Aerohive Branch on Demand – Bring Your Own Office

Bring Your Own Device (BYOD) is enabling people to provide their own equipment for work.  But what happens when people aren’t just satisfied bringing their own Macbook to the party?  What happens if they want to bring their office to your office as well?  With the large surge in teleworkers and contractors being brought on inside companies and their ability to do the majority of their jobs without having to step foot into the corporate office, the need to provide connectivity and security for a home workspace is now becoming paramount if the Bring Your Own Office (BYOO) movement is going to take off.

The current solutions to this problem either involve using some off-the-shelf consumer product to address the issue or buying an enterprise grade solution to implement.  Both have their strengths and weaknesses.  Consumer-grade devices are dirt cheap and get the job done.  However, there is very little in the way of scalability and configuration management.  Unless your remote worker is good at configuring Linksys or D-Link, you could be in for a fight.  Also, consumer grade equipment doesn’t have the service and support necessary to run an enterprise on a regular basis.  On the flip side, enterprise equipment does have a great degree of manageability and support to provide robust service for your teleworkers.  Provided, that is, you are willing to invest the large amount of money that it takes to get it setup.  In fact, the investment is usually so high that reclaiming the equipment is top priority in the event that the teleworker leaves the company or completes the contract.  How then do we as network rock stars balance our need for cheap remote connectivity with our desire to have manageability and security?

Enter Aerohive.  I saw Aerohive at Wireless Field Day back in March of this year and was pretty impressed by their HiveManager product that they use to provide configuration and management for their controller-less access points.  They’ve also given me a briefing about the 4.0 release of their HiveOS firmware.  They were kind enough to give me a sneak peak at their Branch on Demand product that was announced November 15th.

Aerohive Branch on Demand utilizes Aerohive’s experience with creating cloud based management for devices and couples it with a new branch router device that can provide simple connectivity for your branch/remote offices or teleworkers.  All of the provisioning for these devices is done in HiveManager, so the only instructions your remote workers need is “plug the yellow cable into the yellow slot and plug the other end into the Internet”.  I think even my mom could do that.  Afterwards, the router checks in with HiveManager and pulls down the configuration so your teleworker can connect back to the home office.  Your user connects via SSL IPSec VPN to allow any device to access corporate resources, whether it be a desktop, laptop, tablet, or smartphone (EDIT – Stephen Phillip was kind enough to notice that I mixed up SSL and IPSec in my notes on this.  The BR series use IPSec to connect back to the central site due to the increased performance for special traffic like voice).   The same polices that you have in place in your corporate office are extended to the remote worker as well.  You can either choose to tunnel all traffic back to the home office to be scanner and permitted, or you can split tunnel the traffic so that non-corporate packets exit locally.  There is a bit of apprehension on the part of most network rock stars for a setup like this, as splitting the traffic does introduce the capability for nasty things to infect the remote machine and then be introduced back into the corporate network.  Aerohive thought of this too and uses a cloud proxy to redirect the split tunneled traffic to a filtering service such as Websense or Barracuda to ensure that all those packets are “cloud washed” before they are permitted back into the network.  That alleviates the stress of not knowing where your branch users are going as well as preventing large amounts of traffic from being needlessly tunneled back to the corporate sites just to go out to the Internet.

All of these features come with HiveOS 5.0, which means that current users of the AP 330 and AP 350 gain the ability for those devices to function as routers.  You can even connect a 3G/4G USB modem to the USB port on the device and turn it into a backup interface for connectivity in the event the primary WAN link goes down for some reason.  At launch, the branch routers will support a small list of USB modems such as the AT&T Shockwave or Momentum, but as the software matures and drivers become available a wider variety of these devices will be supported.  This would be a great idea for those that live in areas where solid Internet connectivity isn’t always a given or for a user that spends a lot of time on the road and needs corporate VPN capabilities where they aren’t always available, such as in the middle of an oilfield or a parking lot.  No need to setup a cumbersome VPN client or worry about usernames and passwords and tokens.  Just give them an Aerohive branch router and let them go.

There are two models of branch routers available.  The BR100 is a 10/100 5-port device that includes a 2.4GHz 802.11n radio and a USB port for 3G/4G backhaul.  It retails for $99, or if you’d like to use the Network-as-a-Service subscription, you can get the device for the same $99 price point, only it includes software updates as well as tech refreshes for two years, so when a new update to the BR100 comes out, you’ll get that device for nothing.  There is also a BR200 that will have 5 GigE ports and dual 2.4/5GHz 3×3:3 802.11n radios as well as two PoE ports and crypto acceleration.  The BR200 will be out sometime next year.

Tom’s Take

I think Aerohive has finally found a good use case for the cloud.  Having your hardware managed by a cloud-based application means that you can always find it no matter where it might be.  If you are already an Aerohive customer that finds yourself in need of a branch router solution, this is a no-brainer.  The same management platform now allows you to control your access points as well as your branch users.  The ability to push the same policies from desktop to Destin, FL is very powerful and cuts down on a lot of stress.  If you aren’t a current Aerohive customer but know that you are going to need to add some teleworking capacity in the future, you can’t go wrong looking at this solution.  For $99 a device (and $999 for the VPN termination software) the solution is very inexpensive and gives you a lot of flexibility to build out instead of needing to worry about scaling straight up.  After all, letting your users bring their own office should cost you yours.

If you’d like to learn more about Aerohive’s new solutions, head over to  There’s also a nice short introduction to the product over at the Packet Pushers site.


Aerohive provided me with an advanced briefing on the Branch on Demand product for the purposes of preparing this blog post.  The did not ask for nor were they promised any consideration in the creation of this article.  Any and all opinions expresses within are mine and mine alone.

5 thoughts on “Aerohive Branch on Demand – Bring Your Own Office

  1. Pingback: Wireless Field Day 1: The Links

  2. Excellent writeup,Tom!

    This definitely seems to bridge the gap between Aerohive’s architecture and what was possible using the Cisco/Aruba controller based architecture. The cool thing with using Aerohive’s HiveManager as the configuration point is that the end devices don’t have to be pre-provisioned or configured at the user’s site with the IP/hostname of the corporate controller to connect to … it just connects to the HiveManager…one more optimization than previous solutions.

    My question, then, is how does the corporation control/configure how this SSLVPN traffic comes into the corporate network? If the old way was to point the OfficeExtend/RAPs to a DMZ controller, what corporate device do these branch office APs tunnel back to? They grabbed configurations from the hosted Hive Manager, do they SSLVPN tunnel the user’s corp traffic through the Hive Manager to get to corporate as well, or the config that’s pushed down pointed them to a VPN anchor of some sort at the corporate network?

    For price-sensitive SMBs, it sounds like a total Branch-in-a-box solution could be a cheap way to network sites.

  3. Pingback: Aerohive – Wireless Field Day 2 | The Networking Nerd

  4. Pingback: Aerohive Is Switching Things Up | The Networking Nerd

  5. Pingback: Wireless Field Day 1: The Links - Tech Field Day

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s