VPN Archives - Inside Track Blog: How Microsoft does IT
http://approjects.co.za/?big=insidetrack/blog/tag/vpn/

Using a Zero Trust strategy to secure Microsoft’s network during remote work
http://approjects.co.za/?big=insidetrack/blog/using-a-zero-trust-strategy-to-secure-microsofts-network-during-remote-work/
Wed, 03 Apr 2024 13:59:49 +0000

Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincides with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital Employee Experience (MDEE) redesigned the VPN infrastructure by adopting a split-tunneled configuration that supports the company’s ongoing move of workloads to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in MDEE. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

[Learn how Microsoft rebuilt its VPN infrastructure. Learn how Microsoft transitioned to modern access architecture with Zero Trust. Read how Microsoft is approaching Zero Trust Networking.]

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=bleFoL0NkVM, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Experts from Microsoft Digital answer frequently asked questions around how VPN, modern device management, and Zero Trust come together to deliver a world class remote work platform.

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for MDEE employees who hold Owner or Contributor roles on a Microsoft Azure subscription, as well as employees who make changes to customer-facing production services and systems such as firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, dedicated hardened devices reserved for sensitive tasks, to reach a separate, more tightly controlled VPN infrastructure.

Phil Suver, a principal PM manager in MDEE, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN configuration regularly and update it as the rest of your environment changes.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in MDEE. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”
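As an added example (not Microsoft’s own configuration script), the PowerShell below sets the Windows Update for Business deadline policies that the passage describes on a locally policy-managed Windows 10 or 11 device and reads them back. It assumes local administrator rights and the Group Policy registry path for Windows Update; Intune-managed devices would receive the same settings from an update ring instead. The value names are the documented Windows Update for Business deadline settings; deadlines are counted in days, so the 48-hour quality-update window becomes 2.

```powershell
# Added example, not Microsoft's configuration script. Assumes local admin rights and the
# Group Policy registry path for Windows Update (Intune update rings write equivalent CSP settings).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-WufbDeadlinePolicy {
    param(
        [ValidateRange(0, 30)][int]$QualityDeadlineDays = 2,   # "48 hours" in the text = 2 days
        [ValidateRange(0, 30)][int]$FeatureDeadlineDays = 7,
        [ValidateRange(0, 7)] [int]$GracePeriodDays     = 1,   # extra days after the deadline before a forced restart
        [switch]$NoAutoReboot                                  # count down but never restart automatically
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    $values = @{
        ConfigureDeadlineForQualityUpdates = $QualityDeadlineDays
        ConfigureDeadlineForFeatureUpdates = $FeatureDeadlineDays
        ConfigureDeadlineGracePeriod       = $GracePeriodDays
        ConfigureDeadlineNoAutoReboot      = [int]$NoAutoReboot.IsPresent
        # Deadlines only drive compliance if users cannot pause updates indefinitely.
        SetDisablePauseUXAccess            = 1
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-WufbDeadlinePolicy {
    # Read back what is actually in effect so a reviewer can compare against the intended 2/7-day windows.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        QualityDeadlineDays = $p.ConfigureDeadlineForQualityUpdates
        FeatureDeadlineDays = $p.ConfigureDeadlineForFeatureUpdates
        GracePeriodDays     = $p.ConfigureDeadlineGracePeriod
        AutoRebootDisabled  = [bool]$p.ConfigureDeadlineNoAutoReboot
        PauseDisabled       = [bool]$p.SetDisablePauseUXAccess
    }
}

Set-WufbDeadlinePolicy -QualityDeadlineDays 2 -FeatureDeadlineDays 7 -GracePeriodDays 1
Get-WufbDeadlinePolicy | Format-List
```

Setting a deadline without also removing the pause option leaves a gap: a user can pause for up to 35 days and the deadline never arrives, which is why the script sets both.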

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, start from the users’ actual workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in and to route traffic accordingly, which Microsoft does with Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly scalable VPN gateway, and the Azure Marketplace carries the most common third-party VPN and software-defined wide area network (SD-WAN) virtual appliances.


Seamless and secure cloud printing with Universal Print
http://approjects.co.za/?big=insidetrack/blog/seamless-and-secure-cloud-printing-with-universal-print/
Mon, 26 Feb 2024 16:00:43 +0000

Microsoft Digital stories

There are few office tasks that are as ubiquitous—or potentially as frustrating—as needing to print a document. Whatever your role and wherever you are, it’s likely that you’ll need to utilize the shared office printer next time you’re on site. In fact, maybe the sole reason you’re visiting the office is to print something.

Office printing is also a potential network security risk. Printers are Internet of Things devices, and the number of users who need access to them makes the attack surface large. Historically we’ve relied on print servers, virtual private networks (VPNs), and printer drivers to manage users’ access to printing.

But of course, we also know the best modern software technology exists in the cloud. It affords the most security as well as the most savings. Something wasn’t adding up.

A few years ago, we at Microsoft Digital Employee Experience (MDEE)—the organization that powers, protects, and transforms the company—realized that printing, one of the most common tasks that nearly all employees do, was one of the last operations that we had not yet brought to the cloud. It became our vision to change that and bring modern security and seamless access to printers to all employees, in all our offices, across the globe.

“Everyone needs to print something at some time,” says Pete Apple, principal architect and technical program manager in the infrastructure engineering services team within MDEE. “It’s one of those universal things about working in a business. As we upgraded the protocols with nearly everything else in our network, printing remained one of the only things done ‘the old way.’ We realized that this was a common area that needed addressing.”

The path to creating Universal Print, Microsoft’s solution to the needs of modern enterprise cloud printing, has evolved over several years as technology has changed. We’ve trialed, improved, and scaled our solution with the insights gained from utilizing this solution with our own employees.

And we are on the cusp of our next breakthrough in technology and security: eliminating the need for VPNs for office printing.

[Read our earlier blog post on Universal Print where we walk through our early steps to rethink our approach to printing here at Microsoft. Learn how we’re Microsoft’s ‘Customer Zero.’ Learn how we’re doing more with less internally at Microsoft with Microsoft Azure. Learn more about the foundation for modern collaboration: Microsoft 365 bolsters teamwork. Explore a simulated experience of Universal Print.]

The road to simplification: Microsoft as the customer

Jimmy Wu and Pete Apple were both involved in bringing the Universal Print project to life for employees across the globe.

A significant benefit of being a company as large, complex, and distributed as Microsoft is that we are a fantastic proving ground for new technology. If our teams can build a solution that works for our organization, we know it can work for other enterprises too. We also know that if we are experiencing a pain point, likely others are too. Because of this, we often call ourselves Customer Zero.

When it came to developing a modern solution for the needs of printing, our product groups knew who to turn to. Partnering with us in MDEE enabled the product team to develop Universal Print by testing with and taking feedback from the broad Microsoft team. The product group relied on our expertise with security review, OEM offerings, and first-hand admin feedback.

“With our partnership with MDEE we are able to gain experience as well as verifying the functionality of Universal Print,” says Jimmy Wu, senior product manager with the Universal Print team. “This helps us prove that this technology can scale to meet the needs of an enterprise as large and complex as Microsoft.”

In the last three years, Universal Print has come to eliminate the need for dedicated print servers and printer drivers, two significant headaches for admins and users alike. The one area that we hadn’t solved, until now, was the reliance on VPNs. We won’t be able to fully isolate the network printers from the core of our corporate infrastructure until we make this development.

“Using VPNs meant that every user trying to print something had to directly connect to the same network as the printer, which opens our networks to security threats. It increases the surface area for bad actors to attack,” Wu says.

Now, you send your print job to the cloud and you can “pull it down” to any printer you want, anywhere in the globe. It’s truly a universal system, and you no longer need a direct connection between your computer and the local printer you’re wanting to use. This eliminates the inherent security risk of having both the client computer and the printer on the same VPN network, while unlocking an exciting future for both improved security and an easier printing experience.

All together these changes have also resulted in significant cost savings for Microsoft and significant security and usability improvements. By simplifying our technology and reducing the scale of our infrastructure, we are realizing tens of millions of dollars in savings. This is a win-win outcome that we are all excited about.

Universal Print diagram showing Microsoft Azure Active Directory, Microsoft Intune, Microsoft Graph, and Office Data Storage Services at the center with the browser, Windows, and printers dispersed from there.
How Universal Print works is simple. Once your IT team configures and registers printers in Microsoft Azure Active Directory, they can publish the printers and assign printer access to the appropriate user groups. Users can then easily discover the nearest printer that they have access to, add the printer, and print immediately. Your IT team is able to manage print and receive reports on printer usage.

Zero Trust: scaling security while also improving user experience

Most employees around the globe these days are working in a hybrid setting, so when they visit one of our offices, we want their experience to be as seamless as possible. We are enabling this modern way of working by moving towards a Zero Trust environment.

Despite the intimidating name, Zero Trust provides smoother access to services for employees by ensuring user access is validated and authorized for each connection regardless of user location. In practice this means that you can easily log on to an on-campus network using the same device and same credentials you use in your home office. The experience is seamless, and the environment is more secure than ever.

Print traffic now travels through authenticated, encrypted tunnel connections to the cloud rather than over a corporate VPN; from an information security perspective that is the standard for public or semi-public networks. It lets us further sequester our corporate network, which reduces risk to our core infrastructure. This is least-privileged access in practice: users are segmented more finely, and by default each of them reaches only the common resources the average team member needs.

While we work towards modern security architectures, we’re also trying to minimize friction for our developers and our employees alike. “We do a real balance there. It’s a continued conversation of how we do better security while also continuing to improve the experience for folks, so it is just seamless,” Apple says.

To further this goal, MDEE plans to take advantage of Universal Print-ready printers from OEM manufacturers, which connect directly to the cloud and apply the same Zero Trust controls themselves. This new frontier is emerging through the partnership of Microsoft and manufacturers, who are working together to improve printer technology and reduce complexity throughout the printing environment.

Now in 2023 we are in the process of moving all Microsoft end users over to Universal Print. With this solution we are quickly scaling up to support the whole company, worldwide. We’re now able to retire hardware and legacy solutions, and their associated risks. Fundamentally, we are shedding costs while gaining more robust security and better user experience.

Transforming the printing experience for a global workforce

While there are many employees in our headquarters backyard in the Pacific Northwest, the vast majority of our team actually work in field offices all over the globe. Being able to have a printing system that is cloud-based, which can be utilized in all our offices around the world, means a more direct connection to the business for our employees wherever they are. We can ensure that all employees’ experience is much better than it was previously.

Rolling out Universal Print affects every one of our employees, so getting it right the first time is critical. Our system admins can now centrally manage our printing networks and ensure a common way of operating our equipment globally, which for instance reduces printer outages because a central team can diagnose and fix issues quickly. We’ve also removed unnecessary layers of security management by utilizing the inherent, built-in security of Microsoft Azure. Again, this reduction in complexity also results in savings and increased security.

And from the perspective of our end users, we’ve moved to a system where everyone is utilizing the same service, with the same access. This scales and makes life faster for employees. The printing interface is much easier than before, and fewer printer outages getting in the way of your work is always welcome.

We are also looking at new developments right around the corner: employees will soon be able to use their own badges to release the “pull down” printing functionality, adding much-requested scanning features, and enabling admins to have better fleet management of our printers across the globe. Each of these features will further enhance user experience and admin efficiency.

“We’re changing the industry, which makes me very excited,” says Michael Munch, a senior service engineer with MDEE. “It’s not just the same old print story; it’s that we are finally arriving at the day where we can do this thing we’ve only dreamed about. It’s going to save us money, we’re going to be more secure, and it gets us ready for the future with zero-trust networking because the devices themselves will become native cloud devices.”

In essence, we’re seeing a win-win situation and the future is bright. “After presenting our plan for Universal Print the leadership quickly said, ‘Wait, you said it’s cheaper, and it’s more secure?’” says Munch, “Of course, it was a no-brainer to do.”

Key Takeaways

  • Modern enterprise cloud printing is designed to provide modern security and seamless access to all printers for all users. It reduces friction for admins and users while making the enterprise more secure than ever.
  • Zero Trust is an important part of keeping everyone safe and secure. By moving enterprise printing to the cloud, companies can verify user and device identity to reduce risk and keep the environment productive.
  • Universal Print eliminates the need for dedicated print servers and printer drivers, which are significant headaches for admins and users alike. And by using Universal Print’s entire feature set, MDEE will soon eliminate the security risks inherent in VPN-based printing.

Enhancing VPN performance at Microsoft
http://approjects.co.za/?big=insidetrack/blog/enhancing-vpn-performance-at-microsoft/
Thu, 11 Jan 2024 17:00:13 +0000

Microsoft Digital technical stories

Modern workers are increasingly mobile and require the flexibility to get work done outside of the office. Here at Microsoft headquarters in the Puget Sound area of Washington State, every weekday an average of 45,000 to 55,000 Microsoft employees use a virtual private network (VPN) connection to remotely connect to the corporate network. As part of our overall Zero Trust Strategy, we have redesigned our VPN infrastructure, something that has simplified our design and let us consolidate our access points. This has enabled us to increase capacity and reliability, while also reducing reliance on VPN by moving services and applications to the cloud.

Providing a seamless remote access experience

Remote access at Microsoft relies on the VPN client, our VPN infrastructure, and public cloud services. We have been through several iterative designs of the VPN service inside Microsoft. Regional weather events in the past forced large increases in the number of employees working from home, heavily taxing the VPN infrastructure and requiring a completely new design. Three years ago, we built an entirely new VPN infrastructure with a hybrid design: Azure services for load balancing (Azure Traffic Manager) and Microsoft Azure Active Directory (Azure AD) for identity, with gateway appliances across our global sites.

Key to our success in the remote access experience was our decision to deploy a split-tunneled configuration for the majority of employees. We have migrated nearly 100% of previously on-premises resources into Microsoft Azure and Microsoft Office 365. Our continued efforts in application modernization are reducing the traffic on our private corporate networks as cloud-native architectures allow direct internet connections. The shift to internet-accessible applications and a split-tunneled VPN design has dramatically reduced the load on VPN servers in most areas of the world.

Using VPN profiles to improve the user experience

We use Microsoft Endpoint Manager to manage our domain-joined and Microsoft Azure AD–joined computers and the mobile devices that have enrolled in the service. In our configuration, VPN profiles are delivered through Microsoft Intune and applied to enrolled devices; for Windows 10 devices the profiles are paired with certificates issued through Configuration Manager. We support Mac and Linux VPN connectivity with a third-party client that uses SAML-based authentication.

We use certificate-based authentication (backed by a public key infrastructure, or PKI) together with multi‑factor authentication. When employees first use the Auto-On VPN connection profile, they are prompted to authenticate strongly; our VPN infrastructure supports Windows Hello for Business and Multi-Factor Authentication. On successful authentication, a cryptographically protected certificate is stored on the device, which allows subsequent connections to be persistent or automatic.

For more information about how we use Microsoft Intune and Endpoint Manager as part of our device management strategy, see Managing Windows 10 devices with Microsoft Intune.

Configuring and installing VPN connection profiles

We created VPN profiles that contain all the information a device requires to connect to the corporate network, including the supported authentication methods and the VPN gateways that the device should connect to. We created the connection profiles for domain-joined and Microsoft Intune–managed devices using Microsoft Endpoint Manager.

For more information about creating VPN profiles, see VPN profiles in Configuration Manager and How to Create VPN Profiles in Configuration Manager.

The Microsoft Intune custom profile for Intune-managed devices uses Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings with XML data type, as illustrated below.

Creating a Profile XML and editing the OMA-URI settings to create a connection profile in System Center Configuration Manager.

Installing the VPN connection profile

The VPN connection profile is installed using a script on domain-joined computers running Windows 10, through a policy in Endpoint Manager.

For more information about how we use Microsoft Intune as part of our mobile device management strategy, see Mobile device management at Microsoft.

Conditional Access

We use an optional feature that checks device health and compliance with corporate policy before allowing a device to connect. Conditional Access is supported with connection profiles, and we’ve started using this feature in our environment.

Rather than relying only on a long-lived managed-device certificate for a “pass” or “fail” on the VPN connection, Conditional Access holds the device in a quarantined state while it checks for the latest required security updates and antivirus definitions, to help ensure that the system isn’t introducing risk. On every connection attempt, the device must obtain a fresh certificate attesting that it is still compliant with corporate policy.
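An added example, not Microsoft’s internal policy, of how the device-compliance requirement above is expressed as an Azure AD Conditional Access policy through Microsoft Graph. It assumes the Microsoft.Graph PowerShell module is installed, that the tenant already has the “VPN Server” cloud app that Azure AD creates when VPN connectivity is configured in the Conditional Access blade, and a pilot group ID (the all-zero GUID is a placeholder). The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example, not Microsoft's internal policy. Assumes the Microsoft.Graph module and an existing
# "VPN Server" service principal (created when VPN connectivity is set up under Conditional Access).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

function Get-VpnServerAppId {
    # The policy must target the app the VPN client authenticates to, not "all cloud apps".
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=displayName eq 'VPN Server'"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    if (-not $resp.value) {
        throw "No 'VPN Server' service principal found; configure VPN connectivity in Conditional Access first."
    }
    $resp.value[0].appId
}

function New-VpnCompliancePolicy {
    param(
        [Parameter(Mandatory)][string]$PilotGroupId,
        [Parameter(Mandatory)][string]$VpnAppId,
        [switch]$Enforce                      # default is report-only
    )
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $body = @{
        displayName = 'VPN: require compliant device'
        state       = $state
        conditions  = @{
            users          = @{ includeGroups = @($PilotGroupId) }   # scope to a pilot group first
            applications   = @{ includeApplications = @($VpnAppId) }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')                  # Intune compliance = the health check
        }
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'
}

$policy = New-VpnCompliancePolicy -PilotGroupId '00000000-0000-0000-0000-000000000000' -VpnAppId (Get-VpnServerAppId)
"Created policy $($policy.id) in state $($policy.state)"
```

Once the report-only results show no unexpected blocks for the pilot group, rerun with -Enforce (or widen the scope in the portal). Keep at least one break-glass account excluded from any enforced VPN policy.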

Certificate and device enrollment

We use an Azure AD–issued certificate for single sign-on to the VPN connection profile. We currently use Simple Certificate Enrollment Protocol (SCEP) and Network Device Enrollment Service (NDES) to deploy certificates to our mobile devices via Microsoft Endpoint Manager; the SCEP certificate we issue is used for both wireless and VPN. NDES allows software on routers and other network devices that run without domain credentials to obtain certificates using SCEP.

NDES performs the following functions:

  1. It generates and provides one-time enrollment passwords to administrators.
  2. It submits enrollment requests to the certificate authority (CA).
  3. It retrieves enrolled certificates from the CA and forwards them to the network device.

For more information about deploying NDES, including best practices, see Securing and Hardening Network Device Enrollment Service for Microsoft Intune and System Center Configuration Manager.

VPN client connection flow

The diagram below illustrates the VPN client-side connection flow.

The client-side VPN connection flow, showing client components, Azure components, and site components.

When a device-compliance–enabled VPN connection profile is triggered (either manually or automatically):

  1. The VPN client calls into the Windows 10 Azure AD Token Broker on the local device and identifies itself as a VPN client.
  2. The Azure AD Token Broker authenticates to Azure AD and provides it with information about the device trying to connect. A device check is performed by Azure AD to determine whether the device complies with our VPN policies.
  3. If the device is compliant, Azure AD requests a short-lived certificate. If the device isn’t compliant, we perform remediation steps.
  4. Azure AD pushes down a short-lived certificate to the Certificate Store via the Token Broker. The Token Broker then returns control back over to the VPN client for further connection processing.
  5. The VPN client uses the Azure AD–issued certificate to authenticate with the VPN gateway.

Remote access infrastructure

At Microsoft, we have designed and deployed a hybrid infrastructure to provide remote access for all the supported operating systems—using Azure for load balancing and identity services and specialized VPN appliances. We had several considerations when designing the platform:

  • Redundancy. The service needed to be highly resilient so that it could continue to operate if a single appliance, site, or even large region failed.
  • Capacity. As a worldwide service meant to be used by the entire company and to handle the expected growth of VPN, the solution had to be sized with enough capacity to handle 200,000 concurrent VPN sessions.
  • Homogenized site configuration. A standard hardware and configuration stamp was a necessity both for initial deployment and operational simplicity.
  • Central management and monitoring. We ensured end-to-end visibility through centralized data stores and reporting.
  • Azure AD–based authentication. We moved away from on-premises Active Directory and used Azure AD to authenticate and authorize users.
  • Multi-device support. We had to build a service that could be used by as much of the ecosystem as possible, including Windows, OSX, Linux, and appliances.
  • Automation. Being able to programmatically administer the service was critical. It needed to work with existing automation and monitoring tools.

When we were designing the VPN topology, we considered the location of the resources that employees were accessing when they were connected to the corporate network. If most of the connections from employees at a remote site were to resources located in central datacenters, more consideration was given to bandwidth availability and connection health between that remote site and the destination. In some cases, additional network bandwidth infrastructure has been deployed as needed. The illustration below provides an overview of our remote access infrastructure.

VPN infrastructure. Diagram shows the connection from the internet to Azure traffic manager profiles, then to the VPN site.
Microsoft remote access infrastructure.

VPN tunnel types

Our VPN solution provides network transport over Secure Sockets Layer (SSL). The VPN appliances force Transport Layer Security (TLS) 1.2 for SSL session initiation, and the strongest possible cipher suite negotiated is used for the VPN tunnel encryption. We use several tunnel configurations depending on the locations of users and level of security needed.

Split tunneling

Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all internet traffic goes directly through the internet without traversing the VPN tunnel or infrastructure. Our migration to Office 365 and Azure has dramatically reduced the need for connections to the corporate network. We rely on the security controls of applications hosted in Azure and services of Office 365 to help secure this traffic. For endpoint protection, we use Microsoft Defender Advanced Threat Protection on all clients. In our VPN connection profile, split tunneling is enabled by default and used by the majority of Microsoft employees. Learn more about Office 365 split tunnel configuration.

Full tunneling

Full tunneling routes and encrypts all traffic through the VPN. There are some countries and business requirements that make full tunneling necessary. This is accomplished by running a distinct VPN configuration on the same infrastructure as the rest of the VPN service. A separate VPN profile is pushed to the clients who require it, and this profile points to the full-tunnel gateways.

Full tunnel with high security

Our IT employees and some developers access company infrastructure or extremely sensitive data. These users are given Privileged Access Workstations, which are secured and restricted, and which connect to a separate, highly controlled infrastructure.

Applying and enforcing policies

In Microsoft Digital, the Conditional Access administrator is responsible for defining the VPN Compliance Policy for domain-joined Windows 10 desktops, including enterprise laptops and tablets, within the Microsoft Azure Portal administrative experience. This policy is then published so that the enforcement of the applied policy can be managed through Microsoft Endpoint Manager. Microsoft Endpoint Manager provides policy enforcement, as well as certificate enrollment and deployment, on behalf of the client device.

For more information about policies, see VPN and Conditional Access.

Early adopters help validate new policies

With every new Windows 10 update, we rolled out a pre-release version to a group of about 15,000 early adopters a few months before its release. Early adopters validated the new credential functionality and used remote access connection scenarios to provide valuable feedback that we could take back to the product development team. Using early adopters helped validate and improve features and functionality, influenced how we prepared for the broader deployment across Microsoft, and helped us prepare support channels for the types of issues that employees might experience.

Measuring service health

We measure many aspects of the VPN service and report on the number of unique users that connect every month, the number of daily users, and the duration of connections. We have invested heavily in telemetry and automation throughout the Microsoft network environment. Telemetry allows for data-driven decisions in making infrastructure investments and identifying potential bandwidth issues ahead of saturation.

Using Power BI to customize operational insight dashboards

Our service health reporting is centralized using Power BI dashboards to display consolidated data views of VPN performance. Data is aggregated into an SQL Azure data warehouse from VPN appliance logging, network device telemetry, and anonymized device performance data. These dashboards, shown in the two graphics below, are tailored for the teams using them.

A map is shown with icons depicting the status of each VPN site globally. All are in a good state.
Global VPN status dashboard.
Six graphs make up the VPN performance reporting dashboards; they include peak internet usage, peak VPN bandwidth, and peak VPN concurrent sessions.
Microsoft Power BI reporting dashboards.

Key Takeaways

With our optimizations in VPN connection profiles and improvements in the infrastructure, we have seen significant benefits:

  • Reduced VPN requirements. By moving to cloud-based services and applications and implementing split tunneling configurations, we have dramatically reduced our reliance on VPN connections for many users at Microsoft.
  • Auto-connection for improved user experience. VPN connection profiles that are automatically configured for connection and authentication types have improved mobile productivity. They also improve the user experience by giving employees the option to stay connected to VPN—without additional interaction after signing in.
  • Increased capacity and reliability. Reducing the quantity of VPN sites and investing in dedicated VPN hardware has increased our capacity and reliability, now supporting over 500,000 simultaneous connections.
  • Service health visibility. By aggregating data sources and building a single pane of glass in Microsoft Power BI, we have visibility into every aspect of the VPN experience.

The post Enhancing VPN performance at Microsoft appeared first on Inside Track Blog.

Deploying global remote VWAN connectivity with Azure VWAN and Azure VPN http://approjects.co.za/?big=insidetrack/blog/deploying-global-remote-vwan-connectivity-with-azure-vwan-and-azure-vpn/ Tue, 05 Dec 2023 16:57:12 +0000

Microsoft Digital stories

Editor’s note: This is the fifth in an ongoing series on moving our network to the cloud internally at Microsoft. Tap here to read the full series.

In the modern workplace, Microsoft employees access their work from diverse locations. To ensure secure and efficient connectivity to cloud and on-premises resources for our global workforce, we’re adopting Azure Virtual WAN (VWAN) in conjunction with enterprise-scale security solutions.

Our enterprise-scale security solutions are vital in authenticating remote users across Azure and on-premises resources, enabling seamless service-to-service authentication. Our approach creates a more robust and reliable environment by removing interdependencies between network services and physical locations. Through strong authentication enforcement and role-based access control, our security solutions are tailored to support deployments at an enterprise scale.

We’re evolving remote access for our employees by migrating our remote and VPN access infrastructure to a modern, cloud-based solution using Azure VPN and Azure VWAN. Our new solution accommodates evolving security requirements and scales to support the changing demands of our remote workforce. This transition improves our security posture and enhances the overall efficiency of our remote access infrastructure, aligning seamlessly with our commitment to scalable and secure solutions for our global workforce.

Moving to the Azure-based solution allows us to support all remote access users with the Azure VPN client. This unified approach creates a simplified user experience and performs better for remote employees than our previous solution.

Our solution’s core is Azure Virtual WAN, a networking service that combines many networking, security, and routing functionalities to unify Azure and on-premises networking capability into a single operational interface.

Azure VWAN supports site-to-site, point-to-site, and private connections between Azure and on-premises users and resources using ExpressRoute, Azure VPN, Azure Firewall, and advanced routing configuration. The hub and spoke architecture of Azure VWAN provides enterprise scale and performance from cloud-hosted Azure VWAN hubs in Azure regions across the globe. Using the globally distributed Azure public cloud infrastructure, we can quickly deploy a global transit network architecture for our entire enterprise, supporting instant connectivity from the closest Azure VWAN Hub to any on-premises network endpoints.

Using the Azure VPN client and integrated VPN support built into Azure VWAN, our employees connect to the closest regional hub, securely and efficiently integrating them with Azure VWAN and our global corporate network. Currently, Azure VPN is selectively deployed for specific use case scenarios. It doesn’t serve as the default network access now, but its versatility allows for such a role, and we plan to use Azure VPN as the default remote access solution soon.

User traffic flow on Azure VWAN.
Here’s an architecture diagram that shows user traffic flow on Azure VWAN in our hybrid network environment.

Using Azure VWAN and Azure VPN to manage our global network and remote access has resulted in many improvements to our wide area network architecture and the employee experience when using the network.

We’re using infrastructure as code (IaC) to deploy and scale our VPN capacity, enabling us to quickly accommodate and host over 100,000 users. Our ongoing efforts include onboarding all Microsoft employees to Azure VPN.

Protecting intellectual property is paramount for Microsoft. Our solution provides a highly secure environment through Azure VPN, using industry-standard encryption protocols and advanced security features. This ensures that all data transmitted between employees and resources in Azure or on-premises remains confidential and protected from unauthorized access.

Our architecture is designed to scale seamlessly as the user base grows. With the inherent scalability of Azure Virtual WAN, we can accommodate additional users and network resources without compromising performance. This flexibility ensures that Microsoft can support its expanding workforce without sacrificing connectivity or user experience.

Our network build process uses IaC principles to create a highly adaptable, robust, and reliable network environment. Our deployment templates and resource modules—created using the Bicep language—define the desired state of our VWAN infrastructure in a declarative manner. Following Microsoft best practices, we maintain a central Bicep template that invokes distinct modules—also defined in Bicep—to instantiate the necessary resources for deployment. This modular framework allows us to be flexible and accommodate new changes or requirements by applying various deployment patterns. For more information, visit Deploying a VWAN using infrastructure as code and CI/CD.

Our solution offers centralized management and monitoring capabilities, enabling our support ecosystem to manage our VPN infrastructure efficiently. Our security team can easily configure VPN settings and management using Azure Dashboard, allowing them to monitor usage patterns in a smart way. This centralized control ensures streamlined administration and effective troubleshooting.

We design the user experience to maximize productivity. Our solution optimizes network connectivity, relying on a global profile to minimize latency and allow employees to access hosted resources seamlessly from anywhere in the world. This eliminates barriers to productivity and empowers users to collaborate efficiently, irrespective of their geographic location.

Intellectual property protection often involves compliance requirements. Our solution adheres to industry best practices and relevant regulations to ensure that we meet necessary compliance standards. This includes data privacy, access controls, and auditability, providing peace of mind that intellectual property is handled in a secure and compliant manner.

We’re excited about the successful enterprise-scale deployment of our Azure Virtual WAN and Azure VPN-based solution. This deployment increases our ability to safeguard intellectual property while seamlessly supporting the connectivity needs of Microsoft employees. We remain committed to supporting the internal networking needs of Microsoft and ensuring secure and seamless connectivity as our organization grows.

Contact us today to explore how our solutions can help protect your intellectual property, enable remote access at scale, and provide a robust and secure network infrastructure tailored to your organization’s unique requirements.

Key Takeaways

  • Migrate to a cloud-based VPN solution. Transition your VPN and remote access infrastructure to Azure VPN and Azure VWAN for a more scalable and secure remote access solution.
  • Leverage Infrastructure as Code for network management. Adopt infrastructure as code (IaC) using the Bicep language to efficiently manage and scale your network infrastructure, allowing for flexible and rapid deployment.
  • Plan for scalability and user growth. Ensure your network architecture is designed to scale seamlessly with Azure Virtual WAN, accommodating additional users and resources without sacrificing performance.
  • Centralize management and monitoring. Use centralized management and monitoring tools, such as the Azure Dashboard, to efficiently administer VPN settings and manage network usage.

Try it out

Get started with Azure VWAN with routing intent and routing policies at your company.


The post Deploying global remote VWAN connectivity with Azure VWAN and Azure VPN appeared first on Inside Track Blog.

Sharing Microsoft’s Zero Trust networking lessons for leaders http://approjects.co.za/?big=insidetrack/blog/zero-trust-networking-sharing-lessons-for-leaders/ Mon, 06 Nov 2023 09:00:51 +0000

Microsoft Digital technical stories

Today we want to share the lessons we’re learning from deploying Zero Trust networking across Microsoft.

In many enterprises, network security has traditionally focused on strictly secured and monitored corporate network perimeters. Today, in a mobile-first and cloud-first world, business network traffic exists outside the corporate network as much as it does within. The rate and the sophistication level of security attacks are increasing. Organizations can no longer rely on the traditional model of simply protecting their remaining internal environments behind a firewall. Adopting a Zero Trust strategy can help to ensure optimal security without compromising end users’ experiences.

Our team in Microsoft Digital (MSD) is deploying Zero Trust networking across the enterprise to support the Zero Trust model that our internal security team is implementing across Microsoft.

The Zero Trust model centers on strong identity, least-privilege access, device health verification, and service level control and telemetry across the entire IT infrastructure. The network perimeter is no longer the primary method of defense for an enterprise.

At Microsoft’s scale, with more than 600 sites in 120 countries and regions, evolving our network strategy to embrace Zero Trust networking has required alignment across the entire organization.

The graphic depicts the fundamental pillars of the Zero Trust model: identity, access, device, and services.
The fundamental pillars of the Zero Trust model.

[Gain insight from Microsoft’s digital security team on Top 10 questions for Zero Trust. | Read more about sharing how Microsoft protects against ransomware. | Unpack the lessons learned in engineering Zero Trust networking.]

Sharing leadership lessons

Throughout our journey toward Zero Trust networking, we’ve learned valuable lessons. We’ve experienced challenges in the various stages of implementation that forced us to reassess and adjust our tactics and methods. We hope that by sharing our experiences we can help other enterprises better prepare to adopt and implement a Zero Trust networking strategy and overcome similar obstacles.

To read more about the lessons that our engineers have learned from our Zero Trust networking deployment, visit Lessons learned in engineering Zero Trust networking.

Planning and design

Plan using a broad scope

The impact of implementing Zero Trust networking is significant because of its size and scope. At Microsoft, early and big-picture planning involved all relevant stakeholders, including network teams, security teams, user experience teams, team managers, infrastructure service providers, and compliance auditors. We started with a comprehensive plan and worked toward more specific plans and goals.

Establish goals

We established several primary goals that we used as targets for the implementation process. While each of these considerations involved a finite subset of goals and discrete features that informed the specifics of Zero Trust networking implementation, they also served as high-level signposts to provide the direction that best supported our business. Our primary goals included:

  • Understand the environment and architecture. Zero Trust networking involved fundamental changes to our network and how our business used it. We needed to understand our existing infrastructure on several different levels: what equipment was in the field, how our network was supporting critical business processes, and what network aspects we must change to support Zero Trust networking properly. This included understanding wired and wireless user-experience scenarios, evaluating traffic patterns, and measuring inbound and outbound capacity utilization. Investing in data insights and visualizations was critical to measuring current usage and modeling future usage.
  • Be deliberate about implementation scope. We established scope early. We set all corporate-managed user wired and wireless networks in scope for Zero Trust networking but left dedicated engineering and services environments, like labs and datacenters, out of scope. A well-defined scope set firm boundaries for implementation tasks that followed. If our engineers could examine our scope documentation and observe that a specific device class was out of scope, they could identify that equipment easily when they encountered it in the field during implementation. Technical and fiscal limitations also directly affected the scope. If we couldn’t replace 50,000 simple IP devices in a location or region because of cost or replacement availability, we knew that those devices must be isolated from the network and addressed when a replacement was viable.
  • Establish staffing and knowledge base requirements. There were many aspects of Zero Trust networking that required specific knowledge, including network security expertise, firewall and policy management, network telemetry, and foundational knowledge of traditional network functions. In addition, we identified opportunities for more in-depth automation of network configuration and deployment activity to reduce workload for our engineers and reduce the need for staffing increases.
  • Embrace the internet as transport. A Zero Trust Networking implementation shifts to the internet as the default network of choice to get users and systems to their dominant cloud workloads. At Microsoft, we had been dependent on a traditional, flat corporate network model for decades. Embracing the internet meant rethinking and restructuring our network to best support the Zero Trust model. Internet-first thinking informed our decision making in all implementation areas, including perimeter security, segmentation and routing, device selection, security and policy standards, and user experience.

Teams and organization

Leadership engagement

Across any large organization, individual lines of business and departments have varying requirements. We involved leadership at all levels in Microsoft to create transparency, collect information, and gain allies and sponsors for implementing a Zero Trust network. Because we’re also asking our customers to trust us with their critical data and workloads, our cloud offerings and services also must reflect—and support—Zero Trust principles.

We engaged executive leadership and obtained sponsorship as early in the process as possible. Visible leadership support helped drive the project forward. Effective sponsorship helped our teams overcome priority conflicts and other cultural and operational obstacles.

Governance and responsibilities

In partnership with our security team, we established governance to bring our leadership together. We addressed roles and responsibilities across teams, ensuring that we documented them. We established intake prioritization standards to ensure that our implementation teams worked on the most important tasks from a business perspective. To set these standards, we examined the business impact and implementation effort for new tasks as they arose by using an agile framework.

Planning and implementation teams

We required a broad range of business and technical knowledge across planning and implementation teams. We needed security experts that could reevaluate our network policies and standards across the implementation. We included network experts from various areas, including wired and wireless networks, virtualization and network segmentation, traffic management, quality of service (QoS), and device configuration. Understanding the potential impact on existing network team members was also important. Fortunately, we had already added software engineering expertise to our network engineering teams to drive automation, and Zero Trust accelerated that. We ensured that we placed our experts in planning and decision-making roles, thereby making the best use of our internal intellectual property. Finally, we directed as much of our high-effort, low-impact work as possible, including physical infrastructure installation and maintenance, to outsourced providers.

Meetings and communication

Meeting cadence and scope

We based our meetings and communications strategy on agile methodology, a collaborative effort of self-organizing and cross-functional teams that could plan and iterate rapidly. Our core teams met briefly and often, while meetings including stakeholders and executive leadership occurred less frequently. We applied governance for how our teams worked together: how often we met, roles and responsibilities, and how we prioritized incoming work and changes to our plans. The following list reflects our meeting structure and frequency:

  • Several times a week
    • Conduct brief stand-up meetings with our security, end-user experience, and business teams
    • Track feature progress
    • Track potential blockers
    • Assess overall project health
  • Biweekly
    • Meet with stakeholders to provide progress updates in specific areas
  • Monthly
    • Meet with steering committee, sponsors, and use-case scenario owners
  • Quarterly
    • Meet with executive leadership to check alignment with business goals and plan for the future
    • Secure budget in time for fiscal planning to ensure that we could fund upcoming tasks
    • Align resource allocation for upcoming tasks

Measurement and assessment

We created and relied on process-monitoring systems and reporting dashboards to keep all team members informed on project status. We used Microsoft Power BI to build dashboards for teams at all levels, ensuring that each team, leader, stakeholder, or sponsor had an active overview of their relevant area. A partial list of useful dashboards included:

  • Device inventory, to identify our install base, OS versions, and whether they could accept our new network policies and configuration standards.
  • Configuration change tracking, to understand where we were on our Zero Trust journey, which devices were successfully onboarded, and which devices remained on legacy configurations.
  • Usage monitoring, to understand our application patterns and help answer questions such as “Which applications still require VPN, and does each application have a roadmap to cloud adoption?”
  • Internet of Things (IoT) inventory and network usage, to identify vulnerable devices such as conferencing kiosks, building-management systems, and life-safety systems. These are typically a primary focus area in a Zero Trust framework.

Deployment and execution

User experience assessment

User experience is one of our primary measures for organizational effectiveness across all Microsoft systems. Our users work in diverse locations, regions, and cultures, and a potentially different experience characterizes each location. Reaching out to our users and measuring experience and impact throughout the Zero Trust networking implementation helped us understand and avoid potential issues.

Situational dependencies, such as data-residency laws or telecom-systems capabilities, required us to change implementation plans. It was important to identify these dependencies and anomalies as early as possible in our deployment processes so that we could plan and adapt accordingly.

At Microsoft, a significant portion of our network workload comes from engineering teams with unique user experiences. Software and hardware engineers who build and test systems have very different network usage profiles from typical information workers. We reached out early and often to this community to understand their current and future needs and account for them in our deployment flight planning.

Involvement of local support and users

Local IT and leadership teams were also instrumental in implementing Zero Trust networking across Microsoft. We relied heavily on local IT staff to supply information about their environment and to ensure that our solutions accounted for local functionality limitations and technical considerations. These included the inventory of network resources, the applications and services required for productivity, and the impact of network traffic and topology changes.

Staff members’ input reduced the engineering workload and increased the overall knowledge base that our engineers had when designing each regional implementation. We used our local and regional teams’ capabilities to collect and supply information. Local staff—including technical, support, and leadership teams in each location—who were informed about and included in the planning and design process helped prevent surprise obstacles. These individuals also served as valuable advocates and advisors when we deployed Zero Trust networking; when our deployment reached their building or region, we had local support to ensure a smooth transition.

Key Takeaways

Zero Trust networking supports a model that effectively adapts to the complexity of the modern corporate environment. It supports the mobile workforce and protects people, devices, apps, and data regardless of location. In sharing the lessons that we’ve learned so far, we hope to help other enterprises adopt Zero Trust networking effectively and efficiently. As we continue to deploy the Zero Trust model across the Microsoft enterprise, we’re learning from our experience and adapting our approach to achieve our goals.

The post Sharing Microsoft’s Zero Trust networking lessons for leaders appeared first on Inside Track Blog.

Microsoft helps employees work securely from home using a Zero Trust strategy http://approjects.co.za/?big=insidetrack/blog/microsoft-helps-employees-work-securely-from-home-using-a-zero-trust-strategy/ Fri, 04 Aug 2023 14:30:51 +0000

Microsoft Digital Perspectives

When COVID-19 began its spread across the globe, Microsoft moved quickly to ensure our employees were able to work securely from home. Fortunately, we had a business continuity crisis plan in place that we used to guide our response.

Our ability to respond to the crisis was greatly enhanced by how prepared Microsoft was to have its employees work from home. Having an entire company suddenly shift to remote working comes with its own challenges—it’s a lot more complex than making sure an employee’s laptop and home Wi-Fi are secure.

Jared Spataro, corporate vice president for Microsoft 365, and Nathalie D’Hers, corporate vice president of Employee Experience, shared nine things that our larger IT team, Microsoft Digital, is doing to enable remote work at Microsoft. What I found most interesting about their conversation is how many of those nine things tie back to our Zero Trust initiative.

Specifically, our Zero Trust strategy calls for strong identity authentication everywhere by confirming that all our users are validated using multifactor authentication (MFA). It requires that all devices employees use for work are managed and healthy. It accomplishes this by using Microsoft Intune for device management. It also relies on pervasive telemetry to monitor the performance and health of all services, applications, and networks.

Another way to think of Zero Trust is as a requirement for constant verification. Throughout the process, Microsoft continuously monitors all access to corporate services, applications, and network connections.

Our security strategy has been focused on Zero Trust security principles for a while now. The strategy helps us navigate supporting the vast majority of our employees as they work from home. Our ability to ensure that all of our employees are using MFA and continuously verifying that all devices on our network are managed and healthy has allowed us to accelerate our adoption of our Zero Trust strategy and to move away from a perimeter-based security model.

For most of our users, we've been able to move away from using a virtual private network (VPN) to access our line of business applications. We have moved most of our line of business (LOB) applications to Microsoft Azure, where they are internet accessible. Applications that we are not able to move to Microsoft Azure are being published with an internet proxy. Finally, we use virtualization via Windows Virtual Desktop to provide our employees, vendors, and guests with the ability to access Microsoft applications in a more constrained environment that restricts movement to other Microsoft resources and network resources.

The result is that our employees can remotely access most of our LOB applications without needing to use VPN. This meant Microsoft was very well positioned when it came time to ask our employees to work from home.

We haven’t finished deploying our Zero Trust vision, but our framework is in place, and that’s helping us successfully support our remote-working employees.

If your company is transitioning its workforce to remote working and you don’t already have these same elements in place, it’s probably overwhelming to think about where to begin. We suggest you start by implementing MFA. If you don’t have the necessary hardware to leverage biometrics, you can start with an app like Microsoft Authenticator. This step is the single best thing you can do to secure your environment.

One of the benefits of our approach to Zero Trust is that it gives each company the ability to align security strategy with the cloud-first strategy that we are seeing in the industry. If you want to know more about our approach, read Using a Zero Trust strategy to secure Microsoft’s network during remote work. You’ll find more content about our Zero Trust strategy by visiting this Transitioning to modern access architecture with Zero Trust content suite and by reading this Implementing a Zero Trust security Model at Microsoft article.

The post Microsoft helps employees work securely from home using a Zero Trust strategy appeared first on Inside Track Blog.

Running on VPN: How Microsoft is keeping its remote workforce connected http://approjects.co.za/?big=insidetrack/blog/running-on-vpn-how-microsoft-is-keeping-its-remote-workforce-connected/ Wed, 02 Aug 2023 16:00:02 +0000

Microsoft Digital Perspectives

To ensure that employees had a reliable hybrid work experience at the onset of the COVID-19 pandemic, Steve Means, principal cloud network engineering manager in Microsoft Digital Employee Experience, and his team set out to make sure that the company's internal network would hold up.

They were cautiously optimistic—the team had just rebuilt the entire network, including the virtual private network (VPN). This network supports access to key internal servers with protected data, personnel information, and other critical assets that must be on lockdown.

"Our network has done very well for employees working remotely," Means says. "So far, we've seen a really strong performance from our network and VPN, specifically."

The strong response has been fueled by an earlier decision the team made to reduce the workload that the company pushes through its VPN pipes. The team did that by implementing split tunneling at most of its locations worldwide, which funnels the majority of the company’s mobile workload to the internet.

Split tunneling became possible because Microsoft is nearly 100 percent in the cloud, which allows its remote workers to access core applications and experiences over the internet via Microsoft Azure and Office 365. Before the company migrated to the cloud, everything would have been routed through VPN.

“It really helps us that most of our mobile workload—including traffic to high volume and performance sensitive Office 365 and Azure applications—is securely routed directly over the internet,” Means says.

In retrospect, adopting split tunneling was a pivotal decision.

“It is allowing our employees to maintain their normal level of productivity even as they work remotely,” he says.

He pointed to how employees are now using Microsoft Teams as an example.

“Our employees have significantly increased their usage of voice and video conferencing on Teams,” he says. “We’ve been able to sustain this massive spike in Teams usage without major issues because it’s being routed over the internet—leaving our VPN capacity for just necessary connections between users and our internal resources.”

There have been challenges, however, which began when Microsoft's employees in China started working from home.

“Unlike here at our headquarters and other worldwide locations, when our employees in China work remotely, everything they do goes exclusively through our VPN pipe,” Means says.

That meant 100 percent of the workload of employees in Shanghai and Beijing was suddenly going through already heavily used VPN gateways.

“It was almost an overnight phenomenon,” Means says. “We were suddenly seeing usage of 85 to 95 percent of our network bandwidth and our VPN capacity.”

Already tight before the spread of COVID-19 began, VPN was quickly becoming a bottleneck in China.

“We started asking ourselves a lot of questions,” Means says. “Can we handle the expected number of concurrent VPN sessions? How is bandwidth holding up for employees? What’s their experience like? Are they all being successful?”

Quick action was needed.

“We had data to answer all the questions, but what we didn’t have was a single pane of glass where we could quickly look at everything to see what was happening across the company’s infrastructure,” Means says. “And company leaders were trying to figure out how to respond to the crisis—they needed data from us, and they needed it quickly.”

The answer was to identify the data that mattered the most and aggregate it into a Microsoft Power BI dashboard, which the company now uses to track all its VPN systems as the COVID-19 situation evolves.

As for the offices in Shanghai and Beijing, Means’s team worked with local internet providers to increase VPN capacity by 50 percent so they had enough headroom to handle the new usage safely.

“That was a budget decision,” Means says. All they had to do was sign some contracts—no new hardware was needed. “Once we agreed that it was the right thing to do, we were able to remove that bottleneck in less than a day.”

[Explore using a Zero Trust strategy to secure Microsoft’s network during remote work. Unpack enhancing VPN performance at Microsoft. Discover how Microsoft Sentinel protects Microsoft from cybersecurity attacks.]

Investments in VPN infrastructure paying off

The notion of Microsoft’s employees and vendors frequently working remotely was daunting, but Means was confident that its VPN infrastructure would support that sudden spike in demand.

Three years ago, he would not have been so optimistic.

“We were in a tough spot a few years ago,” Means says. “We had multiple and complex reasons for why our employees’ end-to-end VPN experience wasn’t very strong—it was a complicated stack that had multiple potential failure points.”

The team ran into issues on the Windows side, there were challenges with the network, and the company was using several different VPN clients at once, which created confusion and complexity for employees. Means’s team worked closely with the Windows team, and through direct partnership and engagement, helped drive significant stability improvements in the Windows native VPN client.

“We saw a connectivity success rate in the 60 to 65 percent range, which is very low,” Means says. “That meant that a third of people would run into an issue every time they tried to work remotely.”

A fix was needed.

“We knew this could become a problem if we had a situation where we needed many of our employees to work remotely,” Means says. “So, we invested heavily in strengthening our VPN service by focusing on the user experience and partnering closely with internal teams.”

“We built the new system so it could support over 200,000 concurrent sessions,” Means says. “In an extreme situation, we could support that many people on VPN at the same time.”

Microsoft has 221,000 employees and a large contingent of vendors who work on the company’s network. They don’t all work at the same time, but the goal was to cover the worst-case scenario and to future-proof the solution.

“Across the world, we normally have about 55,000 employees connect via VPN on a given day,” Means says. “With everyone working remotely, that has climbed as high as 128,000 employees and vendors per day, including about 45,000 per day at our headquarters in Redmond.”

Previously, employees used a large number of gateways to access the company’s internal network, but many of those gateways provided poor connectivity.

"We consolidated the gateways to data centers and locations with reliable and plentiful bandwidth," Means says. "This shrank the number of gateway sites, but increased overall reliability and made it so we could handle more concurrent connections."

The hybrid design that the team put together uses Microsoft Azure Traffic Manager to geolocate VPN users. “That allowed us to send them to their nearest gateway and to meet scale demands,” he says. “We used Azure Active Directory (AAD) to authenticate our users and to validate the status of their device before allowing them on VPN.”

The team also began using servers that can handle 30,000 or 60,000 users each, much more than the old servers that could only handle 750 to 2,000 users. “Theoretically, we could now handle 500,000 concurrent VPN connections worldwide,” Means says.

Means says the improvement in the company’s VPN service was substantial, so much so that employees forgot it was working behind the scenes when they worked remotely.

Despite being worked harder than ever before, the company’s VPN infrastructure is performing at a high level. “Knock on wood, there have been no major incidents,” Means says.

Importantly, VPN is allowing employees to get their work done.

“Today, even as many of our employees work remotely, our success rate is at 92 percent,” Means says. “That’s one of the highest rates we’ve ever recorded—the only reason it isn’t at 99 percent is because that number includes drops because of reboots during patch updates, getting disconnected from Wi-Fi, and home network or internet service provider issues.”

Employee productivity also has held strong.

“We measure employee productivity, and the productivity of our software engineers in particular,” Means says. “We look at pull requests, commits per day, and other indicators—so far, we haven’t seen any measurable drop in work performance.”

Means says the situation is creating a learning moment for his team.

“One thing that we’re learning is it’s really about the data,” he says. “There are so many things we can measure—finding the right things to measure so we can take the right actions is critical.”

The team’s data-centric approach to VPN and networking also has allowed it to make smart investments, like provisioning capacity only when required. It also helps the team respond quickly when needed—as was the case when Italy tightened its remote working restrictions.

“We doubled capacity in London, which is where we run the VPN connection for our employees in Italy,” Means says. “Having good data allows us to quickly take proactive action when needed and to stay ahead of the game at all times.”

The team also saw the potential for a bottleneck at its headquarters in Redmond, Washington, where the number of concurrent sessions that VPN needed to support was climbing close to capacity. The company addressed this concern by adding another VPN gateway.

“This has caused us to reflect on our readiness efforts overall,” Means says. “We’ve used this as an opportunity to improve how we do things.”

The team expects to keep learning and adding to the VPN capabilities.

Key Takeaways

Tips for retooling VPN at your company

For enterprises and organizations looking to optimize and scale out their VPN capabilities, some of the best practices shown above and recommended by Microsoft are:

  • Consider reducing the load on your VPN infrastructure by using split-tunnel VPN: send network traffic directly to the internet for "known good" and well-defined SaaS services like Teams and other Office 365 services, or, optimally, send all non-corporate traffic to the internet if your security rules allow.
  • Collect user connection and traffic data for your VPN infrastructure in a central location; use modern visualization services, like Power BI, to identify hot spots before they happen and to plan for growth.
  • Use Azure Sentinel to organize log collections, including user connection and traffic data, in a central location for your VPN infrastructure.
  • If possible, use a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates and to improve security with multi-factor authentication (MFA), provided your VPN client is Active Directory aware, like the Azure OpenVPN client.
  • Geographically distribute your VPN sites to match major user populations, and use a geo-load-balancing solution such as Azure Traffic Manager to direct users to the closest VPN site and distribute traffic between your VPN sites.

Finally, and probably most important, know the limits of your VPN connection infrastructure and how to scale out in times of need. Factors such as total available bandwidth and maximum concurrent user connections per device will determine when you'll need to add more VPN devices.

If your devices are physical hardware, having additional supply on hand or a rapid supply-chain source will be critical. For cloud solutions, knowing ahead of time how and when to scale will make the difference.
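As an added example (not Microsoft's code, nor the Power BI dashboard the article describes), this Python script aggregates constructed VPN gateway log lines into the per-gateway view the tips above call for: connection success rate, peak concurrent sessions against a capacity figure, the disconnect reasons behind the gap, and an alert when utilization enters the 85 percent zone the article treats as a bottleneck. The log format, gateway names, capacities and reason tags are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an assumed format (not real Microsoft gateway logs):
# <ISO timestamp> gateway=<site> user=<id> event=<connect|disconnect|fail> [reason=<tag>]
SAMPLE_LOG = """\
2020-03-16T08:00:01Z gateway=shanghai user=u001 event=connect
2020-03-16T08:00:05Z gateway=shanghai user=u002 event=connect
2020-03-16T08:00:09Z gateway=shanghai user=u003 event=fail reason=auth_timeout
2020-03-16T08:01:00Z gateway=shanghai user=u004 event=connect
2020-03-16T08:02:00Z gateway=shanghai user=u001 event=disconnect reason=wifi_drop
2020-03-16T08:02:30Z gateway=redmond user=u101 event=connect
2020-03-16T08:02:31Z gateway=redmond user=u102 event=connect
2020-03-16T08:02:40Z gateway=redmond user=u103 event=fail reason=device_unhealthy
2020-03-16T08:03:00Z gateway=redmond user=u101 event=disconnect reason=patch_reboot
this line is malformed and must be skipped rather than crash the aggregation
"""

# Constructed per-gateway concurrent-session limits (hypothetical, not the article's figures).
CAPACITY = {"shanghai": 3, "redmond": 10}
WARN_UTILIZATION = 0.85  # the article describes 85-95% utilization as the bottleneck zone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway=(?P<gw>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>connect|disconnect|fail)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, capacity, warn=WARN_UTILIZATION):
    """Aggregate connection events into a per-gateway report.

    Lines are processed in order. A disconnect for a user who was never seen
    connecting (out-of-order or truncated logs) is ignored instead of driving
    the session count negative, and malformed lines are counted, not fatal.
    """
    attempts, successes, peak = Counter(), Counter(), Counter()
    active = defaultdict(set)        # gateway -> users currently connected
    reasons = defaultdict(Counter)   # gateway -> failure/disconnect reason -> count
    skipped = 0

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        gw, user, event = rec["gw"], rec["user"], rec["event"]
        if event == "connect":
            attempts[gw] += 1
            successes[gw] += 1
            active[gw].add(user)
            peak[gw] = max(peak[gw], len(active[gw]))
        elif event == "fail":
            attempts[gw] += 1
            reasons[gw][rec["reason"] or "unknown"] += 1
        else:  # disconnect
            active[gw].discard(user)
            reasons[gw][rec["reason"] or "unknown"] += 1

    report = {}
    for gw in sorted(attempts):
        cap = capacity.get(gw)
        util = peak[gw] / cap if cap else None   # None when no capacity figure is known
        report[gw] = {
            "success_rate": successes[gw] / attempts[gw],
            "peak_sessions": peak[gw],
            "utilization": util,
            "alert": util is not None and util >= warn,
            "reasons": dict(reasons[gw]),
        }
    return report, skipped


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG, CAPACITY)
    for gw, s in report.items():
        util = "n/a" if s["utilization"] is None else f"{s['utilization']:.0%}"
        flag = "ADD CAPACITY" if s["alert"] else "ok"
        print(f"{gw:10s} success={s['success_rate']:.0%} peak={s['peak_sessions']} "
              f"util={util} {flag} reasons={s['reasons']}")
    print(f"skipped malformed lines: {skipped}")
```

Separating the disconnect reasons lets you tell client-side drops (Wi-Fi, patch reboots) from gateway or authentication problems when the raw success rate dips, which is the distinction the article draws for its own 92 percent figure.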

Azure offers a native, highly scalable VPN gateway, as well as the most common third-party VPN and SD-WAN network virtual appliances in the Azure Marketplace.

For more information on these and other Azure and Office network optimization practices, please see the related links.

The post Running on VPN: How Microsoft is keeping its remote workforce connected appeared first on Inside Track Blog.

Jamming to a new tune: Transforming Microsoft's printing infrastructure with Universal Print http://approjects.co.za/?big=insidetrack/blog/jamming-to-a-new-tune-transforming-microsofts-printing-infrastructure-with-universal-print/ Tue, 20 Jun 2023 16:15:28 +0000

Microsoft Digital stories

[Editor's note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we're republishing it here so you can see what our thinking and experience was like at the time.]

Most people don’t give much thought to printing.

In the best-case scenario, you select a button and your paper comes out. Other times, you might have to fiddle with locating printers, driver installations, and of course, the occasional paper jam. There are good reasons why this most humble of office essentials is also a common symbol of office frustrations.

Kathren Korsky leads Microsoft’s Universal Print rollout project, which is making print management easier for IT administrators like Korsky. (Photo by Kathren Korsky)

IT administrators like Kathren Korsky think about printers a lot more than most.

As a senior service engineering manager for End User Services at Microsoft, Korsky oversees their organization’s printing strategy and infrastructure. That means maintaining print servers, ensuring connectivity, managing security permissions, and staying on top of compatibility issues with a broad network of third-party hardware partners.

It also means dealing with the security risk printer servers create.

How do printers create such challenges?

Before, anyone who wanted to print in a Microsoft office had to connect to Microsoft’s corporate network. That meant giving them VPN access just so they could print something.

“Corpnet is a very precious corporate asset, and VPN access ends up being a security liability,” Korsky says. “We must eliminate our print service dependency on VPN to achieve our strategic Zero Trust goals.”

Adding to these acute pains were the everyday aches of Microsoft branch offices with no corpnet connection at all, where employees were severely constrained when attempting to print to a shared printer, not to mention the maintenance burden and high energy costs of physical servers.

Then about four years ago, Microsoft Digital began migrating all of its internal servers to the cloud, a project that transitioned 95 percent of its physical servers to Microsoft Azure virtual machines (VMs).

[Learn how Microsoft used Azure to retire hundreds of physical branch-office servers. Find out how Microsoft enabled secure and compliant engineering with Azure DevOps. Unpack seamless and secure cloud printing with Universal Print.]

Connecting printers to the cloud

Korsky’s team joined that cloud migration, and over four years they reduced the company’s 320 on-premises print servers around the world to around 80 Microsoft Azure print server VMs. The team benefited from Microsoft Azure’s security and management capabilities while achieving a print server uptime improvement to nearly 100 percent.

Korsky says the 70 hours per month their team formerly spent patching servers has been reduced to seven.

While the move to Infrastructure as a Service (IaaS) delivered great benefits for the print service, that was not enough. The team needed a solution that could work completely in the public internet space and draw on the advantages of becoming a Platform as a Service (PaaS) approach, which was going to be the next step in the print service transformation.

Working together with Microsoft’s Azure + Edge Computing team, they experimented with a previous offering, Hybrid Cloud Print, but felt that more was needed to simplify the administrator’s experience.

Seeing an opportunity, Korsky and their team knew the moment was ripe for a major transformation that would not only greatly reduce their administrative overhead, but also eliminate those pesky corpnet dependencies while enabling public internet connectivity in a safe and secure way.

Working together, Microsoft Digital and Azure + Edge Computing teams built in robust management capabilities and easily accessible data insights and reporting, and a new printing experience called Universal Print was born.

As Universal Print began to roll out to groups across Microsoft, beginning with the Azure + Edge Computing team, one of the challenges was the wide variety of different brands, makes, and models of printers that would need to integrate with the service.

"We as a product group wanted to support a broad set of currently available printers in market, and some of them are quite old," says Jimmy Wu, a senior program manager for Azure + Edge Computing who worked with Korsky's team to deploy Universal Print into the Microsoft infrastructure. "The challenge was how do we do that when our service wasn't even publicly available at the time."

As a solution, they created a piece of connector software that served as a communication proxy between the physical printer and the cloud service. It’s now available to customers as part of their Universal Print subscription.

With the migration and product rollout complete, Universal Print was validated in private preview by Microsoft customers who also saw a need for a cloud print service. It then moved into public preview in July.

Printers are now being published in Microsoft Azure Active Directory through a centralized portal, with little need for on-premises infrastructure or maintenance.

What's more, the elimination of on-premises servers, and of all the physical space, energy consumption, and cooling systems that go with them, helps support Microsoft's commitment to achieve carbon negativity by 2050.

For branch office managers grappling with whether to invest in costly corporate network setups, Korsky says, “it solves for some real business decisions that companies have to make about branch office locations.”

And the employee who just needs to print? They can think about it even less.

“What’s really great is that our users benefit from a seamless, familiar print experience,” Korsky says. Users click a button and their paper comes out—without all the interference of printer discovery, network permissions and driver installations standing in their way.

Universal Print in a remote world

The ability to print via the cloud has proven to be an unexpected boon to businesses and organizations who have had to quickly adapt to operating remotely.

Alan Meeus, a product marketing manager for Microsoft 365 Modern Work, says that of the more than 2,000 external customers currently testing Universal Print, many have accelerated their adoption amid COVID-19.

“Even with people working remotely, there are many use cases for why print is still important,” Meeus says. “There’s a lot of printing going on in critical industries like healthcare, manufacturing, distribution and education. In schools, some kids don’t have access to computers and they still rely a lot on printed materials.”

Universal Print has also helped enable Microsoft 365 users to perform work functions at home that they previously couldn’t.

“If our HR or payroll department needs to run checks, they can do that from home,” says Scott Hetherington, a senior systems analyst for the Wild Rose School Division in Alberta, Canada. “Being able to give them Universal Print right now has been a lifesaver. And it’s been able to help keep people safe in the face of a pandemic by keeping them home as much as possible.”

As more organizations ramp up adoption, the Universal Print team and their partners are looking forward to cultivating a circular feedback loop where they’re gathering feedback from the community and delivering the kinds of improvements customers want. They’re also working towards a longer-term vision of evolving from the IaaS cloud service model for the connector software to going completely serverless, requiring no infrastructure management at all.

For Korsky, it’s all about the growth mindset.

“This has been an amazing journey of experimentation to learn what works well and where changes are required. And we’re partnering in a more collaborative way,” Korsky says. “We took our learnings from Hybrid Cloud Print and came up with this whole new approach that is even better than we originally envisioned, and we’re having great success.”

The printing transformation is making a difference with Korsky’s peers across Microsoft.

“My team’s amazing partnerships with engineering teams across Microsoft allow us to develop impactful internal solutions that also benefit our customers,” says Dan Perkins, a principal service engineering manager in Microsoft Digital’s End User Services. “Universal Print simplifies how we manage our work and reduces the time we spend maintaining our infrastructure. It also improves the security of our print service. We are excited about what the future holds for this transformational offering.”


The post Jamming to a new tune: Transforming Microsoft’s printing infrastructure with Universal Print appeared first on Inside Track Blog.
