Skip to content
GSISG VPN Modernization

Implementation Plan

Key Enabler: Zero-Risk Deployment

Section titled “Key Enabler: Zero-Risk Deployment”

GlobalProtect stays installed and running on all endpoints throughout the entire migration. NetBird is purely additive. If NetBird fails for any user, they continue using GlobalProtect exactly as they do today. There is no scenario where a NetBird deployment causes a user outage.

Critical Flag: --network-monitor=false

Section titled “Critical Flag: --network-monitor=false”

All NetBird clients must be deployed with the --network-monitor=false flag during parallel operation with GlobalProtect. This prevents a known coexistence conflict (GitHub issue #5077) where GlobalProtect’s network changes trigger WireGuard tunnel restarts, dropping TCP sessions. The flag is already included in the TRMM deployment script. Remove it only after GlobalProtect is fully decommissioned.

Phase 1: Pre-Work (Monday — Thursday)

Section titled “Phase 1: Pre-Work (Monday — Thursday)”

All prerequisites are staged before the migration weekend. Nothing user-facing changes during this phase.

Monday

Section titled “Monday”
#TaskDetails
1Verify Entra ID license tierP1 minimum required for SSPR with password writeback (included in M365 Business Premium or E3)
2Enable SSPR + password writebackEntra admin center > Protection > Password reset. Enable for All or targeted group. Open Entra Connect wizard > Optional features > check “Password writeback.”
3Test SSPR with one IT accountReset password at aka.ms/sspr, verify writeback to on-prem AD
4Provision Azure B2s VMUbuntu 24.04 LTS, West US 3 (Phoenix), 2 vCPU, 4 GB RAM
5Configure NSG rulesInbound: TCP 80, 443 + UDP 3478
6Assign static public IPRequired for DNS stability
7Install Docker + docker-composeOn the Azure VM
8Create DNS A recordnetbird.gsisg.com pointing to VM public IP

Tuesday

Section titled “Tuesday”
#TaskDetails
1Create Entra ID App RegistrationName: “NetBird”, Single tenant, Redirect URIs (SPA): https://netbird.gsisg.com/auth and https://netbird.gsisg.com/silent-auth, Mobile/desktop redirect: http://localhost:53000
2Configure App Registration detailsCreate application scope “api”, grant User.Read.All permission (admin consent), set accessTokenAcceptedVersion = 2, generate client secret
3Record credentialsApplication (client) ID, Directory (tenant) ID, Object ID, Client Secret
4Pre-build Honolulu routing peer VMUbuntu 24.04, 1 vCPU, 1 GB RAM on Hyper-V (DATA003 or DATA004). Do NOT connect to NetBird yet.
5Pre-build Boulder routing peer VMUbuntu 24.04, 1 vCPU, 1 GB RAM on Hyper-V (DATA001 or DATA007). Do NOT connect to NetBird yet.

Wednesday

Section titled “Wednesday”
#TaskDetails
1Finalize TRMM deployment scriptExisting: trmm-deploy-netbird.ps1. Verify --network-monitor=false flag is present.
2Test MSI install on 1 IT machineVia TRMM. Will fail to connect (management server not yet up) — verify MSI install + service creation only.
3Push AV/EDR exclusionsC:\Program Files\NetBird\ excluded on ALL endpoints via TRMM
4Push GPO firewall rulesAllow NetBird wt0 interface in Windows Firewall (prevents GPO from overriding NetBird’s auto-created rules)
5Prepare communicationsPilot user briefing (email/Slack). All-staff Monday email with SSPR instructions (aka.ms/sspr).
6Confirm DNS propagationVerify netbird.gsisg.com resolves to the Azure VM public IP

Thursday

Section titled “Thursday”
#TaskDetails
1Final pre-flight checkVM accessible via SSH, Docker running, DNS resolved, Entra app registration complete
2Brief helpdesk teamWhat NetBird is, what to tell users, escalation path
3Confirm pilot usersAvailable Saturday for testing (8-10 users across 5 scenarios)
4Prepare network route configsPrint/document subnets (10.15.0.0/24, 10.100.7.0/24), groups, ACL policies

Phase 2: Friday Evening (4 hours: 6 PM — 10 PM)

Section titled “Phase 2: Friday Evening (4 hours: 6 PM — 10 PM)”

Infrastructure deployment. No users are affected.

