Viptela is now part of Cisco.

Office 365 and SaaS Optimization with SD-WAN

Gartner’s recent research revealed that 78% of organizations are using or plan to use Office 365, and by 2019 half of the global deployments will face network-related problems. Limited WAN optimization capability further complicates the problem and presents a major performance and productivity challenge for Office 365 and all SaaS applications.

SD-WAN provides an essential set of features that solves the networking issues related to Office 365 and SaaS applications. This webinar will cover the following major topics:

  • How traditional networks impair O365 performance, and why?
  • Why enterprises overlook the importance of strategically placing cloud gateways
  • Understanding tradeoffs among reliability, performance and user-experience when architecting the WAN for your cloud
  • Best practice architectures for different kinds of SaaS applications


Lloyd Noronha, Head of Global Marketing, Viptela
Ramesh Prabagaran, VP of Product Management, Viptela


Lloyd: Hi everyone. Thank you for joining today’s session on optimizing Office 365 and SaaS Performance with SD-WAN. My name is Lloyd Noronha, head of Global Marketing at Viptela, and I’m joined by Ramesh Prabagaran, who heads Product Management at Viptela. Now, what are we going to talk about today? Essentially, if I take you back, about 12 months back, we started seeing a surge in topics related to SaaS and Office 365.

To be more specific, we started to get questions around the fact that enterprises are moving from on-prem to cloud versions of Office 365, and they’ve seen their performance really degrade as a result. Now when you look at SaaS and Office 365, Dropbox, Salesforce, etc., across the [breadth], there are certain reasons why the SaaS applications perform sub-optimally today.

So, if we were to look at, if we were to dial down that one layer more, if you look at the way the networks are architected today, they essentially were architected for a time when most of the applications resided in the data center. And the networks themselves were not aware of cloud applications. In addition to that, you have the aspect that the internet itself is very dynamic. The issues on the internet, the performance on the internet is very dynamic and you need to discover and work around those problems.

Now if you look at Office 365, Salesforce, and most of these SaaS applications, they are already aware of this set-up complexity. So, they’ve done a very good job on optimizing the response time on the application itself. But what they don’t have control over is the internal network of the enterprise, right? This encompasses the data center and, more importantly, the wide area network.

So, the issues that come about with the wide area network and the internal enterprise network, actually most of the reasons we have the performance problems are the erratic performance tied to SaaS and others. And Office 365 bubbles up to the top for one specific reason: because it’s one of the single applications that gets used by most of the employees in an enterprise. If you look at a large bank for example, with about 40 or 50,000 employees, almost everybody is using Office 365.

So, the complaints from Office 365 are the ones that hit the IT teams the most. Now in this session, we’re going to dig deeper into why these problems are caused, and how they can be fixed. But if you are interested in topics related to AWS, Azure, and other cloud-related infrastructure topics, we’re not going to be covering it in this session – there’s another future WAN summit session that’s going to exclusively focus on cloud infrastructure.

So, let’s dig one level deeper into why these problems are caused, right? So, if you look at the research data beyond Viptela itself, if you look at Gartner, it recently published a very good research on network-designed best practices for Office 365. And the top networking analysts Neil Rickard and Andrew Lerner were associated with it. If you read through the research, the data on it is very clear.

The, [firstly], majority, which is 78 percent of the organizations they polled, are either using or plan to use Office 365. Next, if you look at the organizations that have deployed Office 365, about 20 percent of them face some kind of problems, reported as service performance challenges. But the more critical aspect is the 12 percent number that actually face service availability issues. So that’s actually issues related to wanting to use the application and not being able to, right?

And if you fast-forward this a few years ahead to 2019, you’re going to see about half of the global deployments going to face performance issues specifically tied to networking. And the general perception, especially with the [INS] community is that the quality of internet access is not going to be good enough for Office 365. At least the way it’s designed today, within the enterprise. So, something’s got to change and today we’re going to get into those aspects.

So, I’m going to hand this over now to Ramesh Prabagaran, and while I do the handover, I want to invite everybody to a poll to essentially test what kind of issue you face with Office 365 or other SaaS applications. If you guys can take a poll as we are going through this, and you can see the results of your peers as you’re entering your results yourself. Ramesh?

