Employees no longer work only at the office — they work from home, on a business trip, or from another city. The question is how to connect them to company systems so work continues without leaving the door open to everyone. Too often the answer is painfully simple: hand the employee a server address and a password, and call it done. That isn't remote work — it's an open door. ONYX builds remote access as a layered approach: VPN, multi-factor authentication, endpoint protection and least-privilege access. This post explains the difference and the correct setup, concretely.
Two different VPNs: are you connecting offices or people?
The word "VPN" covers two completely different jobs, and confusing them leads to mistakes in both security and budget.
Site-to-site VPN — connects offices
A site-to-site (S2S) VPN links two fixed locations, say a head office and a branch, with a permanent, encrypted channel. Here it is not a person that connects, but entire networks. ONYX built exactly this for MobilGroup: 120 users across 5 branches connected to each other over site-to-site VPN, with domain, mail and server infrastructure delivered as well. The branches are physically separate, yet they work as one network.
Remote-access VPN — connects one person
A remote-access VPN is different: it connects a single user's laptop or phone to the corporate network. The employee is at home, in a cafe, or in another country — and their device reaches company systems through an encrypted tunnel as if they were in the office. This is what people actually mean when they talk about remote work. ONYX builds it at the firewall level — with its own product Onyx Firewall and with Fortinet FortiGate. For a non-bank credit organization in Baku, ONYX set up exactly this remote-access VPN on FortiGate firewalls.
Why "just give them the password" is dangerous
The most common mistake is to hand an employee a direct address and a password and consider the job finished. In practice this opens several serious gaps.
- Passwords get stolen. Phishing, reused passwords, or a leaked database — a single password is enough for an outsider to walk in as the employee.
- The device is uncontrolled. If the employee's personal laptop is infected, the infection comes straight onto your network with it.
- Everyone sees everything. If one user can reach all systems, a single stolen account opens the whole company.
Proper remote access is not one password — it is several independent layers, so that if one breaks, the others still hold.
ONYX's layered approach
Secure remote work isn't a single product — it's four complementary layers working together.
Encrypted VPN tunnel
All traffic between the employee's device and the company passes through an encrypted tunnel on the firewall. Onyx Firewall or Fortinet FortiGate controls both the entry point and the rules of that tunnel, so the traffic inside it cannot be read on the open internet.
Multi-factor authentication (MFA)
A second confirmation is added on top of the password — a code on the phone or in an app. ONYX builds this on Microsoft 365 and Active Directory identity, so even a stolen password gets nowhere without the second factor.
Endpoint protection
The device connecting to the network must itself be clean. Antivirus, updates and baseline policies are enforced so an infected laptop doesn't carry a threat into the network through the tunnel.
Least-privilege access
Each employee reaches only the systems they need for their job, not everything. Even if one account is stolen, the damage is limited to that account's access.
Identity sits at the center of everything
In remote work, "who is logging in" matters more than "where from." ONYX builds user identity on Microsoft 365 and Active Directory, work it also carried out in the MobilGroup and Aselsan projects. Centrally managed identity means that when an employee leaves, all their access is revoked in one move, MFA is applied to every user, and who can reach what stays under control. The VPN opens the path; identity confirms who is standing at the other end of the tunnel.
Who should set this up
When remote access is built wrong, the problem isn't visible right away — it stays silent until an incident happens. ONYX builds the firewall, VPN, identity and device policies as one whole, with ongoing support. For concrete options, explore Onyx Firewall, our full services and ready-made business solutions.
Let's connect your employees securely
If your team works from home or on the road, remote access should be built in layers, not with a password. Contact ONYX — we'll review your current setup and propose the right VPN, MFA and identity plan.