Set up and monitor work-from-home VPN users

In this article you’ll learn how to monitor the network performance of work-from-home VPN users by:

  • determining where to deploy AppNeta Monitoring Points and deploying them.
  • setting up AppNeta Performance Manager (APM) to monitor a user’s network performance.
  • setting up alerting, notifications, and reporting to help locate and resolve network issues proactively.

Note: As with any major deployment, it’s best practice to test a small pilot group first to make sure everything is working as expected before rolling out to all users. Then consider a staged rollout to subsets of users: for example, VIP users, a high-priority team such as call center users, or users in a specific geographic area.


Prerequisites

  • An organization set up in APM.
  • A Monitoring Point for the central site (r90 or r1000 are typical).
  • A Workstation (n10) license for each user.
  • Organization Admin or Advanced user role privileges on APM for setup.
  • Administrative privileges on the work-from-home user’s computer.
  • In the Split tunnel scenario, if traffic passes through a firewall at the corporate site, it must allow ICMP traffic to the VPN gateway.

Use cases

Consider two use cases: Split tunnel and Full tunnel. Use the one that applies to your environment.

Split tunnel

Network diagram showing an NMP at a user site with a path to a Monitoring Point at the central corporate site via VPN and paths to a web app and the VPN Gateway outside the VPN.

In the Split tunnel scenario, only corporate network traffic passes from the user through the VPN to the central corporate site. All other traffic is routed outside the VPN. The advantage of this scenario, from a monitoring perspective, is that we can review the performance of the non-VPN paths (P1 and P3) using tools available in APM to isolate issues with the user’s ISP infrastructure.

Full tunnel

Network diagram showing an NMP at a user site with a path to a Monitoring Point at the central corporate site via VPN and a path to a web app through the VPN to the central corporate site then from there to a web app.

In the Full tunnel scenario, all traffic passes through the VPN to the central corporate site. Traffic to external applications/services is routed from there.

What’s being measured

  • P1 - Monitoring to a web app via single-ended path measures the user’s network performance to that app.

    • Split tunnel - The measurement is of infrastructure strictly outside the VPN.
    • Full tunnel - The measurement is through the VPN tunnel and then, once at the central site, outside of it to the web app.
  • P2 - Monitoring to a central site through the VPN via dual-ended path measures the VPN performance. Applies to both use cases.

  • P3 - (Applies to Split tunnel only) Monitoring to the VPN Gateway at the central site via single-ended path measures the performance of the infrastructure the VPN operates on and shows the route the VPN traffic takes to the central site.

Note: The use cases shown above are VPN-specific but the same principles apply to non-VPN use cases. Also, your environment may have variations that you’ll need to account for. For example, you may have some traffic going directly to an application and some passing through the VPN to your corporate site and then to the application. You’ll have to adjust your configuration to take this into account.

Set up and monitor

Step 1: Deploy the Monitoring Points

One Monitoring Point is deployed at the central site and another (an NMP) is deployed on each user’s computer.

Deploy a Monitoring Point to the central site

Deploy an AppNeta Enterprise Monitoring Point (EMP) of sufficient capacity (typically an r90 or an r1000) to your central site (data center, hub, corporate head office) as a VPN performance monitoring target. See Getting Started.

Create NMP deployment packages

You must also deploy an NMP on the computer of each work-from-home user you want to monitor. To prepare for this, create a separate downloadable package for each client operating system (supported operating systems include Windows and macOS). The appropriate package can then be downloaded and installed on the user’s computer.

Note: If you have multiple APM organizations, you will need one downloadable package per relevant operating system specific to the organization you want the NMP to connect to. A given computer can only have one NMP instance installed and it can only be connected to one organization.

  1. Log in to APM.
  2. Select an organization (if you have more than one).
  3. If you’re setting up your first Monitoring Point, you will be taken to the first step of the Add Monitoring Point wizard.
  4. If your organization already has Monitoring Points, navigate to > Manage Monitoring Points > Add Monitoring Points.
  5. In the Platform Type field, select the NMP type you are creating (for example, “Windows (native)”).
    • Follow the instructions to download the NMP software and configuration for your operating system and organization.
    • The installer is downloaded to your computer.

Install the NMP software

There are two ways to install the NMP software:

Manual install

  1. Move the downloaded installer file(s) to a location your users can access.
  2. Create installation instructions for your users specific to your environment. Use the following as a basis for your instructions.
  3. If users have a firewall at their site, it needs to be configured to allow the NMP to access AppNeta Performance Manager (APM). Installation instructions need to be modified as appropriate in this case.
  4. Once the packages are available for download and you have created installation instructions for users, you can send the users the instructions.

Unattended install

To deploy to multiple user computers using a Configuration Management (CM) tool (for example, Microsoft Endpoint Manager (formerly SCCM)), see:

Step 2: Set up monitoring

In order to monitor network performance, you need to create network paths from user computers to the targets identified in the diagrams above. You also need alerts configured to define when network performance metrics are outside of acceptable thresholds. Set up the alerting configuration first so that it is available when you set up the network paths.

Create a time range for alerting

In order to alert on network issues only when users are active, we recommend creating an alerting time range called “Business Hours” that spans your typical business hours. For example, Monday to Friday 08:00 - 18:00. This time range is with respect to the time zone of each installed NMP.

See Create a time range.

Create an alert profile

In order to trigger an alert when a user is experiencing network performance issues, you need to create an alert profile that specifies the limits of acceptable network performance. This is a starting point and may need to be modified for your environment depending on whether you are receiving too many or too few alerts.

We recommend creating an alert profile called “WFH Users” containing the following conditions:

  • Data Loss - violates when data loss is above 2% for 2 minutes and clears when it is below 2% for 2 minutes.
  • Voice Loss - violates when voice loss is above 2% for 2 minutes and clears when it is below 2% for 2 minutes.
  • MOS - violates when MOS is below 3.7 for 2 minutes and clears when it is above 3.7 for 2 minutes.

Note: The recommendations for violating and clearing times (2 minutes) should be used as a starting point. If you are encountering too many violations, consider increasing this time (for example, to 5 minutes).

See Create a custom alert profile.
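
To show how the 2-minute hold times in the “WFH Users” conditions interact with the “Business Hours” time range, the following added example (not AppNeta code, and not a description of how APM is implemented) evaluates constructed one-minute samples. It assumes one sample per minute, a fixed UTC-5 offset standing in for the NMP’s time zone, and that samples outside the time range are not evaluated; `Condition`, `evaluate` and `constructed_samples` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Condition:
    metric: str
    threshold: float
    bad_when_above: bool              # True for loss (%), False for MOS
    hold: timedelta = timedelta(minutes=2)

# The "WFH Users" conditions recommended above.
WFH_USERS = (
    Condition("data_loss", 2.0, True),
    Condition("voice_loss", 2.0, True),
    Condition("mos", 3.7, False),
)

def in_business_hours(ts, tz):
    """Monday to Friday 08:00 - 18:00 in the NMP's own time zone."""
    local = ts.astimezone(tz)
    return local.weekday() < 5 and 8 <= local.hour < 18

def evaluate(samples, cond, tz):
    """Return (event, metric, time) tuples for one condition on one path."""
    events, violated, streak_start = [], False, None
    for ts, metrics in samples:
        value = metrics[cond.metric]
        bad = value > cond.threshold if cond.bad_when_above else value < cond.threshold
        good = value < cond.threshold if cond.bad_when_above else value > cond.threshold
        # Assumption: samples outside the time range are not evaluated.
        if not in_business_hours(ts, tz) or not (good if violated else bad):
            streak_start = None       # streak broken, hold timer restarts
            continue
        streak_start = streak_start or ts
        if ts - streak_start >= cond.hold:
            violated, streak_start = not violated, None
            events.append(("violated" if violated else "cleared", cond.metric, ts))
    return events

def constructed_samples():
    """Constructed one-minute samples starting Monday 07:58 local (UTC-5)."""
    start = datetime(2024, 3, 4, 12, 58, tzinfo=timezone.utc)
    loss = [5, 5, 5, 5, 5, 0, 3, 0, 0, 0, 0]
    mos = [4.2, 4.2, 4.2, 4.2, 4.2, 4.2, 3.5, 3.5, 4.2, 4.2, 4.2]
    return [(start + timedelta(minutes=i), {"data_loss": l, "voice_loss": 0.0, "mos": m})
            for i, (l, m) in enumerate(zip(loss, mos))]

if __name__ == "__main__":
    nmp_tz = timezone(timedelta(hours=-5))   # fixed offset stands in for the NMP time zone
    for cond in WFH_USERS:
        for event, metric, ts in evaluate(constructed_samples(), cond, nmp_tz):
            print(ts.astimezone(nmp_tz).strftime("%H:%M"), metric, event)
```

In the constructed data, loss before 08:00 local is ignored, a one-minute return to 3% loss restarts the clearing timer, and a MOS dip shorter than the hold time raises nothing.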

Create a Path Template Group and path templates

To simplify network path creation from each user’s NMP to the selected targets (for example, a web app, central site, and potentially your VPN Gateway’s public IP), create a Path Template Group with a separate path template for each target.

  1. Create a Path Template Group called “WFH users”.
  2. Create a path template for each target (“Web app”, “Central site via VPN”, and “VPN Gateway”).

Use default configuration options except as follows:

  • Path template for the Web app.
    • Specify the hostname or IP address of the web app to monitor. For Microsoft services, see Monitoring Microsoft services.
    • Group - Create a group called “Web app”. This will provide more flexibility in reporting.
    • Network Type - Set to WAN.
    • Target Type (data and voice traffic) - Set to Auto.
    • Target Type (data traffic only) - Set to Client: WAN to reduce monitoring overhead.
    • Alert Settings / Time Range - Set to “Business Hours”.
    • Alert Settings / Alert Profile - Set to “WFH Users”.
  • Path template for the Central site via VPN.
    • Specify the hostname or IP address of the AppNeta Monitoring Point deployed at the Central Site.
    • Group - Create a group called “Central site via VPN”.
    • Dual Ended Path - Check the checkbox.
    • Network Type - Set to WAN.
    • Target Type (data and voice traffic) - Set to Auto.
    • Target Type (data traffic only) - Set to Client: WAN to reduce monitoring overhead.
    • Alert Settings / Time Range - Set to “Business Hours”.
    • Alert Settings / Alert Profile - Set to “WFH Users”.
  • Path template for the VPN Gateway (create this only for the Split tunnel use case).
    • Specify the hostname or public IP address of the VPN Gateway deployed at the Central Site.
    • Group - Create a group called “VPN Gateway”.
    • Network Type - Set to WAN.
    • Target Type - Set to Client: WAN.
    • Alert Settings / Time Range - Set to “Business Hours”.
    • Alert Settings / Alert Profile - Set to “WFH Users”.

Add NMPs to the Path Template Group

As the NMPs come online, they will appear on the Monitoring Points page.

  1. When an NMP comes online, its status will appear as OK (green circle with white check mark). If it doesn’t, you’ll need to troubleshoot the issue.
  2. License it, update its location, and add it to the “WFH users” Path Template Group.
    • If you are deploying at scale, work with your AppNeta Technical Account Manager (TAM) to create a script to automate this step.
  3. Confirm that its network paths are being monitored on the Network Paths page.
  4. Once monitoring starts, you can check out a network path’s performance.

Set up alert notifications

If you want to be notified via email or via SNMP when an alert is triggered, you need to set up notifications.

See Notifications.

Step 3: Find users with poor network performance

The Application Quality Detail Report is a great tool to find the users experiencing the worst network performance. To use it:

  1. Create a Saved List for each target (“Web app”, “Central site via VPN”, and “VPN Gateway”).
    • Use the Groups filter to add the appropriate network paths to each Saved List.
  2. Navigate to Reports > Report List > Application Quality Detail Report.
  3. Configure the Application Quality Detail Report.
    • Saved List - Use the list containing the network paths you want to report on.
    • Update (button) - Specify the time range you are interested in.
    • Performance Data - Set to Network Path only.
    • Location - Set to Most Specific unless you are interested in a different level of grouping.
    • Sort By - Set to Violation Duration (recommended).
    • Limit Paths/Location - Set to 5 (typical).
    • Limit Locations - Set to All (typical).
  4. Review report results. If the report has not run, click Run Report.
    • Review the By Location section. The results are sorted by Violation Duration, so the worst performing location appears first. Click “+” to expand the location you are interested in.
    • The Violation Details column describes the violations.
    • Violations (red bars) indicate violations of the alert profile you created.
    • Service Outage (black bars) indicate service outages (for example, the Monitoring Point was turned off). This metric is not useful in this use case as we are monitoring work-from-home users and they can turn off their machines (and by extension, their NMPs) at any time.
  5. To follow up on user sites with poor network performance, see Troubleshooting Network Problems.

Step 4: Troubleshoot network problems

In addition to detecting poor network performance using the Application Quality Detail Report, alerts are generated when network performance is outside of the limits specified in the alert profile.

If notifications are configured, these violations result in alert notifications being sent via email or via SNMP.

To troubleshoot network performance issues, see Troubleshooting Network Problems.

Managing the Monitoring Points

Once Monitoring Points are installed, the procedures to stop, restart, upgrade, and uninstall software on them vary by model.

Monitoring Microsoft services

AppNeta single-ended monitoring uses ICMP to measure performance to the remote target. The default configuration of Microsoft services including Azure, Office365, Teams, and Skype for Business is to block ICMP to most targets. Often, however, there are specific anycast servers recommended for monitoring. For example:

Service Single Ended Monitoring Target
Microsoft Teams
Skype for Business
Sharepoint & OneDrive

A full listing of the addresses used by various Microsoft services is available at Office 365 URLs and IP address ranges.