Ramesh: Thank you Lloyd. All right. So, Lloyd spoke quite a bit about the challenges that IT and enterprises face today with respect to O365. They were an excellent set of data points that really spoke about what the challenges are and what people are kind of doing about it. Now let’s double-click on why they are experiencing some of those challenges.

The first thing to really understand is Office 365 is not a single application. It’s a suite. It is a whole host of applications that involves Exchange, SharePoint, Skype, Yammer and that list continues to grow. And as we can imagine, different applications designed for different types of use-cases have different requirements. Microsoft Exchange, as an example, is extremely latency-sensitive, and so is SharePoint.

Real-time communications using Yammer for example, is not as much latency-sensitive. So, naturally, as a network architect, and as the head of network infrastructure, you are faced with a very interesting challenge of “how do I architect my wide area for Office 365 when it is not a single application?” Now add this to the fact that there are latency – not just latency considerations, but also loss considerations, so the problem gets a lot more acute.

Especially as you start to bring internet into the mix. The graph that you can see on the right really shows you how [Unintelligible 0:07:01] degrades as a result of loss in the infrastructure. So, if the underlying network shows even a one percent or a two percent packet loss, and you have TCP-based applications, your [Unintelligible] really goes down dramatically. And so, all the more reasons for you to build a highly resilient wide area infrastructure in order to overcome these problems.

Now, on top of this, access to Office 365 does not mean I can go over private connections, access Office 365, and call it done. There are a whole bunch of software downloads that are exchanges with respect to DNS, there’s cache content, and a whole bunch of other things that really drive the need for internet, and that’s one of the reasons you will hear Microsoft say you need to access Office 365 over internet.

And so, fundamentally, the problem boils down to “what does this mean”, “how do you architect a wide area for Office 365 given that you have conflicting requirements. I need to cater my applications towards loss, towards latency, towards performance, toward user experience and so forth.” The short answer is, that’s exactly why you need software-defined [constructs] and software-defined wide area, in particular, helps you overcome all of these and fine-tune your infrastructure to provide ultimately what all your employees care about: the best O365 experience for collaboration.

Now, let’s look at, what does this really mean. Why are some of these things not possible with a traditional wide area infrastructure? The first thing, and I love the quote that one of our customers provided – this is a Fortune 500 manufacturing customer that said, before they moved to O365 and AWS, roughly 60 percent of their traffic was going towards the internet. The other 40 percent bound towards their own, on-prem data centers and so forth.

With O365 and applications moving to infrastructure as a service, that number jumped up to almost 98 and some cases 99 percent. Now, the traditional wide area was built with the assumption that you take traffic from your branch campus and your remote sites and whatnot, backhaul them all the way up to the data center, and it’s from that location that you access the internet.

So, some of the challenges naturally are, if 99 percent of my traffic is bound to either the internet or SaaS or intra-[Unintelligible 0:09:34] service, then why do I need to backhaul all my traffic and take care of essentially the U-turn problem, or the traffic tromboning problem. That really is the crux of it, what the problem is all about. Now coupled with the fact that traditionally, enterprises have used a really low bandwidth in the form of T1’s and [two-by] T1’s, you really can’t put a high bandwidth application on top of it.

If you’re trying to download a 10 megabyte or a 20-megabyte file as part of your exchange, then you can really see that spinning wheel, and nobody likes to see that spinning wheel. So right at the outset, you have traffic tromboning problems, suboptimal access problems, bandwidth problems as well. There are a couple more things that really are top-of-mind for many of the enterprises as they start to onboard O365.

One of them is really around application awareness. The wide area traditionally has not been application-aware. You really took care of prioritization using QoS – you said there’s a gold set of applications, there is a silver set of applications, and there is a bronze set of applications. You have not really fine-tuned it to [Unintelligible 0:10:54] applications. Some of them are transactional, some of them require radio, some of them are email, and so forth and really architect the network based on that awareness.