TimeTaskDuration
6:00 PMDeploy NetBird management serverdocker-compose up -d on Azure VM. Verify dashboard loads at https://netbird.gsisg.com.15 min
6:15 PMConfigure Entra OIDC integration — Populate setup.env with Entra variables (client ID, tenant ID, secret, OIDC endpoint). Run configure script, restart containers. Test SSO login.30 min
6:45 PMCreate break-glass local admin account5 min
6:50 PMCreate setup keys + groups — “Routing-Peers” (no expiration), “Company-Laptops” (with expiration), “IT-Admins”, “Hawaii-Engineers”, “Boulder-Engineers”15 min
7:05 PMDeploy routing peers (PARALLEL):45 min
Honolulu — SSH to pre-built VM, install NetBird, connect with routing peer setup key, enable IP forwarding (sysctl -w net.ipv4.ip_forward=1), enable systemd service
Boulder — Install NetBird on Hyper-V VM (gsi-nb-bld-01), connect with routing peer setup key, verify peer in dashboard
7:50 PMConfigure network routes — Honolulu: 10.100.7.0/24 via Honolulu peer (masquerade ON). Boulder: 10.15.0.0/24 via Boulder peer (masquerade ON). Distribution group: “Company-Laptops”.20 min
8:10 PMConfigure access control policies (see ACL table below)15 min
8:25 PMIT team self-test — Install NetBird on 2-3 IT laptops. Test: ping DCs at both sites, SMB share access, RDP to a test VM, netbird status, SSPR password reset + cached credential update.90 min
9:55 PMGo/No-Go decision for Saturday pilot — All routes working? OIDC login working? SMB/RDP verified? If No: debug or postpone to next weekend. Zero user impact.5 min

Access Control Policies

Section titled “Access Control Policies”
PolicySource GroupDestinationProtocols
All Staff — DC AccessAll UsersDCs at both sitesTCP/UDP 53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269
Hawaii EngineersHawaii-EngineersHonolulu networkAll
Boulder EngineersBoulder-EngineersBoulder networkAll
IT Full AccessIT-AdminsAll networksAll

Phase 3: Saturday Pilot (8 hours: 9 AM — 5 PM)

Section titled “Phase 3: Saturday Pilot (8 hours: 9 AM — 5 PM)”

Deploy to the pilot group (8-10 users) via TRMM. Validate all 5 scenarios.

TimeTaskDuration
9:00 AMDeploy to pilot group via TRMM — push script to pilot users’ machines, monitor for successful installs30 min
9:30 AMContact pilot users — brief each on what to test, provide direct Slack/Teams/phone support30 min
10:00 AMScenario 1: Hawaii remote to Boulder SMB — map drive to \\10.15.0.x\share, copy 100 MB file, compare performance to GlobalProtect60 min
11:00 AMScenario 2: Maryland to Boulder RDP — RDP session, assess input lag, run CAD/GIS/SAGE applications60 min
12:00 PMLunch break60 min
1:00 PMScenario 3: Honolulu field to local Sage on cellular — access Sage at 10.100.7.40 from cellular, walk between locations to test handoff60 min
2:00 PMScenario 4: Boulder office to Honolulu files — access \\10.100.7.15\share via routing peers60 min
3:00 PMScenario 5: Password reset (SSPR) — navigate to aka.ms/sspr, reset password, Win+L, unlock with new password, verify cached credentials updated through NetBird tunnel60 min
4:00 PMCollect pilot feedback — connection failures? DNS issues? Performance problems?30 min
4:30 PMGo/No-Go decision for Sunday full deployment — if all 5 scenarios pass: proceed. If issues found: fix and re-test, or postpone. Postponing has ZERO user impact (GP still works).30 min

Pilot Group Design

Section titled “Pilot Group Design”

Recommended size: 8-10 users — large enough to cover all 5 scenarios with redundancy, small enough to provide hands-on support.

ScenarioUser ProfileSelection CriteriaCount
1. Hawaii remote to Boulder SMBHawaii-based worker who regularly accesses Boulder file sharesTech-comfortable, good at reporting issues, tests hairpin elimination1-2
2. Maryland to Boulder RDPEast Coast worker who RDPs to Boulder VMs for CAD/GIS/SAGETests maximum latency improvement, likely to notice and report performance difference1-2
3. Honolulu field to local SageField worker on cellular accessing Sage (10.100.7.40)Tests cellular handoff, WireGuard roaming, relay performance1-2
4. Boulder office to Honolulu filesBoulder office worker accessing FILES server (10.100.7.15) or GIS dataTests site-to-site via routing peers1-2
5. Password resetAny general staff user (the 90% group)Tests the primary use case for the majority of users; needs only SSPR + tunnel to DC2-3

Selection criteria for all pilot users:

  • Tech-savvy enough to report issues clearly (able to describe what happened vs. what they expected)
  • Good communicators — willing to provide feedback, respond to Slack/Teams messages
  • Variety of OS versions — include at least one Windows 10 and one Windows 11 machine
  • Variety of hardware ages — include at least one older machine to catch edge cases
  • At least 1-2 IT staff members for deep troubleshooting
  • Voluntary participation — interested and engaged, not coerced

Phase 4: Sunday Full Deployment (4 hours: 10 AM — 2 PM)

