Knowing when you have outgrown your SSL VPN appliance

Scaling an SSL VPN appliance takes careful planning and out-of-the-box thinking to ensure secure remote access to users across the globe.

SSL VPN solutions offer enterprises a simplified way to connect remote users securely. Users can verify their identity and the security of their device through a Web browser login. But like any other service on the enterprise network, demand for SSL VPN access can quickly overwhelm the appliance that supports it. WAN engineers can watch for signs of trouble, as well as experiment with a number of unique approaches to scaling their SSL VPN appliance and meeting the demands of remote users, wherever they may be.

Reaching capacity on the SSL VPN

By using traditional capacity planning metrics, an enterprise can get its first clue that it may be time to upgrade an SSL VPN appliance. CPU utilization, the number of active users and WAN bandwidth utilization are all good leading indicators that might suggest an appliance is reaching its maximum capacity. If WAN engineers can determine how fast these indicators are ramping up, they will be able to plan upgrades to ensure that the SSL VPN appliance scales to meet the needs of an increasingly mobile and remote workforce. There are two easy routes to scaling upward: upgrading the appliance to more capable hardware or deploying multiple appliances that can balance the heavier workload between them.

One less obvious check when evaluating your current SSL VPN appliance is to compare the number of simultaneous user logins per second the appliance is processing to the maximum number of connections it is rated for. An appliance may be large enough to support thousands of users connected to it throughout a day, but if it cannot handle hundreds of users all logging in at once first thing in the morning, for example, the end-user experience is still adversely affected.
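The login-burst check described above can be run against session logs. The following is an added example, not part of the original article; the log line format, the user names and the rated limits passed in are all assumptions, since each appliance has its own log layout and datasheet figures.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <LOGIN|LOGOUT> <user>".
# The format is an assumption; real appliances each have their own layout.
SAMPLE_LOG = """\
2011-06-06T08:59:58 LOGIN alice
2011-06-06T09:00:00 LOGIN bob
2011-06-06T09:00:00 LOGIN carol
2011-06-06T09:00:00 LOGIN dave
2011-06-06T09:00:01 LOGIN erin
2011-06-06T09:00:01 LOGIN frank
2011-06-06T12:30:00 LOGOUT alice
2011-06-06T12:30:05 LOGOUT bob
2011-06-06T13:15:00 LOGIN alice
"""

def parse(log_text):
    """Yield (datetime, event, user) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("LOGIN", "LOGOUT"):
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def capacity_report(log_text, rated_logins_per_sec, rated_concurrent):
    """Peak login burst and peak concurrency; rated_* are assumed datasheet limits."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    per_second = Counter(ts.replace(microsecond=0) for ts, ev, _ in events if ev == "LOGIN")
    peak_rate = max(per_second.values(), default=0)
    active, peak_active = set(), 0
    for _, ev, user in events:
        if ev == "LOGIN":
            active.add(user)
        else:
            active.discard(user)
        peak_active = max(peak_active, len(active))
    return {
        "peak_logins_per_sec": peak_rate,
        "peak_concurrent": peak_active,
        "login_rate_utilization": peak_rate / rated_logins_per_sec,
        "concurrency_utilization": peak_active / rated_concurrent,
    }

if __name__ == "__main__":
    print(capacity_report(SAMPLE_LOG, rated_logins_per_sec=4, rated_concurrent=100))
```

On the constructed sample, the appliance sits at a small fraction of its concurrent-user rating while the 09:00 login burst already consumes most of its login-rate rating, which is the mismatch the paragraph warns about.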

A changing workforce can also cause spikes in demand on an SSL VPN appliance. Many enterprises offer even desk-bound employees the ability to occasionally work from home, with many choosing to split time between home and office. These policies can make it difficult for WAN engineers to predict SSL VPN usage. Likewise, inclement weather and traffic congestion can also cause a surge in VPN access, as users work from home on days when their commute promises to be unreasonable.

To address these types of volatile spikes in demand, many SSL VPN vendors now offer virtualized appliance options, which allow WAN engineers to scale their capacity for peak demand by spinning up additional virtual machines in the data center, rather than upgrading to the next tier of hardware appliance.

Supporting a dispersed workforce with an SSL VPN

Poor SSL VPN performance is not always an issue of capacity. It can also result from a remote workforce that is too geographically spread out for a centralized appliance to support it. Traffic generated by remote users living or traveling abroad follows routes over the Internet to a central SSL VPN appliance. These routes are unpredictable and can result in erratic or slow access. In these cases, deploying distributed physical or virtual appliances in different regions or using cloud VPN services can offer much closer and more direct SSL VPN connections to dispersed users. Deploying a WAN optimization tool along with one of these distributed VPN solutions will give remote users a quick connection to log into and an optimized path back to the organization’s network resources.

Eliminating the need for the SSL VPN appliance

It is also possible that an enterprise may grow out of the need for a VPN altogether. Software as a Service (SaaS) solutions, such as those offered by, are moving many enterprise applications out of the data center to third-party hosts. Many applications even use Web portals to interface with users. Likewise, many users are accessing corporate email through webmail or mobile clients. All of these applications are taking a load off of the enterprise WAN and minimizing the need for users to first connect to a VPN. While corporate policies vary and might still require logging in to the virtual private network, enterprises that have embraced the notion of SaaS and public cloud computing may actually retire their SSL VPN appliances in order to simplify remote access. Even if your enterprise is not ready to completely cut the cord on your SSL VPN, a hybrid approach that offers a mix of SaaS and traditional application services could help offload some of the VPN traffic and save your organization from the next appliance upgrade.

This was last published in June 2011