So, that’s also a pretty important challenge that you’ll have to overcome as you make that transition. Not to mention, the larger the enterprise, and the more regulated the industry, security is always, always top-of-mind. And so once again you have those wide variety of things that you need to consider, and traditional wide area networks neither provided the bandwidth, didn’t provide the optimal experience to the applications, did not provide the service level, the security, or the resiliency.

And so, many of the enterprises are looking to refresh their wide area – and we have over a few hundred of these deployments with large enterprises that have gone past this point, have gotten to a state where their O365 gives them multi-fold performance and user experience as well. And we’ll talk about one such use-case as well, in the context of a large U.S. food distributor.

Now, let’s talk a little bit about what are the different ways of accessing O365. So, Office 365 is, once again, not a single application, it’s a wide variety of applications. And you can access them in a few ways. Microsoft, on their website, clearly calls out “come to Office 365 over internet and call it done”. Now that’s great if you have a Tier 1 access, but not as much if you don’t have a Tier 1 ISP, there are some locations, especially where you do have challenges with respect to internet access.

And so, one of the ways to reach O365 is at the branch location, or at the site, you have an ISP connection, you can split tunnel out to O365 directly, and the rest of the traffic can either use the internet infrastructure or the private infrastructure, in order to go back to a centralized point where the applications reside. So, that’s one way of accessing, and that’s what you see marked as number one.

The second one that is increasingly becoming popular, is this notion of an intermediate point, like an internet exchange. So, from the branch you can go to a carrier-neutral facility and a carrier-neutral facility like Equinix has direct internet access peering to some of the most popular SaaS applications. And so, you can naturally be, really, one hop away as soon as you reach the carrier-neutral facility, and so as long as you aggregate traffic from your various locations into the colo facility or the carrier-neutral facility, you get most optimal experience for these SaaS applications.

Now certainly you do have last-mile distance to worry about, so if your site is geographically quite far away from the carrier-neutral facility, and you do not have a wide enough footprint of the CNS, then you do have some challenges to worry about. But that’s really where SD-WAN can help, whereby you can get the underlying telemetry of the network, i.e., loss, latency, jitter characteristics and so forth, and then access the SaaS application in the most optimum way.

The other option is also you can aggregate it to a carrier-neutral facility and use what Microsoft calls the ExpressRoute, which is a private peering connection from the carrier-neutral facility directly into O365. Now even if you use ExpressRoute, there is an internet pipe or a sub-pipe within that big pipe, and so you need to be wary of the fact that there’s not just an all-private connection, it is a combination of a private and a public connection.

So, there are, again, a variety of mechanisms that you can use to access Office 365, and some of the enterprises choose to go down not just one route, but a combination of them. The most popular being the direct internet access and the middle option, which is the regional internet access as well. Within the Viptela infrastructure, we do provide the ability and technology so you can choose the most optimal path based on your characteristics.

So, you can say hey, I want to access Office 365, SharePoint, and wanted to make sure it gets less than 25 milliseconds of latency. And so, as long as I have a path that meets that criteria, you’ll be able to get to that intermediate point in the most optimal way possible. From there, we do have this notion of a cloud express that takes in telemetry all the way up to the application. So, from the cloud gateway all the way up to the application, incorporate that into the network infrastructure in order to choose the most optimal path.

So, again, this is the guts of how things work. From a user standpoint, all you need to care about is hey, I need [axial-radial] access. And there’s a single button that you press from the management dashboard that gives you the most optimal user experience for Office 365 and underneath the covers, the technology figures out what is the most optimal way to access that. Now, in addition to the three options that we just spoke about, there are also a couple of others.

If you have an all-MPLS network for example, you can take your MPLS structure, use some of the carrier peering mechanisms in order to access O365, or, if you’re a large enough enterprise and you have a pretty fat pipe, multiple gigs of traffic going to Microsoft, then you can do some direct peering with Microsoft as well. Once again, a variety of options, and we’ll compare and contrast what those options look like as well.