Section titled “Phase 4: Sunday Full Deployment (4 hours: 10 AM — 2 PM)”
TimeTaskDuration
10:00 AMUpdate TRMM script with any changes from pilot feedback — adjust setup key, management URL, flags if needed15 min
10:15 AMFull deployment via TRMM — bulk execution to all remaining ~90 agents. Monitor for install success/failure. Expect ~90% success on first push.30-60 min
11:15 AMTroubleshoot failures — re-run script on failed endpoints. Check for AV blocking, network issues, disk space.60 min
12:15 PMVerify dashboard — peer count matches expected, routing peers healthy, spot-check netbird status on endpoints via TRMM30 min
12:45 PMSend Monday communication — “A new always-on network service (NetBird) has been deployed to all company laptops. No action needed. For password resets, use aka.ms/sspr. Contact helpdesk if you experience any connectivity issues.”15 min
1:00 PMConfigure monitoring — Zabbix alerts for Azure VM, Docker restart policies (unless-stopped), login expiration policy (24h recommended)30 min
1:30 PMFinal status check — document issues encountered and resolutions, update helpdesk troubleshooting guide30 min

Phase 5: Monday — Monitor and Support

Section titled “Phase 5: Monday — Monitor and Support”
  • Monitor NetBird dashboard throughout the day — watch for disconnected peers
  • Check TRMM for any endpoints that failed to install
  • Be available on Slack/Teams for user questions
  • Track helpdesk tickets related to NetBird (expect very few since it is a silent install)
  • Verify field workers on cellular have connectivity
  • Run netbird status spot checks via TRMM on random endpoints
  • Address stragglers (machines that were off during Sunday deployment)
  • Schedule follow-up TRMM task to catch machines that were offline

Phase 6: Decommission GlobalProtect

Section titled “Phase 6: Decommission GlobalProtect”

Begin after 2+ weeks of stable operation with all users on NetBird.

StepTaskNotes
1Disable GP auto-connect on endpointsDo NOT uninstall yet
2Remove --network-monitor=false flagGP removal eliminates the coexistence trigger
3Monitor for 30 days of sole NetBird operationConfirm stability without GP fallback
4Uninstall GlobalProtect client from all endpoints via TRMMBulk execution
5Back up PA-2020 configurationPower down, retain 90 days before disposal
6Remove vpn.gsisg.com DNS record
7Notify cyber insurance brokerMigration to ZTNA architecture
8Document final architecture

Rollback Plan

Section titled “Rollback Plan”

The fundamental safety net: NetBird is additive. GlobalProtect stays installed, configured, and running on all endpoints throughout the migration and beyond. There is no scenario where a NetBird failure causes a user outage.

Level 1: User Self-Remediation (0 minutes)

Section titled “Level 1: User Self-Remediation (0 minutes)”

User simply uses GlobalProtect as before. No action needed — GP is still installed and running.

Level 2: Individual Endpoint Removal via TRMM (5 minutes)

Section titled “Level 2: Individual Endpoint Removal via TRMM (5 minutes)”

Run as Administrator via TRMM on a single machine:

Terminal window
Stop-Service "NetBird" -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
& "C:\Program Files\NetBird\netbird_uninstall.exe" /S
Start-Sleep -Seconds 5
Remove-Item -Path "C:\ProgramData\Netbird" -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "NetBird removed. GlobalProtect remains active."

Level 3: Mass Uninstall via TRMM (15-30 minutes)

Section titled “Level 3: Mass Uninstall via TRMM (15-30 minutes)”
  1. Create the uninstall script above in TRMM
  2. Create an Automation Policy targeting all clients/sites
  3. Run as “Fire and Forget” on all agents
  4. Verify removal via TRMM script that checks for the NetBird service
  5. GlobalProtect continues to function — users experience zero disruption

Level 4: Infrastructure Teardown

Section titled “Level 4: Infrastructure Teardown”
  1. Stop NetBird containers on Azure VM: docker compose down
  2. Remove Honolulu routing peer: sudo netbird down && sudo apt remove netbird
  3. Remove Boulder routing peer: sudo apt remove netbird on the Hyper-V VM
  4. Delete Azure VM to stop billing (optional)
  5. Remove netbird.gsisg.com DNS record

Timeline Summary

Section titled “Timeline Summary”
DayPhaseHoursMilestone
Mon-ThuPhase 1: Pre-Work~8 hrs totalAzure VM, DNS, Docker, Entra App Registration, SSPR, TRMM script, AV exclusions, GPO rules, communications
FridayPhase 2: Infrastructure4 hrs (6-10 PM)Management server, OIDC, routing peers, routes, ACLs, IT self-test, Go/No-Go
SaturdayPhase 3: Pilot8 hrs (9 AM-5 PM)8-10 pilot users, 5 scenarios validated, Go/No-Go
SundayPhase 4: Full Deploy4 hrs (10 AM-2 PM)TRMM bulk deployment to ~90 remaining endpoints, monitoring configured
MondayPhase 5: SupportFull dayMonitor dashboard, catch stragglers, support users
Week 3+Phase 6: Decommission30+ daysDisable GP, remove --network-monitor=false, uninstall GP, decommission PA-2020

Total active deployment time: ~24 hours across one week (pre-work + weekend). The compressed timeline is possible because NetBird deployment is silent, additive, and GlobalProtect provides a complete fallback for every failure scenario.