Using Your Corporate VPN with Evolphin Managed Cloud-based Zoom Servers

Context

Customers use corporate VPNs to access corporate resources behind their firewalls, including workstations, network shares, and printers. When you turn on the corporate VPN on your workstation, traffic from your desktop is routed to the Evolphin Cloud services on AWS in one of two ways:

  1. All traffic, including Evolphin Cloud requests, is routed through your corporate VPN to your corporate VPN service and from there is re-routed to the Evolphin Cloud, so the VPN adds an extra hop. In other words, this is an exclusive rule that sends all IPs, your corporate IPs as well as any IP on the Internet such as the Evolphin Cloud service, through your VPN.
  2. Only your corporate traffic is sent to your corporate VPN service; the rest of the traffic, including Evolphin Cloud requests, bypasses your corporate VPN and is sent directly over the Internet. In other words, this is an inclusive rule that sends only your corporate IPs through your VPN.

This is controlled by the corporate security team that manages your VPN, not by Evolphin.

Recommendations

We strongly recommend that you have your corporate security team configure your VPN service to use option 2. Why is that? The reason is very simple. Evolphin uses the standard AWS S3 service extensively for transferring your high-res media to its cloud. The AWS S3 service does not have a static or fixed IP address. Rather, AWS S3 uses a load balancer to route transfer requests to the best server in its cluster at any time. In other words, there is no way for Evolphin to guarantee that all your S3 traffic will be routed to a static IP.

In contrast to the AWS S3 traffic, the standard Evolphin Zoom cloud services are routed by default to a well-known static IP. This IP is mapped to the DNS host name you use to connect to the Evolphin Zoom Cloud.

If your corporate security team insists on using option 1 from above, they might be under the wrong assumption that they can simply configure their VPN service to bypass the Zoom static IP by whitelisting it and be done. They might not realize that AWS S3 traffic will not be bypassed with option 1. There is no easy way to whitelist AWS S3 traffic because the dynamic IPs keep changing on Amazon’s side.
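The difference between options 1 and 2 can be modeled as a routing decision per destination IP. The following is an added example, not Evolphin's code or configuration; all addresses are constructed placeholders from documentation and private ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values, not real Evolphin or AWS addresses.
CORPORATE_NETS = ["10.0.0.0/8"]   # networks behind the corporate firewall
ZOOM_STATIC_IP = "192.0.2.10"     # stands in for the Zoom service's static IP
# Stands in for successive DNS answers for one S3 endpoint (they change over time).
S3_ANSWERS = ["198.51.100.23", "203.0.113.77", "198.51.100.140"]


def _matches(ip, cidrs):
    """True if ip falls inside any of the given networks or single addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def route_option1(ip, bypass):
    """Option 1: everything goes through the VPN except explicit bypass entries."""
    return "direct" if _matches(ip, bypass) else "vpn"


def route_option2(ip, include):
    """Option 2: only the listed corporate networks go through the VPN."""
    return "vpn" if _matches(ip, include) else "direct"


def compare(destinations, bypass, include):
    """Map each destination to its (option 1, option 2) routing decision."""
    return {ip: (route_option1(ip, bypass), route_option2(ip, include))
            for ip in destinations}


if __name__ == "__main__":
    destinations = ["10.1.2.3", ZOOM_STATIC_IP] + S3_ANSWERS
    # Option 1 with only the Zoom static IP whitelisted, versus option 2.
    table = compare(destinations, bypass=[ZOOM_STATIC_IP], include=CORPORATE_NETS)
    for ip, (opt1, opt2) in table.items():
        print(f"{ip:16} option1={opt1:6} option2={opt2}")
```

With only the static IP on the bypass list, every S3 answer still takes the VPN path under option 1, while option 2 sends them direct without needing to know the addresses in advance.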

If you do not work with video or use our S3 client hub to transfer large media from your workstations, you could use option 1, but in the longer term, as your needs grow to encompass video or high-res media, you will need option 2. That is why we recommend option 2. For option 1, your corporate security team can easily obtain the Zoom services static IP by using a DNS tool like dig or nslookup, or any number of websites that check the DNS hostname to IP mapping.

If your corporate security team still insists on using option 1, they will need to ensure that speed and connectivity problems, such as lost TCP packets through the VPN connection, do not occur. This is easier said than done. Unfortunately, your best bet in this case might be to turn off your corporate VPN when using the Evolphin Zoom Cloud services.