It looks like the poll results are in and there’s quite a few folks who said they already do experience challenges. Some have said no, and some are really on the fence. And this is quite typical. When we talk to an enterprise customer during the early phase and figure out if they really have an issue, they kind of fall in the yes or not sure bucket. This is exactly where we can go in, you can test the technology out, and you’ll see a multi-fold improvement in performance right off the bat.

All right. So now, having looked at the various options, let’s look at it from the lens of what is it that you really care about. So, going back a couple of slides, we spoke about user experience being the most important criteria for Office 365 access. You also have elements of reliability, mainly because this is the way that all your employees access email. And we all know what happens when email goes down, and so, reliability is absolutely a huge concentration.

The larger enterprises and more-regulated, we spoke about security, and also, as you start to deploy this infrastructure, as you start to – not just Office 365, but rather [SD-WAN-izing] the infrastructure, what does that mean with respect to knowledge, right? Can I use some of the things I’ve learned from traditional networking here? What does this mean with respect to complexity and so forth.

So, as you start to evaluate the options, our recommendation, back to the customer, is essentially, look at it from these lenses and there’s no one-size-fits-all. Once again, you can have a variety of these options as well. But choose the one that most optimally suits your environment. We won’t go through all of the options in detail, but I’m just going to take on the first two. If you look at direct internet access, from an Office 365 standpoint, because Microsoft has a huge coverage across the globe, that would be the best option to connect into O365.

Essentially, you do a split-tunnel locally at the site and you line that Microsoft through the front door and Microsoft takes care of taking you from that front door to various data sites in the most optimal way. Now, obviously, if you have all internet connections, and all your internet connections are spic-and-span, then this was a great option. But obviously, we all know, having access to a variety of applications from our home and also from the office, this is not the most optimal option.

But at the same time, it also gives you a decent amount of reliability. Internet is inherently considered unreliable, but if you put in elements of path optimization, with respect to loss, latency, jitter, and then data mining the actual telemetry all the way up to the user application, then reliability can be addressed. So, if it’s doing a simple split-tunnel and doing a spray-and-pray, you can actually SD-WAN-ize your infrastructure, use some of the capabilities, and then bring in additional elements of reliability.

You’re still bound to the best possible reliability of your underlying infrastructure, so you can use a couple of them. Many of our customers use a combination of a private connection, augment that with a broadband connection or an ISP connection – some of them use dual broadband, and augment that with an LTE. So, you have a variety of choices, but at the same time, if all of them fail, then you do have issues with respect to reliability that you need to just consider.

The other element in all of this is security. With the DIA approach, or the direct internet access approach, you do have to split-tunnel at every single site, which means now, if I have multiple thousands of these locations, every single one of those points are an [attack] vector, because it’s just exposed out to the internet. So, it’s something for you to be aware of. Now, we’re not recommending that you aggregate traffic from there, send that through an intermediate point for scrubbing before traffic goes out to the internet, but it’s just something to be wary of.

The other two elements of the DIA approach is that you can really, quickly deploy this. DIA is not new. Many enterprises have been doing split tunnels and sending traffic that is either deemed less-critical or guest Wi-Fi and so forth, off to the internet and so you can use kind of the same mechanisms here. And at the same time, deploying this really comes at low operational complexity. So, this is an option if you really want to test something quickly, see what kind of an access you get, see if some of the sites are problematic before you go down to the rest of the options as well.

The more popular one as I mentioned, across a few hundreds of deployments that we have, is really the regional hub model. The regional hub model is really simple. I place an element of SD-WAN inside of a carrier-neutral facility. At that location, I have internet peering directly to the SaaS applications and so I do not have to worry about the last-mile vagaries of internet. So, I can go over a less reliable connection. If I have one connection that works reliably, when I have two or three of those, then I am always sure that I use the carrier-neutral facility in the most optimal way.

So, from an experience standpoint, it’s definitely much better than DIA. Also, you have plenty of bandwidth to play with and you’re not doing a spray-and-pray. So, from that standpoint, the regional hub model tends to be providing a good mix of reliability with performance. Security is also pretty high because you’re aggregating to a fewer number of locations. So even if you have thousands of sites, you would probably aggregate them to maybe a handful of locations, and then you can actually have maybe a firewall or a SWG before traffic goes out to the internet.

