As most of you already know, administrators frequently demand access to all end devices, either from headquarters or from the central management system. From their perspective, this demand is completely legitimate. On the other hand, it is much easier to hide the branch offices' IP networks and to mask them for communication with headquarters. Masking means that an entire branch network is hidden behind a single address, so the individual end devices are no longer visible from the center. The problem is that these two demands contradict each other.
If administrators have to access all branch office networks transparently, each branch office network must have its own unique, non-overlapping IP address range (if it does not already have one). Where a branch has to be renumbered, every installed router and end device in that branch has to be reconfigured. That is feasible for small networks, but in larger network environments the time and money IT administrators have to spend on this task is enormous. The administrator also has to make sure that the corresponding routes are known on the central side, so that traffic for each branch range is sent into the right tunnel. Some VPN gateways publish this routing information dynamically when a connection is set up; with others, the routes have to be maintained by hand.
If transparent access is not absolutely essential, masking the IP addresses via Network Address Translation (NAT) is a viable solution. The branch gateway replaces the source address of every packet leaving the branch with its VPN tunnel IP address, which the central VPN gateway or the central VPN management system recognizes and assigns to the branch office, not to the individual end device. The center therefore only ever sees the branch's tunnel address; the branch LAN can keep whatever addresses it already uses, even if they overlap with another branch, and nothing has to be renumbered. This significantly reduces the time and money spent on configuration and rollout. The price is that connections can only be opened from the branch towards the center: the central side has no route to a masked end device, and central logs show only the tunnel address, so tracing an event back to a particular device requires the branch gateway's NAT records.
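To make the trade-off described in the two paragraphs above concrete, here is an added example in Python (it is not code from the original post or from any VPN product). It models a central gateway with three branches whose names, LAN ranges and tunnel addresses (10.8.0.x) are constructed sample data: it checks whether the branch ranges overlap, builds the central route table that transparent access needs, and refuses to do so when two branches share a range; it then models a branch-side masking gateway as a port-based source NAT, which is one common way such masking is implemented and is assumed here, to show that two hosts with the same private address become distinguishable at the center and that the center cannot open a connection towards a masked host.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    """A branch office as the central gateway sees it (hypothetical model)."""
    name: str
    lan: ipaddress.IPv4Network        # address range used inside the branch
    tunnel_ip: ipaddress.IPv4Address  # tunnel address the central gateway assigned to the branch


# Constructed sample data: two branches were set up with the same private range.
BRANCHES = [
    Branch("berlin", ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Address("10.8.0.2")),
    Branch("munich", ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Address("10.8.0.3")),
    Branch("hamburg", ipaddress.IPv4Network("10.20.0.0/24"), ipaddress.IPv4Address("10.8.0.4")),
]


def overlapping_branches(branches):
    """Pairs of branches whose LAN ranges overlap. Transparent access needs this list to be empty."""
    clashes = []
    for i, a in enumerate(branches):
        for b in branches[i + 1:]:
            if a.lan.overlaps(b.lan):
                clashes.append((a.name, b.name))
    return clashes


def central_routes(branches):
    """Routes the central side needs for transparent access: each branch LAN via its tunnel address.
    Refuses to build the table when ranges overlap, because one prefix cannot point into two tunnels."""
    clashes = overlapping_branches(branches)
    if clashes:
        raise ValueError(f"branch LANs overlap, renumber first: {clashes}")
    return {str(b.lan): str(b.tunnel_ip) for b in branches}


class MaskingGateway:
    """Branch-side source NAT: every LAN host is hidden behind the branch's tunnel address.
    Hosts are told apart by the translated source port, as in a typical masquerade (assumed here)."""

    def __init__(self, branch, first_port=40000):
        self.branch = branch
        self.next_port = first_port
        self.by_port = {}   # tunnel-side port -> (inside ip, inside port)
        self.by_host = {}   # (inside ip, inside port) -> tunnel-side port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the branch: returns the 4-tuple the center will see."""
        if ipaddress.IPv4Address(src_ip) not in self.branch.lan:
            raise ValueError(f"{src_ip} is not inside {self.branch.lan}")
        key = (src_ip, src_port)
        if key not in self.by_host:
            self.by_host[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (str(self.branch.tunnel_ip), self.by_host[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the center. Only replies to an existing mapping get through;
        anything the center tries to open towards a LAN host has no entry and is dropped (None)."""
        if dst_ip != str(self.branch.tunnel_ip) or dst_port not in self.by_port:
            return None
        inside_ip, inside_port = self.by_port[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


if __name__ == "__main__":
    print("overlaps:", overlapping_branches(BRANCHES))
    try:
        central_routes(BRANCHES)
    except ValueError as e:
        print("transparent access:", e)
    print("routes without berlin:", central_routes([b for b in BRANCHES if b.name != "berlin"]))
    berlin, munich = MaskingGateway(BRANCHES[0]), MaskingGateway(BRANCHES[1])
    # the same host address in both branches, distinguishable at the center once masked
    print(berlin.outbound("192.168.1.10", 51234, "10.0.0.5", 443))
    print(munich.outbound("192.168.1.10", 51234, "10.0.0.5", 443))
    print(berlin.inbound("10.0.0.5", 443, "10.8.0.2", 40000))   # reply, translated back
    print(berlin.inbound("10.0.0.5", 22, "10.8.0.2", 40001))    # unsolicited, dropped
```

Run it as a script: the overlap between the two 192.168.1.0/24 branches is exactly what blocks `central_routes`, while the masking gateways hand the same host address out as 10.8.0.2 and 10.8.0.3 without anyone in the branch having to renumber. The last line is the other side of the trade-off from the text: a packet the center sends to a masked host without a prior outbound mapping is dropped, which is why masking and transparent access to every end device cannot both be had for the same branch.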
This means companies have to choose between masking and access to all end devices. The latter comes with increased administration effort for the branch offices. Of course, mixed operation is possible too: masking for the majority of branches, and unique address ranges with transparent routing only for those branches that really need it.
Contact us if you have questions on masking. Next week we'll be live blogging from Interop, but the week after that we'll pick up this series with a post about fragmentation and Maximum Transmission Units.