A Reference Architecture for the Distributed Workforce

Note: If you have questions about solving your remote user application or network challenges or have feedback about what’s working or isn’t for your organization, please feel free to share in the comments below this article. We will do our best to respond quickly to questions about challenges you may be facing.

By: Adam Fuoss and Chris DeHoust

As businesses around the world adapt to the changing dynamics of the COVID-19 pandemic, the need for social distancing has unleashed an unprecedented shift toward remote and teleworking, creating a mass exodus of employees moving from branch offices to home offices. With thousands of businesses enabling a work-from-home strategy, millions of employees must quickly adapt to communicating and collaborating in entirely new ways to maintain business productivity.

For IT departments this shift is creating an entirely new set of challenges. The primary challenge is connecting a distributed, remote workforce to business-enabling applications and services residing in the data center and the cloud. Some users require access to VoIP systems, virtual desktops and video conferencing that require fast and highly reliable network connections. A company that had 50 branch offices yesterday must now grapple with the idea that every user, and their home network, is a new branch it has to support, representing an exponential increase in the number of sites overnight.

Over the past few weeks, as this shift has moved from possibility to reality, we’ve had a series of discussions with customers about how to best meet these changing organizational goals. We’ve taken these requirements into account and have compiled a reference architecture that allows for non-SD-WAN and SD-WAN users alike to connect to applications and services remotely. In this blog we’ll dig into this architecture in more depth.

Architecture and Use Cases

We have identified a shared set of requirements that we have accounted for in our design proposal.

  • Remote users need reliable access to on-network applications (Data Center and IaaS)
  • Remote users need secure and direct access to cloud services (SaaS)
  • For some remote users, real-time applications have unique requirements (Voice, Video, VDI)
  • For some remote users, high-throughput applications require additional performance (Software Development, Large Data Applications, Medical Imaging)

Given the need to rapidly deploy, we’ve focused on an architecture that heavily leverages software and cloud computing wherever possible.

Connecting Remote Users

This is arguably the most difficult element of the entire solution. As businesses send employees home, they need to find a way to rapidly connect those users back into the network, and to their applications. Many enterprises can simply leverage client-based software for connections to existing security infrastructure. However, for users that require additional reliability or performance, such as call center technicians, users who upload and download large files, and VDI users who stream their remote desktop, IT departments may prefer to provide additional mechanisms for performance and reliability.

There are two general architectures under the client software approach. The first is to deploy a client-based VPN and a series of geographically distributed concentrators. Cloud providers such as Amazon Web Services and Microsoft Azure offer client-based VPN solutions, and technology vendors such as Check Point Software or Palo Alto Networks offer remote access VPN solutions that may work with existing enterprise infrastructure. The second option is to leverage cloud-based enforcement nodes and application connectors, through cloud-delivered security services like Zscaler ZPA. In both remote connectivity scenarios, the focus is squarely on the security of both the user and the application. However, as noted, there is a subset of users that may need a higher degree of performance and reliability not offered by these approaches.

Users who require a higher quality connection, are pushing big workloads, or need additional visibility and security can leverage the Unity EdgeConnect™ SD-WAN edge platform at the home office. By deploying EdgeConnect SD-WAN locally, services such as Local Internet Breakout, QoS, Path Conditioning (Packet Loss and Out-of-Order Packet Correction), WAN optimization, segmentation and a variety of other features can be applied to give users a higher quality application experience. In addition, IT administrators can easily manage and delegate policy across the entire SD-WAN fabric with a few simple clicks within the Unity Orchestrator™ management GUI. Remote and home users can realize the same, or better, quality of experience than they do working in the branch office.

Configuring Regional Cloud Hubs and Data Centers

Performance limitations can be introduced when forcing many users into distant, overloaded VPNs. Our recommendation is to build out a geographically distributed VPN infrastructure that leverages existing data centers or cloud services (AWS, Azure, Google Cloud or Oracle Cloud) to connect users to your network as locally as possible. Localizing the user’s connectivity to the network provides them with the best last-mile experience while connecting them into a high-quality, service-provider-grade network; this also reduces the risk of overloading circuits by forcing everyone into the same location.

Once users are connected into a localized hub, through VPN or SD-WAN, they can leverage the security, reliability, and performance features of a Silver Peak SD-WAN fabric. Here we recommend deploying an EdgeConnect virtual or physical appliance to manage policy and connectivity across the rest of the network. As users access resources in data centers or branch offices, cloud-hosted IaaS services or SaaS-based services such as Office365, they do so across a highly reliable and secure SD-WAN fabric.

Connectivity is easily established and policy simply delegated here through the use of business intent overlays. Mission-critical applications can be prioritized and protected, routing to SaaS services can easily be optimized, and cloud-delivered security services such as Check Point Software, Netskope, Palo Alto Networks and Zscaler can easily be added. SD-WAN provides easy mechanisms for connecting branch users into the network, and it provides an easy mechanism for connecting them globally, without sacrificing performance or reliability.

While many of these problems aren’t new, businesses normally have more time to prepare for remote users to be added incrementally. Providing the same applications, services and reliable experience to thousands of users in their home offices in such a short period of time represents a herculean effort. Thankfully the cloud, combined with SD-WAN, provides an easy way to build a WAN that provides reliable access for users anywhere.

Watch this on-demand webcast to learn how to securely connect a remote workforce to business applications in the data center or the cloud.

If anyone has questions, constructive feedback about the design or is looking for advice, please feel free to post a comment below and we’ll do our best to respond to your inquiries as quickly as possible.
