Just moved a FileMaker solution inhouse and it works SO great and fast, but when we VPN it's SUPER slow even with a T1. We're looking at upgrading our Firewall in case that's the problem, but I'm wondering if people have had good experiences using VPNs with FileMaker.
I see some threads here which talk about having bad experiences, are all experiences with VPNs and FileMaker bad? Do we have to refactor our code to compensate? 98% of our use cases are inhouse, so this might just be a "deal with it" situation.
Working from home for different customers / projects has me using VPNs for several years. Depending on the tasks setups change but what I like best is logging into a computer on the remote site and executing FM there.
There are no drawbacks and work is done almost like being on-site.
For usage for more than one user I could think of different approaches like setting up a terminal server:
- MS has it in its portfolio
- Citrix is quite common
- I have heard of Parallels also selling one for macOS but have yet to see one in the wild
All these solutions are based on the principle of not using the FM TCP connection on port 5003 via Firewall - Internet - Firewall setup - they come with additional costs, especially for terminal services and you will need approval and support from IT - but it's worth the effort.
Using the local FM Client to connect to and work on the remote server is OK for data entry jobs, lookups and stuff that does not put too much stress on network traffic.
All the same the architecture of your solution should make transfer light in the sense of avoiding heavy layout rendering and instead using vector graphics, avoid unstored calculation fields and circumvent loading bigger data sets etc. - but it can be done.
2 cents from Holger
Ok that's kinda what I figured. I'm using a Remote Desktop and it's a minor pain, but not horrible. Things like screen resolution and easy copy-paste, importing and downloading files, there's some lag when selecting things and so it's hard to change the size of an enclosing part, but overall it's "ok". Not as good as connecting directly. I don't think the staff at this client's location is savvy enough for a bunch of virtual machines though.
They're spending $10k on a new firewall and I figured if someone here said "oh it works great, I use the ABC firewall with the XYZ VPN with almost no lag" it might be worth picking a firewall brand based on that.
FM is very chatty and can be very slow over VPN.
Refactoring can improve performance to some degree but does not resolve the problem of FM constantly sending internal messages back and forth. Scrolling through lists shows that the same unchanged data is reloaded again and again. I haven’t found a solution how to overcome this limitation.
Throwing more bandwidth at it may help to a certain degree.
You may consider adding a separate UI file for users accessing the file via VPN. It could be a slimmed down version of the internal version that is designed for speed.
We kicked around a slimmed down version but I think at this point we're going to go with a DMZ so we don't need a VPN. The cost to make a slimmed down version (both development and ongoing maintenance) as well as the cost of staff time working with a slimmed down version makes a DMZ a more cost-effective solution.
That makes sense.
The separate UI is a great option when the external users will only have a few actions to perform.
If you are on the path of separation model with the UI in different files you might even consider distributing the application file to the user's remote computer to reduce the impact of loading graphic et al... but I haven't tried it yet, just a thought.
We use a SonicWall 4700 appliance for VPN. This is a pretty heavy duty device that can handle 10GB network connections. We previously had the FM databases directly accessible. Adding the VPN/Firewall appliance doesn’t seem to add much overhead. I didn’t measure the effects, just my perception. Having said this, we do have most users using RemoteApp to access the dB’s. RemoteApp is from Microsoft and runs on top of Remote Desktop services. So, very similar to Citrix, etc.
There is clunkiness to using RmtApp/Citrix/RDP as you point out. This trade off works for us though given the security of the VPN/Firewall.
Depends on how much traffic/network speed.
We are currently working as much as possible 'remote'. Scripting, layout-work, is quite good and safe via VPN. Changes on the structure.. I prefer a local machine using TeamViewer/AnyDesk - or Citrix/VMware Horizon, etc.
Curious, if the VPN works well why bother with Remote Desktop?
That's really promising that your Firewall doesn't choke it. I created a script to benchmark it and loading half a dozen screens took 11 seconds when hosted remotely at Amazon Web Services. Once we moved the client in-house on a Mac Studio that went down to around 5 seconds... but remotely through the VPN it was taking over 250 seconds. Things like scripting didn't have the same lag, but testing my scripts literally was taking me 25 times as long once we put in the VPN.
I'm using a Remote Desktop now, and it's clunky but viable, but we have other users who are not very tech savvy and they tried the VPN and gave up.
I'm feeling some confidence that the new firewall (I don't have the quote for it yet) will maybe give us the same experience? That would be awesome if so.
It’s about latency as much as or more than bandwidth.
What is the ping time through the VPN?
Also, consider using PSoS for scripts where the results can be asynchronous.
Yeah I run scripts on servers when I can, but the speed is unusable. I'll wait for the new Firewall and if it's getting close to usable might look at tweaking the ping time.
The VPN was mandated for security. All systems - FileMaker and otherwise - are behind it. The dB was slow to use prior to the vpn and as I mentioned, it felt like there was a bit of slowdown when it was added. Therefore, the RemoteApp/RDP setup was added. The RemoteApp server is in the same rack as the FM server, so it is pretty speedy. I forgot to mention that our solution is hosted by a smaller company data center in New York. Our users are spread out across the U.S.
Just to add what I have seen "in the wild" in a small sketch.
With bigger customers I have a No.2 setup with a MacMini in their DMZ to work on test - and prod - systems.
From my point of view the lower part of the picture shows no-go-setups.
Thanks for this.
Forgive my naivety but what's the difference between 1 and 2? I had understood a "Terminal Server" being some sort of remote desktop situation, which feels the same to me as a "client" in DMZ, except more expandable.
Remote desktops add a lot of training and support overhead, and my client's not open to that. They want users to connect using a client on their machine directly from home, the same way they do in house, but it's unusable. A page that loads in 1-2 seconds locally takes 50 seconds to load through VPN, and if they have to go to 20 screens they just give up.
Right now they're just staying in the building later, but people are "unhappy" with that and want to get home.
Also, if I'm understanding this correctly you're saying you'd never use a hosted solution (which I think is basically 7) under any circumstance, and I'm just trying to wrap my head around the cost-benefit of that.
I understand that the VPN adds a layer of security and not having one increases risk, which needs to be qualified in dollars and cents, but with data that's not highly sensitive, the only real risk to that is downtime, right? And so trading hundreds of hours of cumulative staff time over the course of a year to limit (but not remove) risk of some sort of hack or loss of data, just feels like a bad ROI.
This particular client DOES have sensitive data, but not in FileMaker and that IS behind their firewall. The FileMaker database is an operations database with little or no risk to the organization if it was somehow hacked and leaked. Up until this summer we hosted remotely and everything worked fine, but by moving it inhouse they saw speeds double when onsite. It was already pretty snappy but if 30 staff members save 2 seconds 50 times a day that's like 18 hours of cumulative savings over the course of a month.
So the model we're looking at is: Remote client => Firewall without VPN => FileMaker Server on separate IP from internal network. Are you saying that's something you wouldn't ever consider?
@JasonMark here are some more ideas you should test before making decisions:
- Try accessing the database through VPN and without VPN ("direct"). If the speed is dramatically different, you know VPN is to blame.
- Try accessing the database remotely using WebDirect. The way WebDirect works, it renders most of the pages on the server, and then sends them to the client. By comparison, FileMaker Pro sends most of the data to the client, where it's rendered.
- Try some simple tests: Ping your FileMaker server machine with, and without VPN.
- You mentioned having a "T1" - this is probably a DS1 which may be as slow as 1.5 MBit/s. That's not fast, it's super duper slow (many people have fiber Gigabit connections, which are 1000 MBit/s or faster).
It sounds like you are not the "networking person" for the organization - can you loop them in and get some advice?
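
An added example, not part of any post in this thread: a small Python script for the with-VPN / without-VPN test suggested above, timing TCP handshakes to the FileMaker port (5003, as named earlier in the thread) and modelling how per-request round trips add up for a chatty client. The workload of 2000 round trips and 2 MB, and the 0.5 ms and 60 ms round-trip times, are constructed for illustration; the 1.5 Mbit/s figure is the T1 speed quoted above.

```python
import socket
import statistics
import time

FM_PORT = 5003  # FileMaker client/server TCP port named in the thread


def tcp_connect_rtt_ms(host, port=FM_PORT, samples=5, timeout=3.0):
    """Median time in ms to complete a TCP handshake with host:port.

    A handshake costs about one network round trip, so running this once on
    the VPN and once off it shows what the tunnel adds to every exchange.
    """
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        with socket.create_connection((host, port), timeout=timeout):
            pass
        timings.append((time.perf_counter() - start) * 1000.0)
    return statistics.median(timings)


def estimate_load_seconds(round_trips, rtt_ms, payload_bytes, link_bits_per_s):
    """Model: each request waits one round trip, then the payload crosses the link."""
    latency_s = round_trips * rtt_ms / 1000.0
    transfer_s = payload_bytes * 8 / link_bits_per_s
    return latency_s + transfer_s


def compare_paths(round_trips, payload_bytes, paths):
    """Return {label: estimated seconds} for (label, rtt_ms, link_bits_per_s) tuples."""
    return {label: estimate_load_seconds(round_trips, rtt, payload_bytes, bps)
            for label, rtt, bps in paths}


# Constructed workload and path figures for illustration, not measurements.
SAMPLE_PATHS = [
    ("LAN, 0.5 ms, 1 Gbit/s", 0.5, 1_000_000_000),
    ("VPN, 60 ms, 1.5 Mbit/s", 60.0, 1_500_000),
    ("VPN, 60 ms, 100 Mbit/s", 60.0, 100_000_000),
]

if __name__ == "__main__":
    for label, secs in compare_paths(2000, 2_000_000, SAMPLE_PATHS).items():
        print(f"{label:26s} {secs:8.1f} s")
    # To measure a real path, call tcp_connect_rtt_ms("<your-server>") on and off the VPN.
```

With these constructed figures, raising the link from 1.5 to 100 Mbit/s removes about ten seconds of transfer time, while the 120 seconds spent waiting on round trips stay the same.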