Case Study: Isolating VPN Connections

We had a client approach us about an interesting connectivity dilemma. In short, their users were asked to connect to various networks using client-provided VPN tools at the same time. Each VPN setup was unique and had specific setup requirements. Some of the connections required a specific version of Cisco's AnyConnect and would not work with newer versions. Others used Palo Alto or Fortinet VPN installs. Most of the connections were not set up for split tunneling, for security reasons, which made the user lose connection to local network resources as long as the tunnel was up. (This was before solutions like VMware Horizon or Citrix XenDesktop were as broadly used for WFH as they are now.)

It was determined early on that we would need a VDI infrastructure to isolate each VPN connection in a dedicated virtual machine. However, most VDI solutions relied on the VM's own connectivity options, such as RDP, for user access. This was problematic, because the connection to the VM would drop the moment the user established the VPN tunnel. The only way to reach the VM after that was through the hypervisor console, which is designed for admin access and not user connectivity (clunky, slow, and requiring admin access to the server).

We did some digging and found that Oracle's VirtualBox hypervisor allows RDP console access to the VM via the host's IP:port (the VM's remote display is served by the host, not by the guest's network stack). This meant that the user could connect to the VM via standard RDP, bring up the VPN tunnel inside the VM, and not lose connectivity to the VM. This was just what we needed, but management of the VMs quickly became difficult, as we had a number of VirtualBox servers, each with a large number of VMs and snapshots. That's when we found VirtualBox Extensions.

VirtualBox Extensions allow custom code to control the VMs via API. This let us build a user interface that made it simple for our users to request a VM, connect to it, and shut it back down at will from the browser, without any knowledge of what was going on under the hood. VBox Extensions licensing was reasonably priced and easily purchased from our Oracle rep.

Thus far users have spun up over 53K VMs and the solution has delivered as expected. Check out the basic UX for this behind-the-scenes VM manipulation that keeps our users productive. 😊

Users select the client configuration to generate a VM for in Step 1. After about 3-5 seconds the VM is generated and is available by clicking the Connect button. After that, it's RDP as usual.
Users had individual VM caps set in the user setup process so that they did not have too many VMs open simultaneously. Sorry about the black-line redactions; I wanted to make sure the client remained anonymous.
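The behind-the-scenes flow described above (RDP to the VM via the host's IP:port, per-user VM caps, spin-up and shut-down on request) as an added example written against VBoxManage; this is not the author's own code. It assumes VirtualBox 7.x flag spellings, a golden template VM and snapshot with the names given in the script, and user names without regex metacharacters.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumptions: VirtualBox 7.x flag
# spellings (older releases spell them --vrdeport/--vrdeaddress/--vrdeauthtype),
# a golden template VM and snapshot named as below, simple alphanumeric user names.
TEMPLATE_VM="client-a-golden"    # assumption: prepared VM with the client's VPN tooling
TEMPLATE_SNAP="ready"            # assumption: snapshot the linked clones are based on
VRDE_BIND_ADDR="10.0.0.5"        # constructed: host address the users RDP to
VRDE_BASE_PORT=3390              # first host port of the VRDE pool
VRDE_POOL=100                    # pool size: one host port per concurrently running VM
MAX_VMS_PER_USER=2               # per-user cap, as the post describes
# Running VMs are named <user>-<port>, so the output of `VBoxManage list runningvms`
# (lines look like:  "alice-3390" {uuid}) is enough to enforce the cap and to find
# a free port without any extra bookkeeping.
# Number of running VMs belonging to user $1, given runningvms output as $2.
count_running() {
  printf '%s\n' "$2" | grep -c "^\"$1-[0-9][0-9]*\" " || true
}
# First port in the pool not held by any running VM ($1 = runningvms output);
# exit status 1 when the pool is exhausted.
free_port() {
  p=$VRDE_BASE_PORT
  while [ "$p" -lt $((VRDE_BASE_PORT + VRDE_POOL)) ]; do
    printf '%s\n' "$1" | grep -q "^\"[^\"]*-$p\" " || { echo "$p"; return 0; }
    p=$((p + 1))
  done
  return 1
}
# Provision a VM for user $1: linked clone of the golden snapshot, VRDE bound to the
# host address on a free pool port, external (host account) authentication instead
# of VirtualBox's default "null" auth, started headless. Prints host:port, the RDP
# endpoint that keeps working once the guest brings up a full-tunnel VPN.
provision_vm() {
  running=$(VBoxManage list runningvms)
  [ "$(count_running "$1" "$running")" -lt "$MAX_VMS_PER_USER" ] || { echo "cap reached for $1" >&2; return 1; }
  port=$(free_port "$running") || { echo "VRDE port pool exhausted" >&2; return 1; }
  name="$1-$port"
  VBoxManage clonevm "$TEMPLATE_VM" --snapshot "$TEMPLATE_SNAP" --options link --name "$name" --register
  VBoxManage modifyvm "$name" --vrde on --vrde-address "$VRDE_BIND_ADDR" --vrde-port "$port" --vrde-auth-type external
  VBoxManage startvm "$name" --type headless
  echo "$VRDE_BIND_ADDR:$port"
}
# Power off and discard the clone (named <user>-<port>) when the user clicks shut down.
teardown_vm() {
  VBoxManage controlvm "$1" poweroff
  VBoxManage unregistervm "$1" --delete
}
```

Call `provision_vm alice` from the web front end to get the host:port endpoint to hand to the user's RDP client, and `teardown_vm alice-3390` when the user shuts the VM down. Keep the VRDE port range reachable only from the user population, since VirtualBox's default VRDE authentication type is null (no authentication at all).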

If you have any questions about the setup, feel free to reach out!

Wrote my first application on an Apple IIe. Been hooked since. After graduating I started in finance and then moved to insurance. Now I'm an entrepreneur, building technical infrastructures for clients that connect and empower.
