
Implementation Plan

Phase 1: Azure VM + NetBird Management Server (Week 1)

  1. Deploy Azure B2s VM (2 vCPU, 4 GB RAM, Ubuntu 24.04 LTS, West US 2)
  2. Configure NSG: TCP 80/443 + UDP 3478 inbound (if the stack's coturn container is what relays for peers that cannot connect directly, its UDP relay range 49152-65535 must be opened too; confirm this before field/cellular workers are onboarded)
  3. Point netbird.gsisg.com DNS A record to VM public IP
  4. Install Docker + docker-compose, deploy NetBird stack
  5. Create local break-glass admin accounts
  6. Configure Entra ID as external OIDC provider (App Registration with User.Read.All and Group.Read.All application permissions, admin-consented)
  7. Enable JWT group sync in NetBird settings (first confirm the App Registration's token configuration emits a groups claim; without it the sync has nothing to read)
  8. Test admin login via both local and Entra ID SSO

Phase 2: Routing Peers (Week 1-2)

Boulder — Netgate 6100 pfSense+ (Intel Atom C3558, AMD64):

  1. SSH into pfSense, download the x86_64 NetBird packages (v0.66.4) from GitHub releases and verify them against the release's published checksums before installing
  2. Install: pkg add -f netbird-*.pkg && pkg add -f pfSense-pkg-NetBird-*.pkg
  3. Configure via Web UI (VPN > NetBird): setup key + management URL
  4. Assign wt0 interface, add firewall rules, configure outbound NAT with static port
  5. Configure as routing peer for 10.15.0.0/24 with masquerading enabled

Honolulu — Linux VM on Hyper-V (DATA003 or DATA004):

  1. Create Ubuntu 24.04 VM (1 vCPU, 1 GB RAM, 20 GB disk) on 10.100.7.0/24
  2. Install NetBird agent: curl -fsSL https://pkgs.netbird.io/install.sh | sudo bash (or fetch the script first and review it before running it as root)
  3. Connect with setup key, enable IP forwarding (persist net.ipv4.ip_forward=1 via sysctl so it survives reboots), enable systemd service
  4. Configure as routing peer for 10.100.7.0/24 with masquerading enabled

Access Control Policies:

  Policy                  Source Group        Destination         Protocols / ports
  All Staff - DC Access   All Users           DCs at both sites   TCP/UDP 53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269
  Hawaii Engineers        Hawaii-Engineers    Honolulu network    All
  Boulder Engineers       Boulder-Engineers   Boulder network     All
  IT Full Access          IT-Admins           All networks        All

Note: TCP 135 is only the RPC endpoint mapper. The RPC services behind it (Group Policy processing, SAM-R, DRS replication) answer on a dynamic port that Windows assigns from 49152-65535 by default, and the DC Access policy does not allow that range. Confirm GPO processing from a NetBird-connected laptop during the pilot, or add the range to the policy. NetBird drops any flow no policy matches, so this table is the complete allow list.
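The table above can be sanity-checked offline before it is typed into the dashboard. The following is an added example, not part of the original plan and not NetBird's own code: it transcribes the four policies as data and answers "which policy permits this flow?" for a peer in a given set of groups, then checks a domain-joined laptop's required DC flows against the DC Access policy. Group and destination names are the table's; the sample flows and the assumption that a site-network policy does not implicitly cover that site's DC are constructed for the example.

```python
"""Offline evaluator for the NetBird access-control policies in the table above.

Added example: not part of the original plan and not NetBird's own code.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Policy:
    name: str
    source: str                        # NetBird group the peer must belong to
    destination: str                   # destination label exactly as in the table
    ports: Optional[FrozenSet[int]]    # None means "All" (any protocol, any port)


# The table, transcribed. Every peer is also a member of "All Users".
DC_PORTS = frozenset({53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269})
POLICIES = [
    Policy("All Staff - DC Access", "All Users", "DCs at both sites", DC_PORTS),
    Policy("Hawaii Engineers", "Hawaii-Engineers", "Honolulu network", None),
    Policy("Boulder Engineers", "Boulder-Engineers", "Boulder network", None),
    Policy("IT Full Access", "IT-Admins", "All networks", None),
]

# Which table destinations each policy destination covers. "All networks" is
# a superset; a site-network policy reaches that site's DC only if the DC is
# placed in the site's destination group, which this example does not assume.
DEST_COVERS = {
    "All networks": {"Honolulu network", "Boulder network", "DCs at both sites"},
    "Honolulu network": {"Honolulu network"},
    "Boulder network": {"Boulder network"},
    "DCs at both sites": {"DCs at both sites"},
}


def allowed(groups: Set[str], dest: str, port: int) -> List[str]:
    """Names of the policies that permit this flow; an empty list means denied.

    NetBird is default-deny, so a flow no policy matches is dropped."""
    member_of = set(groups) | {"All Users"}
    hits = []
    for p in POLICIES:
        if p.source not in member_of or dest not in DEST_COVERS[p.destination]:
            continue
        if p.ports is not None and port not in p.ports:
            continue
        hits.append(p.name)
    return hits


# Flows a domain-joined laptop needs on a DC. TCP 135 is only the endpoint
# mapper; the RPC service behind it (Group Policy, SAM-R, DRS) answers on a
# dynamic port Windows assigns from 49152-65535 by default. 49152 stands in
# for that range here (constructed sample flows).
REQUIRED_DC_FLOWS = {
    "dns": 53,
    "kerberos": 88,
    "ldap": 389,
    "smb/sysvol": 445,
    "rpc endpoint mapper": 135,
    "rpc dynamic port (GPO processing)": 49152,
}


def dc_gaps(groups: Set[str]) -> List[str]:
    """Required DC flows that no policy permits for a peer in these groups."""
    return [name for name, port in REQUIRED_DC_FLOWS.items()
            if not allowed(groups, "DCs at both sites", port)]


if __name__ == "__main__":
    print("office worker, missing DC flows:", dc_gaps(set()))
    print("IT admin, missing DC flows:    ", dc_gaps({"IT-Admins"}))
    print("Hawaii engineer -> Boulder LAN RDP:",
          allowed({"Hawaii-Engineers"}, "Boulder network", 3389) or "denied")
```

Run as-is, the office-worker check reports the dynamic RPC port as the one required DC flow the table does not permit, while an IT-Admins member passes through "IT Full Access"; a Hawaii engineer reaching into the Boulder LAN is denied because no policy matches. Extending REQUIRED_DC_FLOWS with the other services the rollout depends on (SSPR writeback path, file shares) turns this into a pre-pilot checklist.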

Phase 3: Enable Microsoft SSPR (Week 2-3, parallel)

  1. Enable SSPR in Entra ID portal (Authentication methods > Password reset)
  2. Enable password writeback in Entra Connect configuration
  3. Configure MFA methods (Authenticator app, phone)
  4. Test end-to-end: reset password off-network with NetBird connected, verify cached credentials update

Phase 4: TRMM Deployment Script + IT Testing (Week 3)

  1. Create setup key for “Company Laptops” group in NetBird dashboard
  2. Add TRMM deployment script (see TacticalRMM Deployment Script)
  3. Critical: Include the --network-monitor=false flag during parallel operation with GlobalProtect (the network monitor restarts the NetBird engine on interface and route changes, and GP's tunnel coming up and down triggers exactly that)
  4. Add AV/EDR exclusion for C:\Program Files\NetBird\ via TRMM before deployment
  5. Deploy to 3-5 IT machines, verify DC access, SSPR, SMB shares, RDP
  6. Add GPO firewall rules for NetBird wt0 interface (prevents GPO from overriding NetBird’s auto-created rules)
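The coexistence rule in the steps above (flag on while GlobalProtect is present, dropped once it is gone) is easy to get wrong when the same script is reused across phases. The following is an added example, not the TacticalRMM deployment script the plan links to and not NetBird's code; TacticalRMM can run Python on Windows agents, so it is written as such. It builds the `netbird up` command with NetBird's real --setup-key, --management-url and --network-monitor flags and appends --network-monitor=false only when GlobalProtect is detected, so one script is correct both during parallel operation and after GP removal. Assumptions: the setup key arrives in a NETBIRD_SETUP_KEY environment variable, GlobalProtect is detected by its agent service name PanGPS, and the New-NetFirewallRule call is a local stand-in for the GPO rule on pilot machines; the netbird.exe path and the wt0 interface name are the plan's.

```python
"""Enrolment helper for Windows laptops during the GlobalProtect coexistence phase.

Added example (not the TacticalRMM deployment script the plan links to, not
NetBird's code). NETBIRD_SETUP_KEY, the PanGPS detection signal and the local
firewall rule are assumptions for this example.
"""
from __future__ import annotations

import os
import subprocess
from typing import Iterable, List

NETBIRD_EXE = r"C:\Program Files\NetBird\netbird.exe"   # install path from the plan
MANAGEMENT_URL = "https://netbird.gsisg.com"
GP_SERVICE = "PanGPS"   # GlobalProtect agent service (assumed detection signal)


def globalprotect_present(service_names: Iterable[str]) -> bool:
    """True if the GlobalProtect agent service is among the installed services."""
    return GP_SERVICE.lower() in {s.lower() for s in service_names}


def build_up_command(setup_key: str, gp_installed: bool,
                     exe: str = NETBIRD_EXE, url: str = MANAGEMENT_URL) -> List[str]:
    """argv for `netbird up`; the coexistence flag is added only while GP is present."""
    if not setup_key.strip():
        raise ValueError("NETBIRD_SETUP_KEY is empty; refusing to enrol")
    argv = [exe, "up", "--setup-key", setup_key.strip(), "--management-url", url]
    if gp_installed:
        # GP's tunnel coming up and down is a network change; with the monitor
        # enabled NetBird would restart its engine each time it happens.
        argv.append("--network-monitor=false")
    return argv


def firewall_rule_command(interface: str = "wt0") -> List[str]:
    """PowerShell New-NetFirewallRule allowing inbound traffic only on the NetBird
    interface (local stand-in for the GPO rule, for pilot machines)."""
    ps = (f"New-NetFirewallRule -DisplayName 'NetBird {interface} inbound' "
          f"-Direction Inbound -Action Allow -InterfaceAlias '{interface}' -Profile Any")
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", ps]


def installed_services() -> List[str]:
    """Service names from `sc query` (Windows); empty list where sc is absent."""
    try:
        proc = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                              capture_output=True, text=True, check=False)
    except OSError:
        return []
    return [line.split(":", 1)[1].strip()
            for line in proc.stdout.splitlines()
            if line.strip().upper().startswith("SERVICE_NAME")]


def main(dry_run: bool = True) -> int:
    """Print (and, unless dry_run, execute) the enrolment and firewall commands."""
    key = os.environ.get("NETBIRD_SETUP_KEY", "")
    gp = globalprotect_present(installed_services())
    for argv in (build_up_command(key, gp), firewall_rule_command()):
        print(subprocess.list2cmdline(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return 0


if __name__ == "__main__":
    # Dry run by default; set NETBIRD_APPLY=1 in the TRMM script environment to execute.
    raise SystemExit(main(dry_run=os.environ.get("NETBIRD_APPLY") != "1"))
```

Because the flag decision is derived from the endpoint's state rather than hard-coded, re-running the same script after GlobalProtect is uninstalled in Phase 6 enrols the machine without --network-monitor=false, which is the state the decommission steps call for.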

Phase 5: Rollout Waves (Week 3-8)

  Wave     Week   Target                      Count   Notes
  Pilot    3-4    IT team                     5-10    Full validation of all use cases
  Wave 1   4-5    Office workers (Honolulu)   30-40   Primary site first
  Wave 2   5-6    Office workers (Boulder)    20-30   Secondary site
  Wave 3   6-7    Remote/home workers         20-30
  Wave 4   7-8    Field/cellular workers      5-10    Monitor relay usage

During this phase:

  • GlobalProtect remains installed and functional — users can fall back if needed
  • All clients run with --network-monitor=false (GP coexistence workaround)
  • Monitor NetBird dashboard for connectivity issues
  • Communicate SSPR instructions to all users
  • Helpdesk team briefed with troubleshooting guide

Phase 6: Decommission GlobalProtect (Week 8-10+)

Once all users have been on NetBird for 2+ weeks of stable operation:

  1. Disable GP auto-connect on endpoints (do NOT uninstall yet)
  2. Remove the --network-monitor=false flag (with GP no longer connecting, the interface changes the workaround guarded against stop occurring)
  3. Continue monitoring for 30 days of sole NetBird operation
  4. Uninstall GlobalProtect client from all endpoints via TacticalRMM
  5. Back up PA-2020 configuration, power down (retain 90 days before disposal)
  6. Remove vpn.gsisg.com DNS record
  7. Notify cyber insurance broker of migration to ZTNA
  8. Document final architecture
  Week   Phase          Milestone
  1      Phase 1        Azure VM + NetBird Management Server
  1-2    Phase 2        Routing Peers (Hawaii VM + Boulder pfSense)
  2-3    Phase 3        SSPR + Entra Connect (parallel)
  3      Phase 4        TRMM Deployment Script + IT Testing
  3-4    Phase 5a       Pilot (IT team, 5-10 machines)
  4-5    Phase 5b       Office workers Honolulu (30-40)
  5-6    Phase 5c       Office workers Boulder (20-30)
  6-7    Phase 5d       Remote workers (20-30)
  7-8    Phase 5e       Field workers (5-10)
  8-10   Phase 6        GP deactivation + 30-day parallel
  10+    Decommission   Decommission GlobalProtect

Total implementation time: ~10 weeks (conservative, with 30-day parallel operation)