A Reference Architecture for the Distributed Workforce

By Adam Fuoss, Vice President, Pre-Sales Consulting, Aruba

As businesses around the world adapt to the changing dynamics of the COVID-19 pandemic, the need for social distancing has unleashed an unprecedented shift toward remote and teleworking, creating a mass exodus of employees moving from branch offices to home offices. With thousands of businesses enabling a work-from-home strategy, millions of employees must quickly adapt to communicating and collaborating in entirely new ways to maintain business productivity.

For IT departments this shift is creating an entirely new set of challenges. The primary challenge is connecting a distributed, remote workforce to business-enabling applications and services residing in the data center and the cloud. Some users require access to VoIP systems, virtual desktops and video conferencing, all of which require fast and highly reliable network connections. A company that had 50 branch offices yesterday must now grapple with the idea that every user, and their home network, is a new branch it has to support, representing an exponential increase in the number of sites overnight.

Over the past few weeks, as this shift has moved from possibility to reality, we’ve had a series of discussions with customers about how to best meet these changing organizational goals. We’ve taken these requirements into account and have compiled a reference architecture that allows for non-SD-WAN and SD-WAN users alike to connect to applications and services remotely. In this blog we’ll dig into this architecture in more depth.

Architecture and Use Cases

We have identified a shared set of requirements that we have accounted for in our design proposal.

  • Remote users need reliable access to on-network applications (Data Center and IaaS)
  • Remote users need secure and direct access to cloud services (SaaS)
  • For some remote users, real-time applications have unique requirements (Voice, Video, VDI)
  • For some remote users, high-throughput applications require additional performance (Software Development, Large Data Applications, Medical Imaging)

Given the need to rapidly deploy, we’ve focused on an architecture that heavily leverages software and cloud computing wherever possible.

Connecting Remote Users

This is arguably the most difficult element of the entire solution. As businesses send employees home, they need to find a way to rapidly connect those users back into the network, and to their applications. Many enterprises can simply leverage client-based software for connections to existing security infrastructure; however, for users that require additional reliability or performance such as call center technicians, users who upload and download large files, and VDI users who stream their remote desktop, IT departments may prefer to provide additional mechanisms of performance and reliability.

There are two general architectures under the client software approach. The first is to deploy a client-based VPN and a series of geographically distributed concentrators. Cloud providers such as Amazon Web Services and Microsoft Azure offer client-based VPN solutions, and technology vendors such as Check Point Software or Palo Alto Networks offer remote access VPN solutions that may work with existing enterprise infrastructure. The second option is to leverage cloud-based enforcement nodes and application connectors, through cloud-delivered security services like Zscaler ZPA. In both remote connectivity scenarios, the focus is squarely on the security of both the user and the application; however, as noted, there is a subset of users that may need a higher degree of performance and reliability than these approaches offer.

Users who require a higher quality connection, are pushing big workloads, or need additional visibility and security can leverage the Aruba EdgeConnect platform at the home office. By deploying EdgeConnect locally, services such as Local Internet Breakout, QoS, Path Conditioning (Packet Loss and Out-of-Order Packet Correction), WAN optimization, segmentation and a variety of other features can be applied to give users a higher quality application experience. In addition, IT administrators can easily manage and delegate policy across the entire SD-WAN fabric with a few simple clicks within the Aruba Orchestrator management GUI. Remote and home users can realize the same, or better, quality of experience than they do working in the branch office.

Configuring Regional Cloud Hubs and Data Centers

Forcing many users into distant, overloaded VPN concentrators introduces performance limitations. Our recommendation is to build out a geographically distributed VPN infrastructure that leverages existing data centers or cloud services (AWS, Azure, Google Cloud or Oracle Cloud) to connect users to your network as locally as possible. Localizing the user’s connectivity to the network gives them the best possible last-mile experience while connecting them into a high quality, service-provider grade network; it also reduces the risk of overloading circuits by forcing everyone into the same location.
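The hub-selection idea above (connect each user to the nearest regional hub, but never to one that is already saturated) can be sketched as a small placement routine. The following is an added example written for this post, not Aruba or Silver Peak code, and it does not reflect how Orchestrator or any VPN concentrator actually balances load; the hub names, coordinates, capacities and user locations are all constructed for illustration. It ranks hubs by great-circle distance from the user and skips any hub whose tunnel count is above a load threshold, so the fifth user in the sample, who lives closest to the saturated US hub, spills over to the next-nearest region rather than piling onto the same circuit.

```python
"""Capacity-aware nearest-hub selection (added illustration, constructed data)."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class Hub:
    """A regional VPN / SD-WAN hub. 'capacity' is the concurrent tunnel budget
    the concentrator was sized for (hypothetical figure, not a vendor limit)."""
    name: str
    lat: float
    lon: float
    capacity: int
    active: int = 0  # tunnels currently terminated here

    def load(self) -> float:
        return self.active / self.capacity


def select_hub(user_lat: float, user_lon: float, hubs: List[Hub],
               max_load: float = 0.8) -> Optional[Hub]:
    """Return the closest hub whose load is below max_load, or None if every
    hub is saturated (the caller should then alert rather than overload one)."""
    ranked = sorted(hubs, key=lambda h: haversine_km(user_lat, user_lon, h.lat, h.lon))
    for hub in ranked:
        if hub.load() < max_load:
            return hub
    return None


def assign_users(users: Dict[str, Tuple[float, float]], hubs: List[Hub],
                 max_load: float = 0.8) -> Dict[str, Optional[str]]:
    """Place users one at a time, updating hub counters as tunnels are assigned."""
    assignment: Dict[str, Optional[str]] = {}
    for uid, (lat, lon) in users.items():
        hub = select_hub(lat, lon, hubs, max_load)
        if hub is None:
            assignment[uid] = None  # no hub with headroom; surface this to operations
            continue
        hub.active += 1
        assignment[uid] = hub.name
    return assignment


def make_sample_hubs() -> List[Hub]:
    """Constructed sample: three regional hubs, each sized for only two tunnels
    so that saturation is easy to observe."""
    return [
        Hub("us-east", 39.0, -77.5, capacity=2),
        Hub("eu-west", 53.3, -6.3, capacity=2),
        Hub("ap-south", 19.1, 72.9, capacity=2),
    ]


# Constructed sample users (approximate city coordinates, labels are made up).
SAMPLE_USERS: Dict[str, Tuple[float, float]] = {
    "alice": (40.7, -74.0),  # New York
    "bob": (51.5, -0.1),     # London
    "carol": (18.5, 73.9),   # Pune
    "dave": (42.4, -71.1),   # Boston
    "erin": (38.9, -77.0),   # Washington DC; us-east is full by now, spills to eu-west
}


def run_sample() -> Dict[str, Optional[str]]:
    """Run the placement over fresh hubs so repeated calls give the same answer."""
    return assign_users(SAMPLE_USERS, make_sample_hubs())


if __name__ == "__main__":
    for user, hub in run_sample().items():
        print(f"{user:6s} -> {hub}")
```

The threshold is deliberately below 100% so a hub keeps headroom for reconnects after a circuit flap; in practice the distance metric would be replaced by measured latency from the client to each hub, and the tunnel counts would come from the concentrators themselves rather than an in-memory counter.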

Once users are connected into a localized hub, through VPN or SD-WAN, they can leverage the security, reliability, and performance features of an Aruba SD-WAN fabric. Here we recommend deploying an EdgeConnect virtual or physical appliance to manage policy and connectivity across the rest of the network. As users access resources in data centers or branch offices, cloud-hosted IaaS services, or SaaS services such as Office365, they do so across a highly reliable and secure SD-WAN fabric.

Connectivity is easily established, and policy is delegated using business intent overlays. Mission-critical applications can be prioritized and protected, routing to SaaS services can be optimized, and cloud-delivered security services such as Check Point Software, Netskope, Palo Alto Networks and Zscaler can be added. SD-WAN provides a straightforward mechanism for connecting branch users into the network, and for connecting them globally, without sacrificing performance or reliability.

While many of these problems aren’t new, businesses normally have more time to prepare as remote users are added incrementally. Providing the same applications, services and reliable experience to thousands of users in their home offices in such a short period of time represents a herculean effort. Thankfully the cloud, combined with SD-WAN, provides a practical way to build a WAN that delivers reliable access for users anywhere.

Silver Peak was acquired by Aruba, a Hewlett Packard Enterprise Company.