Traditionally, your remote workers connect via a VPN tunnel to a firewall or VPN concentrator in your datacenter. A remote worker can be an employee but also a third party (a business partner). The VPN traffic is carried over the Internet. This works well for accessing internal applications hosted in your datacenter. However, a large and growing share of corporate applications is now hosted in the cloud, and that traffic is best routed directly via the Internet, which is typically the shortest path to the cloud. In this situation the traditional VPN architecture is sub-optimal because it 'hairpins' the traffic:
The VPN solution forces the remote user's traffic through the company firewall in the datacenter. Only after inspection does it become clear that the traffic is destined for the cloud, so the majority of it is sent back out over the same Internet access line it came in on.
This has several adverse effects. The Internet line carries the same traffic twice, inbound and outbound. The traffic takes an unnecessary detour, which can only hurt application performance. The central firewall becomes a choke point under congestion. For remote workers of international companies the impact can be even more severe: their traffic often has to take an "international trip" to reach the nearest corporate datacenter. Unless the company runs datacenters near the user's home country, this 'double detour' can severely degrade application responsiveness.
We propose a different way: connect via the global SASE cloud. Internet traffic is no longer forced through your datacenters, so an upgrade of your corporate Internet and security infrastructure can be avoided. All traffic from the home worker travels via the secure SASE cloud with full visibility and control, without a detour and without extra devices. Because of the SASE architecture, mobile devices are natively supported as edges. Working from home becomes as fast and as safe as working in the office. That is the power of simplicity. At the same time, all remote users' traffic is fully inspected by the SASE security stack, giving users enterprise-grade protection everywhere. Compromising on security or forcing a painful backhaul into a datacenter firewall is no longer a trade-off customers need to make.
End users can also connect to the nearest SASE node without a VPN client installed ('clientless browser access'). This is usually delivered as part of a Software Defined Perimeter (SDP): a newer approach to securing access to internal applications that relies on software rather than VPN hardware appliances to deliver zero-trust access for remote users. Note that clientless access covers applications reachable from a browser; non-web protocols still need the client.
How to provision a SASE VPN Client on mobile devices:
The SASE VPN Client uses the device's built-in VPN capabilities to tunnel to the global SASE cloud. Supported devices include personal computers, laptops, tablets and smartphones running Windows, macOS, Linux, iOS and Android. Onboarding of mobile users can be initiated through Active Directory integration or through user configuration in the management application. With specific Microsoft AD policies, connectivity can be restricted to customer-approved devices by requiring a device certificate; the certificate must be validated against the corporate CA and tied to the user it was issued for, otherwise the restriction is only nominal. Users are normally invited to register via email and provision themselves in a few steps through a dedicated portal. User authentication is included and can be implemented in several ways, for example multi-factor authentication (MFA) or single sign-on integrated with the corporate identity management system.
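The following is an added example, not code from the original page or from any SASE vendor, of the access decision a connect request goes through once the controls above are combined: a directory lookup standing in for the Active Directory integration, an approved-device check keyed on the device certificate, and TOTP (RFC 6238 over RFC 4226 HOTP) as the MFA factor. The directory, the device certificate bytes (opaque placeholders, fingerprinted rather than parsed) and the approved-device list are all constructed for the example; a real deployment validates the presented certificate chain against the corporate CA instead of matching fingerprints. It uses only the Python standard library and checks the TOTP implementation against the published RFC test vectors.

```python
"""Added example: combined device-approval + MFA (TOTP) check for a remote-access
connect request. Constructed data throughout; not a vendor's implementation."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way an approved-device list is keyed."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample directory (stands in for the AD integration; assumption, not from the page).
DIRECTORY = {
    "alice": {"groups": {"VPN-Users"}, "totp_secret": b"12345678901234567890"},
    "bob":   {"groups": {"VPN-Users"}, "totp_secret": b"bob-secret-not-for-production"},
    "carol": {"groups": set(),         "totp_secret": b"carol-secret-not-for-production"},
}
# Constructed "device certificates": opaque placeholder bytes, only their fingerprints matter here.
ALICE_LAPTOP_CERT = b"constructed-der-for-alice-laptop"
BOB_PHONE_CERT = b"constructed-der-for-bob-phone"
# Devices an administrator approved, per user. Bob has enrolled no device yet.
APPROVED_DEVICES = {"alice": {cert_fingerprint(ALICE_LAPTOP_CERT)}}


@dataclass
class ConnectRequest:
    user: str
    device_cert_der: bytes
    totp_code: str
    now: int  # unix time at which the request is evaluated


@dataclass
class Authorizer:
    directory: dict
    approved_devices: dict
    required_group: str = "VPN-Users"
    step: int = 30
    window: int = 1  # tolerate +/- one time step of clock drift
    used_codes: set = field(default_factory=set)  # (user, counter) pairs already consumed

    def authorize(self, req: ConnectRequest) -> tuple:
        """Return (allowed, reason). Checks run in order: identity, device, then MFA."""
        entry = self.directory.get(req.user)
        if entry is None or self.required_group not in entry["groups"]:
            return False, "user not found or not in required group"
        if cert_fingerprint(req.device_cert_der) not in self.approved_devices.get(req.user, set()):
            return False, "device certificate not approved for this user"
        base = req.now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            expected = hotp(entry["totp_secret"], counter, 6)
            # Constant-time comparison so response timing does not leak matching digit prefixes.
            if hmac.compare_digest(expected, req.totp_code):
                # A TOTP code is single-use: reject a replay within the same step.
                if (req.user, counter) in self.used_codes:
                    return False, "MFA code already used"
                self.used_codes.add((req.user, counter))
                return True, "ok"
        return False, "MFA code invalid"


if __name__ == "__main__":
    auth = Authorizer(DIRECTORY, APPROVED_DEVICES)
    code = totp(DIRECTORY["alice"]["totp_secret"], 59)
    print("alice, approved device, fresh code:", auth.authorize(ConnectRequest("alice", ALICE_LAPTOP_CERT, code, 59)))
    print("alice, same code replayed:        ", auth.authorize(ConnectRequest("alice", ALICE_LAPTOP_CERT, code, 59)))
    print("bob, unenrolled device:           ", auth.authorize(ConnectRequest("bob", BOB_PHONE_CERT, "000000", 59)))
```

The order of the checks matters: the device check runs before the MFA check, so an attacker with a stolen password and OTP but no approved device never reaches the MFA step, and the OTP counter is only consumed on a successful match, which keeps a failed attempt from locking out the legitimate user's current code.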