include: Security (Policy and EndPoint, i.e. McAfee, Symantec) Engineers, Desktop Engineers, Certificate Engineers and Network Engineers. From the list of resources, the Security resources need to tell you the paperwork that you will need to fill out for the product. If they don’t tell you about the security scans or other pieces of security paperwork, then question this!

In order to deploy the VPN connection, you need a laptop or desktop that you can control. During the deployment of the new VPN solution, you are going to want to test various scenarios from the types of devices that connect to your network. The testing associated with a new VPN connection requires that your team have a 2nd device that they can have full administrative privilege to modify and quickly restore. If you start this project and your team needs to rely on different groups to help them make changes on the laptop for testing, then you should plan on the different groups to SPEND A LOT of time partnering with your VPN team and be immediately available to the VPN team at any time. The cost is far less if you can temporarily give your VPN team full administrative access to a laptop so they can make the required changes for testing. The deployment of a laptop or image that can mirror the user laptops is extremely important in this deployment!

My recommendation for the testing includes establishing a virtual machine on the VPN team member laptop. This would require the deployment of virtual desktop software from VMware. This virtual machine would run the identical desktop image that is deployed on the hardware used in your company. The VPN tester would have the ability to make changes to this virtual machine, and restore it back to the original configuration for testing. If you are unable to do this, then you should deploy a 2nd laptop for the VPN tester that they can make changes to. Your laptop testing needs to include a model and desktop image that is currently in production for your users.

List all of the permutations to allow or deny access to the VPN

In addition to setting up the test systems, you need to list the methods of authentication that occurs to your network. This will be a table that will includes all of the permutations that can occur for logon. This table is important as it highlights the “weaknesses” in your security profile where somebody could “mimic” your corporate machine and gain access to your network.

The security implementation of your VPN solution requires that you examine all of the methods for access and make sure a rogue user can’t impersonate your corporate desktop. Impersonation can be stopped through the use of multiple logon methods. This includes a PIV card and certificates. One of the security methods supported by VPN software includes machine certificates. Machine certificates are issued by your private key infrastructure (PKI) Team and your company maintains the private key. Impersonating a private key and machine certificate adds a layer of protection to your PIV card or username and password method.

Inevitably a remote user will experience an issue with their logon method or security profile on their device. A common issue is a mismatched certificate between the laptop and what is expected at the corporate network. In order to avoid the user travelling to the office, the VPN solution can establish a remediation portal. This remediation portal will provide the user the ability to work with the helpdesk to resolve machine certificate or password issues. This remediation portal will restrict access to the rest of the network and is only provided to help resolve issues. In your architecture design of the VPN solution you need to account for this remediation portal.

A VPN solution is extremely important to your company. Changes to the VPN need to be thoroughly tested. In order to test these changes you should purchase an identical device where you can test your changes. This device can be used to test policies or software upgrades prior to the deployment to production. For a large organization this is considered the development or quality assurance environment. Spend the money to acquire this extra environment.

The setup of the infrastructure is complimented with the new user software. Your users will need to be trained on the new software that will come with the solution. Training should include videos and knowledge base (KB) Articles for the users to connect to the solution. Additional KB and videos will be required for the Help Desk staff to utlize the remediation portal to help troubleshoot user issues. This will need to be distributed in a consolidated “marketing plan” to your entire company. This plan will outline when the software will appear on their desktop and when they should start using it.

The deployment of a new VPN solution involves a number of resources in the organization. These resources will work on a complex deployment with new hardware and policies. Spend the time to acquire the required time from each group and the tools they need for the deployment. Based on the size of the organization you could be looking at a one year project duration. Spending the time and money to acquire a new VPN solution will create benefits to support your remote workers and potentially reduce your office costs!