During the webinar, we presented a multi-functional platform for online communication and a comprehensive VPN solution to integrate home offices and enable access for remote workers. We encourage you to watch.
Webinar – Remote working solutions for local government units
Paweł Deyk:
Hello everyone, welcome to the webinar on remote working solutions for local government units. My name is Paweł Deyk and I am a Project Manager in the Sales Team. Today I am accompanied by my teammate, Przemek Śleszyński, who will talk about the Zoom video conferencing solution and Michał Dębowski, who is the Key Account Manager and who will talk about Fortinet solutions.
Przemysław Śleszyński:
Hello everyone, my name is Przemysław Śleszyński and I am a Project Manager in the Sales Support Team. Today I will tell you about a solution offered by the Zoom platform and its capabilities.
Zoom was founded by Cisco engineers who also worked on the Webex product. The company launched their solution on the market in 2013 and so far approximately one million entities have used it. At present, it is safe to say that it is used in many more companies as well as individual users, not only institutional ones. So far Zoom, next to Cisco and Microsoft, has been one of the three leaders of the video conferencing solution, however, at the moment we might go as far as to say that when it comes to usage, it may turn out to be on the top thanks to the largest number of users.
Zoom is a typical cloud solution in which we use the company’s servers located around the world. We can use Zoom on laptops, desktops, smartphones, as well as create dedicated video conferencing rooms, just like in the case of solutions presented by Cisco. In Zoom it is usually done by using a dedicated Zoom Client for Meetings that we can install on our computer or smartphone. Zoom Client can also be accessed directly through your browser.
Zoom technically supports all systems currently available on the market (Windows, macOS, Linux, iOS, Android), has a dedicated solution for conference rooms, useful when we want to create separate conference rooms – and the transmission of video and audio is conducted in HD quality. Depending on the license, the number of users is limited to 100, 300 or 500. For basic licenses, the number of users can be increased by purchasing additional licenses. Zoom’s solution also enables recording of individual meetings. This can be done either via local or cloud recording. Depending on the license, we have a certain capacity of cloud storage space that can be increased. The application is used not only for video conferencing between individual users. It allows for sharing audio and video streams or documents such as PowerPoint presentations, Word or Excel documents (the share screen option). Zoom also allows you to use a whiteboard.
Joining a video conference is very simple. As a host, we can schedule a meeting and generate an invitation. There are two possibilities to create an invitation – either through an invitation link that contains the passcode in a hidden form or, alternatively, by requesting each participant joining the video conference to provide such a password, regardless of the device from which they will be accessing the meeting. While sharing the screen, Zoom makes it possible for you to interact with other participants of the meeting. When sharing e.g. a PowerPoint presentation, you can grant another participant of the video conference control over your computer so that they can work interactively on your document.
In terms of additional functionality, there is the possibility to join not only from devices equipped with Zoom applications, but also through phone dial-in (only in the form of audio conference). In that instance we need to include Polish telephone numbers in the invitation. For most countries these calls are usually free, however, in some cases you have to purchase an additional license to make phone calls. This is not applicable to most countries in the European Union or United States. Additionally, Zoom allows you to conduct webinars. In order to do that you need to purchase an additional license. Depending on the plan, the number of users is limited.
Paweł Deyk:
What if we already have some different solutions for video or audio? Can we somehow integrate them into Zoom?
Przemysław Śleszyński:
Yes, absolutely. Zoom, just like any other application, has been equipped with an integration functionality. For example, we can easily synchronise Exchange with Zoom to use the built-in calendar within the company and send invitations directly from the host account. If you have Cisco and Polycom video conference room solutions, it is possible for you to add these rooms to the Zoom system within your company by purchasing additional licenses. Furthermore, if Zoom cannot synchronize with other systems directly, it still has integration functionality via standard H.323 and SIP protocols. If you have in your company some other systems than Cisco and Polycom, you can purchase the appropriate license and perform the integration with Zoom using standard protocols. Zoom comes with Skype for Business integration as a standard part of every license due to the fact that it has been the standard communicator used in many companies and institutions (including Polish ones) for a very long time.