And so, it becomes a lot more secure from that standpoint. There is a bit of a learning curve, mainly because carrier-neutral facilities, even though they have existed for quite some time, are not that popular. You do have to worry about exchange peering and running [Unintelligible 0:23:28] and so forth. Not horribly complex, but at the same time it’s not as simple as click a button and off you go.

And so, those are kind of the two options I wanted to go through in detail. Essentially giving you a balance between really, really low complexity with this more regular complexity but giving you much better performance as well. And so, we have a blueprint, Viptela does provide a blueprint for each one of these options, and a combination of these, all the way from “what do you have to do in order to size your infrastructure” to “what do you have to do to architect it so that you place appropriate cloud gateway”.

And also, “how do you measure ongoing infrastructure improvements” as well. And so, we can certainly get into quite a bit of detail there. So, now, we spoke a little bit about security. I just want to double-click on what that means. Once again, you have a few options to play with. And there’s no, again, one-size-fits-all. It really depends on the infrastructure and what you already have, and what you’re familiar with.

So, some of the customers, instead of doing a split tunnel directly from the branch and accessing O365, like to go through a SWG like Zscaler and access O365 using that. That’s one of the options. You could, essentially, place an on-prem firewall. Now certainly the more number of endpoints that you have, the management complexity of those on-prem firewalls also grows in size and so you have to worry about that.

Those are kind of your option one, so to speak. Option number two is essentially place an on-prem firewall at the regional facility, or from the regional colo facility, you can use a SWG like Zscaler to access Office 365 for secure access. And certainly, the same thing for the ExpressRoute – if you’re using an all-private connection to access Office 365. And so the punchline here is that you do not have to completely re-architect and change your infrastructure in order to access Office 365 in a secure fashion.

You just need to be aware and you just need to be able to enforce policies based on that. And so, it becomes an easier conversation. We’ve seen application folks and we’ve seen networking folks have this conversation in a really easy way with their security counterparts and so it becomes hey, how do I SD-WAN-ize my infrastructure, and at the same time, how do I provide the most optimal application experience as well.

All right. So I want to kind of bring everything together in the context of an actual deployment. And this is a Fortune 500 food distributor. And the footprint looks something like this. So, way at the bottom you see Branch 1 and all the way up to Branch n, they did have multiple hundreds of branches. They had reliability and redundancy at each one of those branches. Initially, they were dual-connected over MPLS providers – one-point-five meg connection going east and one-point-five meg connection going west – and so a net aggregate of about three megs going into the branch.

They had multiple types of branches as well. So, some of them got three megs, some of them got six, some of them got 12 megs. And so, they were looking at, okay how do I on-board O365? And so, the initial version of this project really was: don’t change anything in infrastructure; keep the two MPLS networks exactly the same; aggregate all the traffic from my branch to the data center that you see – data center A and data center B at the top – and then access O365 from there.

Now this obviously had all of the challenges that we just spoke about – the tromboning problem, the spinning wheel problem, and so forth. And naturally, the customer said hey you know what, maybe I should bring ISP connections into each one of these branches, and do a split tunnel out of that. And so, they did go down that cloud to, whereby through a simplified policy manager, they were able to say hey, Office 365, just do a split tunnel out of my branch, go out to the internet, and access Office 365.

If for some reason, the telemetry and the ongoing performance enhancements and measurements determine that the path is bad, then make sure that it has a fallback back to my MPLS. So, that way, I get a pretty fat pipe going out to the internet to access Office 365, and I also have a fallback to maybe a skinny pipe, but at the same time I’m able to prioritize my applications over that skinny pipe.

So, that was the thought process that they went with since they had multiple hundreds of sites. They converted a couple of them and then expanded out to a dozen, and then went to about 30 sites, let that run for a couple of months, figure out the actual performance improvements. The unanimous feedback from the various employees was the access to O365, and the experience, was at least four times – in some locations ten times – better.

