In this article you’ll learn how to use the AppNeta Performance Manager (APM) along with AppNeta monitoring points to monitor the network performance of work-from-home VPN users. It describes the process of deploying the NMP to a work-from-home user’s PC and a data center monitoring point at a central site then setting up APM to monitor the user’s network performance. It also describes how to set up alerting, notifications, and reporting to help locate and resolve network issues proactively.

Prerequisites

  • APM and appropriate licensing
  • A monitoring point for the central site (r90 or r1000 are typical)
  • An NMP for each user
  • Organization Admin or Advanced user role privileges on APM for setup

Set up and monitor

Two use cases are considered: Split traffic, and All traffic through VPN. Use the one that is applicable to your environment.

Network diagram showing an NMP at a user site with a path to a monitoring point at the central corporate site via VPN and paths to a web app and the VPN Gateway outside the VPN.

In the Split traffic scenario, only corporate network traffic passes from the user through the VPN to the central corporate site. All other traffic is routed outside the VPN. The advantage of this scenario, from a monitoring perspective, is that we can review the performance of the non-VPN paths (P1 and P3) using tools like the Route pane and Diagnostics to isolate issues with the user’s ISP infrastructure.

Network diagram showing an NMP at a user site with a path to a monitoring point at the central corporate site via VPN and a path to a web app through the VPN to the central corporate site then from there to a web app.

In the All traffic through VPN scenario, all traffic passes through the VPN to the central corporate site. Traffic to external applications/services is routed from there.

Monitoring to a web app (P1) via single-ended path measures the user’s network performance to that app. In the Split traffic use case, the measurement is of infrastructure strictly outside the VPN. In the All traffic through VPN use case, the measurement is through the VPN tunnel and then, once at the central site, outside of it to the web app.

Monitoring to a central site through the VPN (P2) via dual-ended path measures the VPN performance.

In the Split traffic use case, monitoring to the VPN Gateway at the central site (P3) via single-ended path measures the performance of the infrastructure the VPN operates on and shows the route the VPN traffic takes to the central site.

Set up and monitor work-from-home VPN users as follows:

Step 1: Deploy the monitoring points

A monitoring point is deployed at the central site and an NMP is deployed on each user’s computer.

Deploy a monitoring point to the central site

An AppNeta Enterprise Monitoring Point (EMP) of sufficient capacity (typically an r90 or an r1000) must be deployed to your central site (data center, hub, corporate head office) as a target for VPN performance monitoring. See EMP Setup to learn how.

Create NMP deployment packages

An NMP must also be installed on the PC of each work-from-home user you want to monitor. To prepare for this, you’ll need to create a separate downloadable package for each client operating system (OS). Supported OS’s include Windows, Mac OS, and Linux. The appropriate package can then be downloaded and installed on the user’s PC.

Note: If you have multiple APM organizations, you will need one downloadable package per relevant operating system specific to the organization you want the NMP to connect to.

To create an NMP deployment package:

  1. Log in to APM.
  2. Select an organization (if you have more than one).
  3. If you’re setting up your first monitoring point, you will be taken to the first step of the Add Monitoring Point wizard.
  4. If your organization already has monitoring points, navigate to > Manage Monitoring Points > Add Monitoring Points.
  5. Click the button for the operating system you are creating the package for (for example, Windows).
    • Follow the instructions to download the NMP for your operating system and the configuration for your organization.
  6. Create a .zip file with the files that were downloaded (for example, AppNeta-Windows-<orgname>.zip)
  7. Move .zip file(s) to a location (<file download location>) accessible by your users.

Create installation instructions for users

You need to create installation instructions for your users specific to your environment. Use the following as a basis for your instructions. Note that this is a Windows example.

Instructions for installing AppNeta network monitoring software on your Windows machine

  1. If you are a VPN user, make sure that you are connected via the VPN prior to installing the AppNeta NMP.
  2. Download the .zip file from <file download location>.
  3. Unzip the .zip file.
  4. Double-click the installation file (“Sequencer<unique number>.exe”) and follow the instructions.
  5. Confirm that the AppNeta NMP is running.
    • Within “Services”, the “AppNeta Sequencer Service” should have a status of “Running”.
    • If the software is not running, call network support at <IT/network support number>.
  6. Update the firewall rules on your computer. See Configuring for an NMP on Windows.
  7. Determine your computer name.
    • This can be found in Settings > About > Device Name.
  8. Send an email with your computer name and your contact information (first name, last name, location (city/state/country), email address, and phone number) to <IT/network support email address> to confirm that you have installed the software and that it is running.

Inform users

Once the packages are available for download and you have created installation instructions for users, you can then send the users the instructions.

Step 2: Set up monitoring

In order to monitor network performance, you need to create network paths from user PCs to the targets identified in the diagrams above. You also need alerts configured to define when network performance metrics are outside of acceptable thresholds. Set up the alerting configuration first so that it is available when you set up the network paths.

Create a time range for alerting

In order to alert on network issues only when users are active, we recommend creating an alerting time range called “Business Hours” that spans your typical business hours. For example, Monday to Friday 08:00 - 18:00. This time range is with respect to the time zone of each installed NMP.

See Create a time range for details.

Create an alert profile

In order to trigger an alert when a user is experiencing network performance issues, you need to create an alert profile that specifies the limits of acceptable network performance.