As far as presentation possibilities are concerned, for example, by sharing a PowerPoint presentation as well as Word or Excel files, we can provide the participants with the possibility of interactive collaboration when working on a given document. If the host decides to use this tool, each participant will have access to a panel (called Annotate) on which they can point to elements, write additional text, draw (using the Draw function). The host is able to put marks when a given point is approved. Moreover, Zoom offers a function that turns your cursor into an arrow that may be used to point out a given element in the presentation. It also features standard editing tools, i.e. format, colour, undo, redo, clear. Another feature is the so-called Whiteboard, which can come in handy during remote classes. Thanks to it, the teacher can conduct lessons just like on a regular school blackboard. Even if the schools do not use it very frequently, I know teachers conducting extracurricular classes using this functionality.
We currently have four types of license plans for the Zoom application: Pro, Business, Education and Enterprise. Depending on the form of license, specific options and costs are associated with it. As far as the first option is concerned, the number of licenses is the minimum number of licenses we need to purchase to use this form of licensing. However, these are not licenses for participants, but for people who will be so-called hosts, meaning users who can set up such meetings. For a Business plan we have to purchase a minimum of 10 licenses and indicate 10 people to whom they will be assigned. A license cannot be associated with a generic e-mail account such as recepcja@urzadmiasta.pl. It is usually expected that these will be named e-mail addresses. The next item is the number of participants and this number can be increased by purchasing the “Large Meetings” add-on which increases the number of attendees to 500, just like in the case of the Enterprise license. Therefore, we do not need to buy an Enterprise license if we have 500 users. It is enough to purchase a Pro license together with the “Large Meetings” add-on. Another option is the personal link, which allows you to change the URL address in the invitation. The link of a standard invitation always starts with zoom.us, whereas in case of customization it may start, for instance, with urzadmiastawarszawa.zoom.us. The next functionality – one that I have already mentioned – is the possibility to record. Here we must consider the cloud recording storage capacity, which can be increased by purchasing additional storage. The basic license increases this storage capacity to 100 GB, but you can also record locally via Zoom app. By default, this option is available to the host of the meeting (they can also enable other participants to record). Another function is the so-called Recording Connector.
Zoom, despite being a typical cloud application, also allows you to install two servers: a media server and a recording server. All audio/video connections are streamed through these servers and a session is recorded. The Zoom cloud contains only information (aka metadata) related to participants, hosts, the host that set up the meeting and information within the recording. We can browse these recordings later from the host level, even if they are recorded on the local server. The next item is the Admin Dashboard, which is not available on the Pro license, but only on the higher ones. The Admin Dashboard allows you to check each user – what system they are using, whether they logged in from a smartphone or a laptop, jitter, latency. Zoom also allows users to create webinars, which are available only in Enterprise license. However, they can be also purchased in other licensing options. The basic webinar license allows you to create a webinar for 100 users, other licenses enable 300 and 500 users. The Zoom app is by default compatible with Skype as it has been (and still is) one of the most widely used video-voice calling apps to date. The length of meetings is usually unlimited (the longest meeting we can set in the system is for 24 hours).
Paweł Deyk:
There are many solutions when it comes to the selection of licenses and optional add-on plans that can be purchased, so we have tried to prepare a short and comprehensible example of how a remote version of the city council meeting could be implemented in your municipalities and offices. Let’s start with the benefits. As far as the functionality of video conferencing with interaction between participants is concerned, it is quite obvious that each participant can speak. There is also an option to vote by roll call, which is certainly very useful at these types of meetings. What is more, you can share a screen to collaborate on a document. There is no need to install apps, you can connect via browser or mobile apps. It is essential that the meetings are protected by passwords, so people who could possibly interfere with the meetings are prevented from connecting without first receiving an invitation. Zoom offers end-to-end encryption, which can be important for call confidentiality. Additionally, in case you also decide to purchase the Basic level support service, we will help you with all the technical and functional issues of this platform. In the Basic level of support, we offer help on weekdays. In order to get these benefits you only need to purchase 5 Pro licenses, which will allow you to host up to five meetings for up to one hundred participants. Of course, more licenses can be purchased. The example provided shows how to comply with the basic requirements. These licences can be shared with sub-units (e.g. schools).
