The Benefits of Working Remotely Via VPN

Edit: Hopefully this problem has been solved by now.

Originally posted October 2006 by IBM Systems Magazine

It’s 2 a.m., and you’ve just been paged. Do you have an easy way to get into your network, or is the pain of waking up going to be compounded by frustrations associated with dialing into work? In the good old days, I can remember dialing into work with a modem in order to get work done. It was slow, but there weren’t any alternatives. I just thought I was lucky I could avoid the drive back onsite to fix something in the middle of the night.

Sometimes I would use a package like Symantec’s pcAnywhere to remotely control a PC that had been left powered on in the office. We would use this same type of solution for our road warriors, who would dial in from a hotel room and do their best to get their e-mail or reports from the server. It wasn’t ideal, but it was one of the best solutions available at the time. Some employers still use solutions like pcAnywhere, gotomypc.com, Citrix, etc. These approaches can be useful for non-technical users, or for people that need to use desktops that are locked down. However, with the advent of the ability to tunnel over a virtual private network (VPN) into the corporate network, the need to use remote control software should lessen, especially for the technical support staff members who happen to be remote.

The need to be remote might not even be related to a call out in the middle of the night. You might have employees who travel and need to access the network from a cab, airport or hotel. You may be interested in offering the ability for your employees to work remotely and require them to be in the office less often. You may have an employee who is too sick to come into the office, but not so sick that they cannot take some Dayquil and do some work from home. You may have an employee with a sick child who is unable to go to daycare. Instead of asking them to take a sick day to care for their child, hopefully you have the tools and policies in place to allow them to work remotely while their child is resting. All of these situations end up being productivity gains for the employer. Instead of idle time during which an employee is unable to connect to the office and get work done, a simple VPN connection into the office gives the employee the opportunity to get things done from wherever they are, using the tools they’re accustomed to.

I have known customers that outfit their employees with laptops that allow them to work from home, but then cripple them with a Citrix solution, or another remote access method that doesn’t allow them to use the tools that are on their machines. It’s much easier for the employee to use the applications that are loaded on the laptop, in the same way that they are used in the office. When you put another virtual desktop in the middle of things, it complicates life unnecessarily compared to allowing this machine to be just another node on the network.

Security Considerations and Precautions

There are security considerations and precautions that need to be taken when thinking about a VPN. Nobody wants to deploy a solution that allows their employees in, but also allows non-employees to have unauthorized access. We must do our best to mitigate these risks, while still allowing trusted people to have the resources to do their jobs. There are going to be some networks that don’t allow any traffic in or out of them from the outside, and obviously this discussion is not intended for them. There are going to be situations where sensitive information exists where the risk of disclosure outweighs any benefits of allowing remote access to anyone.

In many instances, providing employees with network access is a benefit to the employee and the employer. The time it will take to wait for an employee to get dressed and drive in (especially when they live great distances away) can be an unacceptable delay when a critical application goes down during the night. Instead of waiting for them to drive on-site, provide the right tools to get the job done remotely.

An ideal world is one where you can work seamlessly from wherever you happen to be. Cellular broadband networks, 802.11 wireless networks, and wired broadband networks in the home, coupled with a decent VPN connection, have gotten us to the point where it really doesn’t matter where an employee physically resides in order to get the work done. We can see the truth of that statement when we start to see the globalization of the technical support work force. Many organizations are taking advantage of the benefits of employees working from anywhere, including other countries. It would be ridiculous to ask an employee to work remotely from overseas over a Citrix connection that has a 15-minute inactivity timeout. It should be just as ridiculous to ask a local employee to use this type of connection to troubleshoot and resolve issues with servers.

Using What You’re Familiar With

When you need to connect to your hardware management console (HMC) from home, it’s nice to run WebSM the same way you do in your office. You could run Secure Shell (ssh) into the HMC as hmcroot, and run vtmenu. From there, you enter the correct number for the managed system you want to use, and then type the number of the LPAR you want to open a console window for. This is fine, but sometimes you need to use the GUI to do work on the profiles or to stop and start LPARs.

Why not just use the tools and methods you’re familiar with and use in the office? I’ve worked both ways, and being able to suspend your laptop, go somewhere else, restart it, connect to the VPN, and pick up right where you left off by using virtual network computing (VNC) is a great way to work. If you have your instant messenger running in a VNC session, it can be so seamless that your coworkers may not even realize that you have moved physical locations – they just notice that you did not respond to them for a while, and you did not have to interrupt the flow of the chat session that was in progress.

Being asked to use a Citrix-like solution that is clunky by comparison (especially if there are issues with the Citrix connection being lost, or timing out too quickly) can quickly make employees less eager to take care of problems from home. Instead of quickly and easily connecting to the network and solving the problem, you have people wasting time trying to use a difficult solution.

When I use a seamless VPN connection, I actually find that I work more hours. It’s so easy to get online, I constantly find myself doing work before and after my hours on-site, and even doing things on the weekends. Checking e-mail, looking at server health-check information and checking the on-call pager logs are all so easy to do, I figure why not spend a few minutes and do them. When I contrast that with a solution that’s painful to use, I see that people are not nearly as interested in getting online and getting things done, and things are only done as a last resort in a situation where they have to get online to fix something that’s broken.

VPN Options

I have used commercial VPN offerings, including the AT&T network client, the IBM WebSphere Everyplace Connection Manager (WECM), and open source offerings including OpenVPN. There are pros and cons with all of them, but the main thing that they shared was the capability to make your remote connection replicate the look and feel of your office environment while you’re away from the office.

One aspect of the AT&T client that I liked was the capability to switch between dial-up access when you could not find broadband access, and a broadband connection when you could. Obviously, the speed differential was tremendous, but the capability to dial in when there is no other way to make a connection was very helpful while traveling.

When I used a WECM gateway, I found I was able to be connected on a wireless network, suspend my laptop, go to a wired network, take my laptop out of hibernation, and have the network connections re-establish themselves over the new connection. This made things even more seamless and transparent to the end user.

As this IBM Web site explains: “IBM WebSphere Everyplace Connection Manager (WECM) Version 5.1 allows enterprises to efficiently extend existing applications to mobile workers over many different wireless and wireline networks. It allows users with different application needs to select the wireless network that best suits their situation. It also supports seamless roaming between different networks. WECM V5.1 can be used by service providers to produce highly encrypted, optimized solutions for their enterprise customers.”

“WECM V5.1 is a distributed, scalable, multipurpose communications platform designed to optimize bandwidth, help reduce costs, and help ensure security. It creates a mobile VPN that encrypts data over vulnerable wireless LAN and wireless WAN connections. It integrates an exhaustive list of standard IP and non-IP wireless bearer networks, server hardware, device operating systems, and mobile security protocols. Support for Windows Mobile V5 devices clients has now been added.”

Both of these solutions cost money, so a low cost method is to set up a Linux machine as an OpenVPN server. A full discussion is beyond the scope of this article, but more information can be found at openvpn.net. From that site’s main page: “OpenVPN is a full-featured SSL VPN solution that can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.”

“OpenVPN implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a Web application proxy and does not operate through a Web browser.”

The competition for talent in today’s IT world is fierce. During the interview process, when a potential candidate asks you about the solution that you use for working from home and on-call support connectivity, hopefully you can give them the right answer. With the right infrastructure in place, it may even be possible to recruit talent and allow them to continue living where they are, instead of asking them to relocate.

Most organizations already have good solutions in place, but it never hurts to revisit the topic, and see if there is room for improvement where you work.