They were able to quantify that as well across the various O365 applications. And once they determined what that was and really got comfortable with the operations of it, then they actually went en masse and converted their entire infrastructure. So, the end-state architecture looked somewhat different. They were able to essentially get rid of one of the MPLS clouds that you see, so instead of having just two, MPLS1 and MPLS2, they got rid of one of the MPLS infrastructures and we all know that means essentially a lot of savings back into the various lines of business and the IT teams.

They augmented the bandwidth at the site, in many cases ten-fold if not at least 20-fold in many of the locations. They got optimal access out to Office 365, and they were able to take care of all the security as well, locally at the branch. The SD-WAN infrastructure provided by Viptela that you see in the blue boxes, both at the branch and at the data center – inherently provides some level of firewalling, so we were able to do a split-tunnel, make sure that in-bound access control from the internet does not attack their infrastructure.

So they were able to get a huge buy-in from the security teams, and they were able to deploy this. And this is actually a private [Unintelligible 0:30:30] customer, so if somebody’s interested, let us know, we can go through what the before and the after picture looked like and put you in touch with the customer as well so that you can hear first-hand from them as well. So this is again bringing in many of the things that we spoke about with respect to user experience, with respect to a hybrid [WAN] infrastructure, where you’re able to go from an all-private dual MPLS to a combination of MPLS and internet, and at the same time, get much better application performance, better access to O365 and take care of the security as well.

And so the journey lasted roughly about 90 days from initial outgoing and pitching to the customer the value of SD-WAN, all the way up to the initial deployment. And from there, the large-scale deployment really happened over a few weeks. Because that’s one of the values that you get with SD-WAN-izing your infrastructure as well. So, I want to leave this with a few takeaways, and not too complicated – it’s a rehash of many of the things that we spoke about.

The first thing being, just make sure that your infrastructure is cloud-ready. There is a huge difference between consuming the SD-WAN infrastructure as a service, versus making the infrastructure cloud-ready. Ideally, you want both, and so make sure that you emphasize on, is my wide area going to be cloud-ready so that I can on-board fast, I can onboard IaaS and so forth. At the same time, make sure that you optimally choose the exit points, there is enough juice in the technology so you can prepare a few of these boxes and pieces of software across your infrastructure, and you’ll be able to identify the most optimal cloud exit points.

And, balance that with the ease of operations and the learning curve and so forth. And at the same time, involve your security teams right at the start. Make sure that you really involve them right from the start so that through the whole process of network architecture to Day Zero to Day Two operations, they’re involved in making sure that your network does not become complex after the fact. So, with that, we’ll pause and…Lloyd?

Lloyd: Yeah. So, we have a few questions coming in. We want all of you to send your questions by the chat box there. So, the first question is “Other than Office 365, what kind of optimization can you do for the other SaaS applications?”

Ramesh: Yeah, so many of the things – that’s a big question – so many of the things that we spoke about here are not exclusive to Office 365. It’s just that O365 seems to be a beast by itself, being a suite of products as opposed to a single product. Many of our customers have realized a similar if not better benefits for things like Box and Dropbox file sharing applications. At the same time, for and so forth.

It’s just the applications – [Unintelligible 0:33:42] applications, file-sharing applications tend to be a lot more frequently accessed. And so, the benefits are a lot more apparent and immediate, but the very same architecture and the very same blueprint can be established across your entire SaaS footprint.

Lloyd: The next question is: “In a mid-size to large-size enterprise, how many regional hubs would you expect to have worldwide?”

Ramesh: Yes, that’s a very good question. So, there is unfortunately, no one-size-fits-all. We have customers that have thousands of sites – I’ll take a couple of examples. One really large manufacturing firm has about 12 hundred sites. They have four locations that they regionally aggregate. Mainly because their footprint is such that they can afford to just have four. We do have another large retailer that, again, has a few thousands of sites but they have a lot more locations because they have presence in multiple countries. They have regionalization requirements and whatnot.

And so, that would be one of the first things that we would look at. Look at your footprint and determine where should you place your cloud exit points. An interesting thing is, the amount of effort required to spin up one cloud exit point is exactly the same – whether you do one or you do 20. And so, complexity really is not that big a factor. Cost is, and so we can guide you through that. It’s often a trade-off between the most optimal performance and the liability that you get. And so it’s an exercise that we can go through.

