Organizations all over the world have been hit with the challenge of supporting remote working in preparation for a potentially extended period of social distancing and self-isolation to delay the spread of COVID-19. Our customers have been using 1E Nomad for years to successfully manage software deployment, primarily to remote offices without servers. We’ve had a few enquiries from our Nomad customers that want to understand how Nomad will help in this unprecedented scenario when most users are isolated from the corporate network.
This article explains:
- What you can expect when an unprecedented volume of endpoints is no longer connected directly to your corporate network.
- How Nomad behaves in that scenario to protect your network bandwidth.
- Measures you can take to ensure content continues to flow to enable software and critical updates to devices when they are being used from home.
Peerless content distribution
Nomad keeps Microsoft Endpoint Configuration Manager content delivery running smoothly by sharing content already downloaded with peers, and by protecting the WAN with bandwidth management when the content is not available on any peers and must be downloaded from a remote Distribution Point (DP). In the scenario where endpoints are on home networks without any peers, each endpoint will need to download the content from the DP (or in some cases from Microsoft Update, which is discussed later in this blog). In Nomad terms, each remote endpoint becomes its own elected master.
Increased VPN traffic
In many cases, remote users will be dependent on VPN for access to company systems. If your endpoints still rely on Active Directory, or you haven’t implemented any form of internet-based client management in Configuration Manager, you are going to need all remote endpoints to connect through VPN in order to continue managing them.
It is highly likely that your VPN infrastructure was not designed for the capacity that you may need it to support. For security reasons, many organizations do not implement split tunnelling (where internet traffic is routed directly onto the internet and only corporate traffic goes through the VPN). That means everything your users do on their laptop (cloud apps, video conferencing, OneDrive syncs, streaming music while they work) while working from home will be coming through your VPN.
You should speak with your security team to understand your options for split tunnelling. If you can offload internet traffic to the user’s home internet connection, then your VPN will be able to accommodate the essential business traffic more easily. If users can do most of their work on the internet (cloud-based apps, video conferencing etc.), then consider recommending users connect to the VPN only when necessary. To ensure machines can still be managed, this would include a period each day where the endpoint can check in for Group Policy updates, account synchronizations and Configuration Manager policy.
Nomad bandwidth management
Using Nomad on these endpoints will help to manage bandwidth into your VPN concentrators and onto your DPs but will not reduce the volume of data your VPN will need to handle. If you have 5,000 endpoints downloading over the same connection, they will all be competing for the available bandwidth and the network utilization will be high while endpoints simultaneously download content. Nomad will ensure that each endpoint will back off to accommodate the cumulative effect of all the other endpoints, resulting in every endpoint settling down to use an equal amount of the available bandwidth. But that available bandwidth is always going to be constrained by the volume of endpoints and the link will get very busy.
Nomad uses the workrate setting to control how much of the available bandwidth it will use. For ease of explanation, we’ll consider workrate as a percentage of the available bandwidth that Nomad will use. (Latency will skew that analogy, especially as the workrate value is reduced, so a workrate of 30 will actually use much less than 30% of the available bandwidth for typical remote users). The default workrate value is 80. Reducing this will slow down deployments but will provide a bit more bandwidth ‘headroom’ on the network.
The two charts below illustrate this effect with five endpoints downloading content. The chart on the left shows the rate at which each endpoint downloads and the chart on the right shows the cumulative effect. In this illustration, Nomad is configured to use 50% of available bandwidth; the link is 8Mbps and there is no other traffic. The first endpoint uses 50% of available bandwidth (4Mbps), while the second client uses 50% of the remaining 4Mbps and so on. But as each endpoint starts using bandwidth, the other clients start to back off and after a short period of time all clients are downloading at a similar rate.
Workrate can be set at the endpoint level (through Configuration Manager client settings for applications and software updates), or more granularly for individual packages. Refer to Distributing Software with Nomad and Configuration Manager for more information. You can also define a workrate ‘profile’ for the week, lowering it during peak hours and increasing it during quieter hours and weekends. Consider using a value of 30 during busy periods and 50 or higher during quiet periods.
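To make the back-off behaviour described above concrete, here is a small model added for this article (it is not 1E’s code and does not reproduce Nomad’s real algorithm): each endpoint repeatedly takes workrate percent of whatever link capacity the other endpoints are not using, with endpoints joining one at a time. The link (8 Mbps), workrate (50) and endpoint count (5) are the values from the charts; the 5,000-endpoint case is assumed for comparison.

```python
"""Toy model of Nomad workrate back-off on a shared VPN link.

Added illustration, not 1E's algorithm: every endpoint uses
`workrate` percent of the capacity the other endpoints leave free.
"""
from typing import List, Tuple


def simulate(link_mbps: float, workrate: int, n_endpoints: int,
             rounds: int = 100, join_every: int = 2) -> List[Tuple[float, ...]]:
    """Return per-round download rates (Mbps) for every endpoint.

    Endpoints join one at a time, every `join_every` rounds, so the first
    briefly gets workrate% of the whole link, the second workrate% of what
    is left, and so on, before they all settle to a similar rate.
    """
    w = workrate / 100.0
    rates = [0.0] * n_endpoints
    history = []
    for t in range(rounds):
        active = min(n_endpoints, t // join_every + 1)
        for i in range(active):
            others = sum(rates[:active]) - rates[i]
            # Back off: only take workrate% of the bandwidth nobody else uses.
            rates[i] = w * max(0.0, link_mbps - others)
        history.append(tuple(rates))
    return history


def steady_state(link_mbps: float, workrate: int, n_endpoints: int
                 ) -> Tuple[float, float, float]:
    """Closed-form fixed point of the model above.

    Solving r = w * (link - (n - 1) * r) for the per-endpoint rate r;
    returns (per_endpoint_mbps, total_mbps, headroom_fraction).
    """
    w = workrate / 100.0
    per = w * link_mbps / (1 + (n_endpoints - 1) * w)
    total = n_endpoints * per
    return per, total, 1.0 - total / link_mbps


if __name__ == "__main__":
    hist = simulate(8.0, 50, 5)
    for t in (0, 2, 4, 8, 99):
        print(t, [round(r, 2) for r in hist[t]], "total", round(sum(hist[t]), 2))
    # Five endpoints at workrate 50 leave about a sixth of the link free...
    print(steady_state(8.0, 50, 5))
    # ...but 5,000 endpoints (assumed) saturate it even at workrate 30.
    print(steady_state(8.0, 30, 5000))
```

The closed form shows why lowering the workrate buys headroom with a handful of endpoints but not with thousands: the free fraction is (1 - w) / (1 + (n - 1) w), which tends to zero as n grows.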
Avoid content sharing between VPN clients
You don’t want endpoints connected through VPN to be sharing content with each other as this will increase VPN traffic unnecessarily. VPN implementations typically isolate endpoints in a single-node subnet (i.e. the subnet mask is 255.255.255.255, or /32 in CIDR notation). As Nomad uses a broadcast to find peers, in most cases you will not need to change Nomad configuration to prevent this, as the broadcast will not be seen by other peers and each endpoint will be elected as a master.
If your VPN subnets include multiple IP addresses (i.e. the subnet mask is less than 255.255.255.255 or /32 in CIDR notation), you should add these subnets to the InhibitedSubnets (or alternatively InhibitedADSites) configuration on endpoints. This will ensure endpoints on VPN do not share content with each other. Refer to Inhibiting subnets and sites for more information.
If you are using the Nomad Single Site Download (SSD) feature, then you may need to check that your VPN subnets are not included in any location definition in ActiveEfficiency. If Nomad determines that the interface type is Point-to-Point Protocol (PPP) or that it is in a /32 subnet, then for the purpose of SSD it will not register itself as a content provider in 1E ActiveEfficiency (the optional server component of Nomad), so it will not be returned in any SSD queries. If your VPN subnets include multiple IP addresses, however, you will need to ensure these subnets are not included in any location definition in ActiveEfficiency.
Some of our customers have enabled Local SSD on endpoints to allow them to share content on wireless networks where broadcast is disabled. If you have done this and you have VPN subnets that include multiple IP addresses, then you have two options:
- Disable Local SSD on these devices
- Ensure the VPN subnets are inhibited (as noted above) and add the registry value NoSsdReqOnInhibitedSubnets=1 to all endpoints.
The second option provides more flexibility once COVID-19 is under control, normal service is resumed, and the endpoints return to the office wireless networks.
Recommendations for software updates
You will need to deploy applications to users at home, and there may be a spike in this activity as users set up camp at home for the first time and identify apps that weren’t installed when their laptop was provisioned. However, software updates are likely to be the biggest contributor to network traffic while users work remotely, as they are typically required on every endpoint.
If you can implement split tunnelling for VPN endpoints, then you can set up Configuration Manager to download content from Microsoft Update when users are remote, instead of DPs on your corporate network. This will entail the following steps:
- Ensure you have a Boundary Group for your VPN endpoints and one or more boundary groups for your corporate network. If you don’t already have these defined and have loads of subnets or AD sites, you might find IP Address Range boundaries easier.
- Your VPN Boundary Group should reference one or more DPs dedicated to your VPN endpoints and your corporate network Boundary Group(s) should reference DPs dedicated to your corporate network. If you haven’t already, create a VPN Distribution Point group and a corporate network Distribution Point group.
- When you deploy software updates, do not add them to the VPN DP group (as you want the content to come from Microsoft Update), but add them to the corporate network DP group. Deploy the update with the following download settings:
The effect of these settings is as follows:
- The deployment options are set to “do not install software updates” to prevent the VPN clients falling back to corporate DPs.
- Endpoints in the corporate network will get the content from their referenced DPs to which the updates have been added.
- Endpoints on the VPN will get the content from Microsoft Update because the updates were not added to the VPN DPs and the highlighted option is enabled to download content from Microsoft Update when not available on any DPs.
Note that this configuration should only be used if you can implement split tunnelling and route the Microsoft Update traffic to the internet and not through the VPN.
Can Delivery Optimization help?
If users have other household members that have Windows 10 devices, then Delivery Optimization may give some relief to the corporate network for software updates. If you are running Configuration Manager 1910 and you enable delta content download for software updates as indicated below, then the CM client will use Delivery Optimization to find local peers that have the content.
If other home users have already downloaded the update, and your corporate endpoints have Delivery Optimization Download Mode configured to 1 (LAN, which is default for Windows 10 Enterprise), then DO may be able to get the content from those other peers on the home network. If no DO peers with the content cached are available on the local network, CM will pass the download to Nomad and Nomad will download it from the DP (or Microsoft Update if that option is enabled).
Managing endpoints on the internet
The ideal scenario is to manage your endpoints directly over the internet and remove the need for VPN altogether. If your CM environment is cloud-attached, then endpoints at home will get content directly over the internet using the Cloud Management Gateway (CMG). Software updates will be downloaded from Microsoft Update when the endpoint is on the internet. However, if the user requires VPN for any other services, you will need to ensure split tunnelling is implemented to get any benefit from this.
If you are using legacy internet-based CM, where you have DPs in the DMZ connected to your corporate network, then you may need to consider increasing the number of internet-facing DPs according to the number of endpoints they will need to service simultaneously.
The key point is that your VPN is going to be a bottleneck and you should seek opportunities to alleviate this through the following strategies:
- Discuss options for implementing split tunnelling with your security team. If you can’t offload at least some traffic to the user’s home internet connection, you are going to need to increase the capacity of your VPN.
- Consider reducing the Nomad workrate to reduce the cumulative bandwidth that multiple simultaneous downloads will consume. Nomad will always leave some headroom, and will back off to other traffic too, but with thousands of clients downloading simultaneously, the network will be running at capacity for extended periods.
- If you are using Single Site Download, ensure it is configured to prevent endpoints on VPN sharing content with each other.
- If you can implement split tunnelling, offload your software update content to Microsoft Update when endpoints are connected to VPN.
- Plan for internet management of endpoints by cloud-attaching your Configuration Manager environment.
- If users are likely to have other devices running the same version of Windows 10 on their home network and you are running Configuration Manager 1910, consider enabling delta downloads for software update content in Configuration Manager and enabling DO to get content from other devices on the same LAN.
No one knows how long we are going to need to support this scale of remote working. If users and companies get used to it, it could become more normal than before!