ENPAQ VPN Concentrator VPN full tunnel

Introduction

When using the Secure VPN technology from Elina, the standard tunnel setup is a “split tunnel”. In this mode, only application data travels over the VPN tunnel, while Internet access from the desktop is direct.

Split tunnel setup

As shown in the figure below, in the split tunnel setup only application data travels over the VPN tunnel to the HQ.

Split VPN tunnel

In this mode, the desktop has direct access to the Internet. In a small store setup, the split tunnel provides application access over the VPN tunnel, but Internet access is not controlled. The only way to limit it is to add additional software components on the desktop or an external firewall at the store.

To overcome this problem, the full tunnel mode is used.

Full tunnel setup

In the full tunnel mode, the Secure VPN client configuration and setup are the same as before, with one key change: all traffic from the desktop, not just application data, goes over the VPN tunnel.

Full VPN tunnel

In the full tunnel mode, since all traffic goes over the VPN tunnel, both application data and Internet-bound packets arrive at the VPN concentrator at the HQ.

On the HQ VPN concentrator, web proxy rules can be set up on a per-client or per-group basis to provide filtered Internet access. In most cases, the store/branch office desktop is allowed only limited browsing access, so the additional Internet traffic at the HQ is small.
Filtered Internet access can therefore be provided without any additional infrastructure changes or capital expenditure on firewall and proxy installations at the stores.

The built-in reporting functions on the ENPAQ provide a complete view of which sites have been browsed, the usage on a per-machine basis, and so on. This information is useful for making policy decisions on corporate Internet usage.

In addition, the VPN connections themselves are reported for usage, disconnections and uptime. These reports can be used to ascertain the Internet link quality at each store/branch.

The single console view of the network available from the HQ also provides live status on which branches are connected, the amount of data being transferred, etc. This provides a great deal of information for troubleshooting store/branch level issues.

HQ Internet usage conundrum

In the full tunnel case, the Internet usage at the HQ goes up, as all the stores/branches access the Internet using the HQ bandwidth.

Sizing Internet bandwidth at one location is a simple task. By contrast, fighting the threat of viruses and worms at every store, combined with a complete absence of Internet usage policy enforcement, means that the IT team would be battling problems at the store fronts on a daily basis.

To reduce the HQ Internet usage, this method can be implemented on a distributed basis. Stores/branches in a region connect to the regional HQ, and the regional HQ connects to the HQ over MPLS or other networks, reducing total Internet bandwidth usage at the HQ.

Desktop Virtualization – the best solution

Elina strongly recommends its desktop virtualization solution for stores/branches, where the best of both worlds is available: controlled Internet access without HQ load, and VPN access to HQ applications.

In certain cases, desktop virtualization may not be a feasible option, as it requires 1GB of physical memory and a reasonably good processor. In such cases, the full tunnel setup works like magic and meets the objective of controlled Internet access at the store/branch fronts.

Manageability with Elina solution

With the VPN tunnel implementation, whether split or full tunnel, a variety of manageability features are available as part of the Elina solution:

  • IT Inventory management
  • Patch management and automatic rollouts
  • Monitoring
  • Single-click remote VNC/RDP

Conclusion

Elina provides multiple setups and methods to meet the security, cost and manageability concerns that customers have.

© 2009 by ELINA Networks. All visual media © by ELINA Networks. All Rights Reserved.