Michał Dębowski:
Hello, my name is Michał Dębowski and I am a Key Account Manager. This part of the presentation is dedicated to secure remote working using Fortinet technology. If we consider the situation on the market, a very large group of people – probably you as well – may have FortiGate devices. Therefore, I have prepared the presentation based on this solution and Fortinet’s capabilities. Many of my clients in times of crisis and remote work encounter problems regarding effective security. They wonder what technologies and mechanisms should be used in order to authenticate the employee and give them a secure access to company resources. I divided my presentation into two parts. The first part of the presentation is devoted to working remotely using Fortinet capabilities. I have considered two scenarios here: basic and advanced. Let me explain exactly what both scenarios are about. The second part of the presentation pertains to two-factor authentication, meaning securing communication of VPN tunnel in the form of two-factor authentication using mechanisms that I will present – FortiToken and FortiAuthenticator.
Let’s discuss the basic scenario of remote working first. I am not sure if you use all FortiGate functions, but it has one very interesting feature called VPN Gateway. The VPN Gateway is free of charge, which is interesting as it does not require any additional licensing fee to create a VPN tunnel. A VPN client agent is also needed to connect this VPN with an employee who will work remotely. We recommend the manufacturer’s dedicated software, i.e. FortiClient VPN; please note that this client is free of charge. To sum up, the basic scenario allows you to create a VPN tunnel between the employee and the company. You can do that completely free of charge using the available mechanisms offered by Fortinet.
Paweł Deyk:
The basic scenario seems very simple and clear. What about the advanced one, is it somehow more complicated?
Michał Dębowski:
I have not referred to any aspect of security and administrator management here. FortiClient VPN is really only aimed at VPN tunnel functionality, there are no additional mechanisms for either security or manageability. It is the advanced scenario that takes care of that. It offers a VPN gateway as FortiGate and a VPN client as FortiClient, but in this case I encourage you to go with the paid version of FortiClient. The difference is that it has a management mechanism between FortiClient and FortiGate, called FortiClient EMS (Enterprise Management Server). What is EMS? It is the FortiClient’s centralised management of multiple endpoints. Before the FortiClient logs into the FortiGate, it reaches EMS. In fact, FortiClient EMS supports a very large network as it can handle up to 100,000 endpoints (which actually happens rarely on the Polish market), integrates with Active Directory, enables the admin to easily create security policies and – what is particularly interesting from the point of view of security – enforces endpoint compliance and monitors the situation on the endpoint. The paid FortiClient, in the form of an advanced scenario, has security and management solutions. As far as security is concerned, the paid version includes protection against threats – we have a classic antivirus software with vaccines and all subscriptions, a classic firewall (we can define application access policies, etc.) and the third element dealing with the protection against threats – a vulnerability scanner. The vulnerability scanner allows us to verify if the given endpoint is secure from our (organization’s) perspective, including if it has up-to-date software, what kind of software is on the endpoint, if it is properly patched, whether the system is up-to-date, if the antivirus has an up-to-date vaccine, or maybe the antivirus is from a different vendor at all. EMS Central Management, which I have already briefly mentioned, is in the centre of the presentation. 
However, I must yet add that the dynamic endpoint grouping is the common ground of a vulnerability scanner and EMS. Dynamic endpoint groups allow us to create quarantine groups restricting endpoints’ access to network resources. That may concern endpoints that do not have up-to-date software or operating system, or have subtle deviations from company standards. For example, if someone uses their own anti-virus software or does not have it installed at all, then you can use FortiClient and run it remotely. In such a case, the administrator can automatically move a given user to the quarantine group via FortiClient EMS and verify whether they can be introduced to the company’s resources and utilize them in a proper, safe way. The other feature, interesting from the EMS perspective, is that you can use a single console to manage all platforms. This means that it is possible to create a VPN tunnel not only on a Windows PC workstation, but also on tablets and smartphones. All platforms are managed from one place. Coming back to the protection against threats, there is standard web filtering, i.e. all content filtering policies from the FortiGate are moved to the FortiClient. This means that a user, who will be working remotely, outside the company or in another country and will be connected via the VPN tunnel will still be protected and filtered as if they were inside the organization. Therefore, there will not be any concerns that such users will access undesirable websites. The Sandbox is the final and additional element in threat protection. Precisely we mean integration with FortiSandbox, which is an additional functionality available in the FortiClient paid client.
The administrator of an organization should focus not only on security and management but also on monitoring endpoints. What would employee security and control be without monitoring? In this case we are dealing with a very important aspect – patching of programs that the employee has on his computer as well as endpoint software inventory. From vulnerability scanner, through dynamic endpoint grouping and to endpoints monitoring – all these elements tie together into one security aspect. We want to control a computer that is outside of the organization and we are not sure if it complies with our security policies.