Lloyd: The next question is: “Do you have any data points on before-after performance with user experience?”

Ramesh: Yeah, absolutely. So, the tested performance improvements that we have with Cloud Express points in the direction of about four to five x at the minimum. And so, take a file share application or an Office 365 email exchange application, you will get at least a four to five fold improvement in performance. Now if you architect the network so that you have a good footprint, you have the best reliable connections going out to these carrier-neutral facilities and so forth, we are seeing in some cases over ten x improvement as well.

And so, it largely depends on the footprint and the placement of the cloud gateways, but at a minimum, we would expect four to five x improvements. Yeah.

Lloyd: Next question is – I think it’s a follow-on to what you just answered – so basically what Viptela is offering is an application [Unintelligible 0:36:28] mission that enables simple application-specific split-tunneling out from the site. [Forever] understood it wrongly.

Ramesh: Yeah, so the short answer is, Viptela provides a whole lot more than simple split-tunneling based on applications. Specifically, in the context of O365, you have elements of split-tunneling out of a site. Now if internet is highly unreliable, and you need to fall back to a defense circuit, then you do need to do path optimization, path measurements, figure out the most optimal routed path to the other end-points that can give you the most optimal experiences.

So, the short of it is the Viptela SD-WAN architecture gives you underlying transport diversity, a whole host of capabilities with respect to routing security, segmentation, service insertion and so forth. And then all of the application-aware capabilities – the cloud on-ramp capabilities and so forth on top. What we have probably talked about today is about 10, 15 percent of what the technology provides, but specifically for Office 365, this is kind of the main ingredient.

Lloyd: Okay. Next question is: I’ve heard from Microsoft that they suggest you avoid any sort of web-secure gateway, or web-[Unintelligible 0:37:54] Zscaler on traffic to O365. Is that common?

Ramesh: Yeah, that’s a great question. And the short answer there is, from a Microsoft standpoint, they want to make sure they’re as close as possible to your user. Which means, from the site, access the internet, go to Microsoft, and they’ll take you to as deep of the infrastructure as needed. They do provide elements of application-level security, but they really do not have a control over the underlying network. And neither do they have control over regionalization.

So, if you’re a site out in France for example, and you need to access your internet out of Germany, then you can certainly understand the challenges associated with that. And so, the short answer is, from their standpoint they do not, but what we see from a deployment standpoint is customers are kind of mixed, right? You have some that have a good enough footprint, and so can access Office 365 directly from their metro regions, some where you need to go through a cloud security gateway and access Office 365.

So, it does not break the architecture; it becomes a choice. And actually, some of the customers eventually completely avoid any kind of firewalling and access Office 365 as well. So you have a choice, but at the same time, it depends largely on your footprint whether you need this or not.

Lloyd: Next question is: “Is the connection to Office 365 an HA, or a high availability configuration?”

Ramesh: That is right, yes. So, using the Cloud Express functionality that Viptela provides, and also the regional aggregation to a carrier-neutral facility, you inherently achieve a high availability. What I mean by that is there are a constant set of probes that run through the infrastructure, all the way up to the application server that determines if the path that you’re currently taking is optimal. And there are some [heuristics] that go behind what does optimal mean, that’s native to the application platform.

And based on that, we figure out hey, is this the most optimal way? Or is there another way? In many cases, you would be surprised that even if you have a single internet connection out, you will be able to access Office 365 in probably three or four different ways. And Viptela can help you make that choice automatically, so all you need is to enable the functionality and we take you, in a highly available way, all the way up to Office 365.

Lloyd: So, the next question is: “What are your customers doing for sites in China that have a 300-millisecond latency due to the great firewall there? Especially the latency to 365 hosted in either Europe or North America?”

Ramesh: Yeah, so this is a webinar by itself. But the short of it is, you can choose to exit out of locations like Hong Kong to access Office 365 if that’s a little more palatable. Otherwise what we have seen can be successful is to jointly go with Microsoft to the customer in those regions or to the subsidiary of the enterprise in those regions and figure out what is the most optimal way. But the analysis is spot-on. If you have to go through the great firewall, then you will incur additional latencies.