We recommend creating an alert profile called “WFH Users” containing the following conditions:

  • Connectivity - violates immediately on loss of connectivity to the target and clears immediately when connectivity is restored.
  • Data Loss - violates when data loss is above 2% for 2 minutes and clears when it is below 2% for 2 minutes. This is a starting point and may need to be modified for your environment depending on whether you are receiving too many or too few alerts.
  • Voice Loss - violates when voice loss is above 2% for 2 minutes and clears when it is below 2% for 2 minutes. This is a starting point and may need to be modified for your environment depending on whether you are receiving too many or too few alerts.

See Create a custom alert profile for details.

Create a Path Template Group and path templates

To simplify the creation of network paths from each user’s NMP to the selected targets (for example, a web app, central site, and potentially your VPN Gateway’s public IP), create a Path Template Group with a separate path template for each target.

  1. Create a Path Template Group called “VPN users”.
  2. Create a path template for each target (“Web app”, “Central site via VPN”, and “VPN Gateway”). Use default configuration options except as follows:
    • Path template for the Web app
      • Specify the hostname or IP address of the web app to monitor. For Microsoft services, see Monitoring Microsoft services.
      • Group - Create a group called “Web app”. This will provide more flexibility in reporting.
      • Network Type - Set to WAN.
      • Target Type
        • For data and voice traffic, use Auto.
        • For data traffic only, use Client: WAN to reduce monitoring overhead.
      • Alert Settings
        • Time Range - Set to “Business hours”.
        • Alert Profile - Set to “WFH Users”.
    • Path template for the Central site via VPN
      • Specify the hostname or IP address of the AppNeta monitoring point deployed at the Central Site.
      • Group - Create a group called “Central site via VPN”.
      • Dual Ended Path - Check the checkbox.
      • Network Type - Set to WAN.
      • Target Type
        • For data and voice traffic, use Auto.
        • For data traffic only, use Client: WAN to reduce monitoring overhead.
      • Alert Settings
        • Time Range - Set to “Business hours”.
        • Alert Profile - Set to “WFH Users”.
    • Path template for the VPN Gateway (create this only for the Split Traffic use case)
      • Specify the hostname or public IP address of the VPN Gateway deployed at the Central Site.
      • Group - Create a group called “VPN Gateway”.
      • Network Type - Set to WAN.
      • Target Type - Set to Client: WAN.
      • Alert Settings
        • Time Range - Set to “Business hours”.
        • Alert Profile - Set to “WFH Users”.
Monitoring Microsoft services

AppNeta single-ended monitoring uses ICMP to measure performance to the remote target. The default configuration of Microsoft services including Azure, Office365, Teams, and Skype for Business is to block ICMP to most targets. Often, however, there are specific anycast servers recommended for monitoring. For example:

Service Single Ended Monitoring Target
Microsoft Teams world52.tr.teams.microsoft.com
Skype for Business global.tr.skype.com
Office365 outlook.office365.com
Sharepoint & OneDrive 13.107.136.9

A full listing of the addresses used by various Microsoft services available at Office 365 URLs and IP address ranges.

Add NMPs to the Path Template Group

As the users deploy the NMPs and they come online, they will appear on the Manage Monitoring Points page.

  1. When an NMP comes online, license it and add it to the “VPN users” Path Template Group.
  2. Confirm that its network paths are being monitored on the Network Paths page.
  3. Once monitoring starts, you can check out a network path’s performance.

Set up alert notifications

If you want to be notified via email or via SNMP when an alert is triggered, you need to set up notifications.

See the Notifications page for details.

Step 3: Find users with poor network performance

The Application Performance Detail Report is a great tool to find the users experiencing the worst network performance. To use it:

  1. Create a Saved List for each target (“Web app”, “Central site via VPN”, and “VPN Gateway”).
    • Use the Groups filter to add the appropriate network paths to each Saved List.
  2. Navigate to Reports > Report List > Application Performance Detail Report
  3. Configure the Application Performance Detail Report.
    • Saved List - Use the list containing the network paths you want to report on.
    • Update (button) - Specify the time range you are interested in.
    • Performance Data - Set to Network Path only.
    • Location - Set to Most Specific unless you are interested in a different level of grouping.
    • Sort By - Set to Violation Duration (recommended).
    • Limit Paths/Location - Set to 5 (typical).
    • Limit Locations - Set to All (typical).
  4. Review report results.
    • If the report has not run, click Run Report.
    • Review the By Location section. The results are sorted by Violation Duration, so the worst performing location appears first.
    • Click “+” to expand the location you are interested in.
      • The Violation Details column describes the violations.
      • Violations (red bars) indicate violations of the alert profile you created.
      • Service Outage (black bars) indicate service outages (for example, the monitoring point was turned off). This metric is not useful in this use case as we are monitoring work-from-home users and they can turn off their machines (and by extension, their NMPs) at any time.
    • To follow up on user sites with poor network performance, see the Troubleshooting Network Problems page.

Step 4: Troubleshoot network problems

In addition to detecting poor network performance using the Application Performance Detail Report, alerts are generated when network performance outside of the limits specified in the alert profile. If notifications are configured these violations result in alert notifications being sent via email or via SNMP. To troubleshoot network performance issues, see the Troubleshooting Network Problems page.