Paweł Deyk:
The whole environment seems secure. We have the infrastructure and security of the endpoints, the customer’s devices. What can we do in order to prevent unauthorized access to such a secure environment of an unwanted guest who will crack the login and password? We know, after all, that passwords do not grant enough security these days. Are there any additional security features similar to two-factor authentication?
Michał Dębowski:
In the second part of my presentation, I am going to introduce the two-factor authentication feature. I would like to present two products from Fortinet’s portfolio. The first one is FortiAuthenticator. As you can see in the picture, FortiAuthenticator is behind FortiGate, but communicates with it. It is also in front of the Active Directory – the server that enables permission assignment and communicates via this Active Directory with the FortiClient EMS – the FortiClient management center. FortiToken is the only additional thing on the user side to authenticate the person logging in with FortiClient to our internal network. FortiToken offers two versions – mobile and physical. The mobile version, installed on an iOS or Android smartphone, allows you to generate one-time codes to log into your company network. There is also a physical version that generates a code number on a small screen. The physical FortiToken is equipped with a refresh timer so the code is not visible at all times and, as far as security is concerned, an element of confidentiality is maintained. FortiAuthenticator’s management is also a very useful feature, which is related to FortiTokens. For example, you can manage who will have a FortiToken – either as a mobile or physical. A physical FortiToken is an extra piece of equipment that is kept somewhere in our pocket or bag and, as a consequence, may get lost. In such a situation, using Authenticator, you can simply cut it off from authorization to the internal network. Moreover, FortiAuthenticator has a user authentication and authorisation feature. An administrator can authenticate an external user that does not work in the company. This can be done in a detailed manner, taking into account which resources they can access and for how long. The third functionality is the single sign-in feature. 
For example, logging in to a computer with FortiClient and using the FortiToken two-factor authentication solution, you can get permission to access the company resources with this single login. You do not have to log in every time to each application and system in the organization. FortiAuthenticator allows us to log in once to all resources and locations to which administrator granted us permission. The last element, pertaining to the whole functionality of FortiAuthenticator rather than remote working, are guest portals and device deployment. Guest portals are used for authorisation in wireless solutions, whereas device deployment is simply assigning permissions and introducing new products that we are going to deploy in the organisation. FortiAuthenticator allows us to appropriately assign permissions and manage access.
Q&A
Paweł: Is it possible to use text messages (SMS) for two-factor authentication?
Yes. An external SMS gateway and authenticator integration is needed, however we encourage the use of mobile tokens, which are also more convenient for the parties interested.
Michał: Keep in mind that there may be all sorts of mobile malware. ZeuS, for example, was able to steal all of the SMSes and one-time codes associated with them.
Paweł: Is it possible to set a customised background while working from home?
Przemysław: Zoom allows users to set a virtual background, but a lot depends on our computer due to the fact that it is a very processor-intensive process. Each user will have to test it. We can set a customised virtual background, however, depending on the type of computer we have, this functionality may or may not work.
Paweł: In our company we are still testing this solution and we are quite satisfied. We use this during daily conferences and it seems to work very well, which does not change the fact that it needs to be tested for each environment individually.
Paweł: There is increasing media coverage on disruptive intrusion into teleconferences or so-called Zoombombing. How can we protect ourselves from this?
Przemysław: Usually such situations are a result of either pranking someone or sending the invitation to an inappropriate person. In order to protect against such situations, the host who creates a videoconference can establish that the joining user is automatically connected without video and audio. Every user who wants to turn on the webcam will be able to do so, but if a user connects, turns on the webcam and displays inappropriate content, the host may remove that user from the meeting. Even though the user will have an invitation, they will not be able to join the meeting again from a given computer. There is also a Lock Meeting feature but it only makes it possible to control the number of users and allows only invited participants. Zoombombing comes from the fact that users who have an invitation either pass it on to other people or display inappropriate content on their own device by accident (or on purpose). Additionally, the host can block all users from sharing and then only the person who creates such a meeting has the ability to display, for example, their desktop.
Paweł: Is there training available for employees?
Yes. We can arrange and conduct training on both Zoom and Fortinet solutions.