But both Viptela and Microsoft have a way to not circumvent that, but rather optimally access Office 365 as well.

Lloyd: Okay. The next question is: “Some competitors of Viptela and VeloCloud, which are [Unintelligible 0:41:41] and Aryaka, have a [Unintelligible 0:41:42]-friendly approach to mitigating latency on SD-WAN. What is Viptela’s view, particularly for sites in China accessing Office 365, SharePoint, and Exchange?”

Ramesh: Yeah, so the [unintelligible]-friendly approach – you have to look at the [unintelligible] in a certain context, right? How much of transactional traffic do you have, how much can you actually cache, and how much of real-time do you really have on top of it, right? And so, if you break down your applications into real-time versus cacheable, this is an easily-answered question. The short of it is [Unintelligible 0:42:21] can help you to some extent, but ultimately, at the end of the day, there are path-optimization, wide area enhancements – especially some of the visibility, some of the policies that you really need to have inherent in your infrastructure in order to access these applications in the most optimal way.

So, the short of it is, the policies can just be simply split across regions, so you can say for China, I want to have these kind of thresholds on latencies and whatnot, for America this is kind of what I need, and for Europe, this is what I need. Bear in mind that Office 365 data store is also in a single location for your SharePoint and whatnot, which means if you have a headquarters out of America’s region, and you have a site out in Europe, then you need to make sure you have the most optimal access into Microsoft.

What I would say is, do not do anything unnatural, i.e., optimize it so that you are as close as possible to the data. What we have seen work really, really well is access Microsoft. So as long as you think about how to access Microsoft in the most optimal way, these problems are easily addressed.

Lloyd: Okay. So, we are running out of time. We have time for two short questions. The first one is: “Can there be dual drops for resiliency at the branch level?”

Ramesh: So, if I understand this question correctly – so, at the branch level, you can address resiliency by essentially putting another device there and connecting another ISP connection, or a private connection, into that. So, that’s one way of addressing it. At the same time, if you have multiple different circuits, you can connect all of them into a single device, then you should be able to address that. So, I need to understand that question a little bit more before we provide the full answer.

Lloyd: Yes, and I guess people can reach Ramesh at –

Ramesh: Yes.

Lloyd: – for further questions. The last question is: “Are you planning on leveraging your relationships with Verizon and the other carriers that you offer this service with routing, to cloud gateways and other exit points?”

Ramesh: Yeah, absolutely. So, the short of it is yes, mainly because you want to have as rich a presence as possible. And so, many of the carriers have already developed really good relationships and peering arrangements with Microsoft, and we naturally want to be able to use that in the most optimal way. So once again, through the Cloud Express functionality, we will be able to determine is split-tunnel the best option?

Is a connection through Verizon into O365 the best option, or is it through a carrier-neutral facility and so forth? And so, the short answer is, we want to make sure that we have well-identified and defined points of peering into Microsoft and we are able to use that in the most optimal way.

Lloyd: Wonderful. So, we are running out of time and we have a few more questions we’ll respond to you personally after this session. I want to leave you with – I hope you enjoyed this session today. I want to leave you with four other interesting sessions that you might check out that are related to this one. One is [Yvonne] [Unintelligible 0:45:40] from Kindred Healthcare presenting her complete SD-WAN transformation, and she herself reported about 4x improvement in performance in some of her applications and she’ll share details on that.

The next is a related session on actually, optimizing AWS and Azure migration, the [unintelligible] migrations using SD-WAN. Another interesting session coming up. And for those wanting to understand [unintelligible] and Zscaler and cloud security, that session’s coming up too, later this week. And we have Seamus, who presented earlier today, and his session is available on demand. He’s presented his entire research on people who are either considering SD-WAN migration or have already done it.

So, all these sessions are available free. You should consider checking all these sessions out, on demand. So, with that, we want to really, really thank you for joining this session today and we hope you got educated on the subject and please reach us for any questions.

Ramesh: Thank you everyone.
