STYLIGHT grew a lot – 200% in terms of employees in the last year. A lot of contracts got signed, new shops got acquired and a few more countries can enjoy the plattform. We employ people from over a dozen different countries speaking more than ten different languages, men and women and a broad age range from 18 to 41.
Those numbers are impressive on their own, but they become even more stunning if you take the circumstances into account. Our colleagues origin from five continents, some are separated from their hometowns by over 10.000 km. This intense combination and the wide variety of cultural backgrounds, interests and special needs make user management a special tasks on the daily schedule.
This fragmentation obviously can create serious confusions and cause severe troubles both for new employees as for Human Ressources, Accounting, Controlling and Legal. Let me now shed some light on two of our small gimmicks the Infrastructure-Department provides- Both are not a big deal to set up in the first place but ease some of the hassle and pain our international employees struggle with.
1. Localization
English is naturally the language of choice in the office, including Software and Computers throughout the entire company. Usually all employees are fairly quick in adapting to these new and sometimes unused conditions. Typing and a non-native keyboard, however, proves to be very difficult and time-consuming to get used to (e.g. switching from QWERTZ/QWERTY to AZERTY or vice versa).
We tackle this by categorizing users into groups representing their nationality to provide a convenient localization. To achieve so we apply keyboard layouts via GPOs based on those groups both during login and in the OS itself to play nicely along our roaming profiles. Additionally, all Microsoft Office Installations include spell check for a vast variety of languages. On the hardware-side we stock on a big range of physical keyboards to match the OS settings.
These GPOs apply a set of registry inserts on a user configuration level. All are structured in the same way. A key update is executed for every keyboard layout to be updated. This is not necessarily the most performant way but ensures a consistent layout across the whole domain since Windows 7 can reset the language settings on reboots in some cases.
For a french employee the first key to be placed looks like this:
Hive: HKEY_CURRENT_USER
Key path: Keyboard LayoutPreload
Value name: 1
Value type: REG_SZ
Value data: 0000040c
Furthermore english and german layouts are placed to help admins during onsite support. You simply increment the value name and setting the value according to the language. These codes can be found in this key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlKeyboard LayoutDosKeybCodes
2. Keep in touch
The first weeks in a new job are always the toughest. This rule of thumb even more applies if you are on the other side of the globe living on a student’s budget without broadband internet at your new flat and with little to no social connections yet.
As a caring sysadmin you can easily established a couple of measures both you and your users can benefit from. The solutions should be easy to use, even for technically less experienced users, without compromising network security for the business. After evaluating a couple of options we settled for a separate WIFI designed for BYOD – after all, skyping home from your iPad is as convenient as it can get.
A little background on our setting: we already operate a SSO-WIFI accessible to domain users exclusively by authenticating them via RADIUS during login. Aerohive offers excellent hardware for this case – controllerless cloud managed Access Points. The APs are furthermore capable of running multiple SSIDs simultaneously without performance degradation.
For the BYOD-WIFI we then leveraged these capabilities. Base is a broadcasted SSID secured by grouped WPA2-PSKs (a nifty feature Aerohive offers). And here the first issue arises: Both networks need to be completely separated from each other to ensure the AAA protocol. Obvious choice is VLANing. Business traffic flows unflagged, everything else if flagged. The Guest-VLAN terminates at the firewall where a correlating ruleset enforces further traffic separating until it reaches the gateway. In the same step a couple of rules are applied to the guest wifi to prevent abuse (copyright infringements, porn and the like). As an additional layer of security Client separation is enforced by the Access Points. Finally, IP addresses are managed by a separate DHCP issuing Class C addresses (opposed to the class b subnet we use on the business network).
But why did I choose to flag only the guest traffic? Well, first there flexibility. If there ever should arise a need to further increase granularity of our VLANs this is the route to take. Introducing further VLANs later on is easier than adjusting existing logics.
Second it eases introducing a (not yet implemented) QoS ruleset to ensure performance.
Third manageability. Both on our switches and the firewalls its just more comprehensive and therefore more failureproof.
To end this – two reports regarding WIFI utilization by time and by SSID. The graphics nicely show traffic on the guest WIFI (monaco-guest) picking up during lunch and after work.
