Help me optimize Internet on Satellite in remote locations

pushpull

Difficult to find the most appropriate subforum here since my question is a mix of hardware, software & Internet connectivity/networking. Feel free to move to more appropriate forum if needed.

General
I work for a humanitarian organization/NGO with locations in 37 countries worldwide. A lot of these countries are countries with ongoing conflicts or post-war countries with little or no infrastructure. So our only option for connectivity is Internet through satellite, which is expensive. Insanely expensive (roughly $1000 USD per Mbit). Being an NGO, it's difficult to justify spending a lot of money on bandwidth so we can have 50 employees sharing 1% of the bandwidth an average family in the western world has. Due to lack of dedicated IT staff on each location and lack of electricity 24/7 in several locations there is no local server setup (computers run in a workgroup).

Areas to optimize
After having visited a few locations and run network statistics over a few days I see 3 areas of improvement:

1) Windows updates
Since there is no server infrastructure/Windows Server Update Services, each client is grabbing updates directly from Microsoft, which generates a lot of traffic. Most clients are on Windows 7 but we are planning an upgrade to Windows 10.
2) QoS
There's the issue of non-work-traffic jamming up the line.
3) Caching
With very little bandwidth, all traffic we can avoid pushing through the satellite will be beneficial.

Possible solutions
This is basically what I'm hoping for input on. There are solutions like Riverbed boxes but they cost $6000 or so in hardware and another $5000 in licenses. This is gonna be too much on all our satellite locations. Plus I'm pretty certain we should be able to get the same functionality cheaper and simpler, possibly by rigging something ourselves. Ideally the solution we pick should cover all 3 above in the same box, should require as little maintenance as possible (since there is no local IT staff) and should require little investment (since we are an NGO).

QoS is functionality most cheap routers come with, so this part is probably easiest to solve. A lot of proxies come with caching functionality (with varying degrees of how "smart" the caching is), so this part is probably also something we should be able to sort out. On Windows updates, ideally I would have a fairly simple box that I could set clients to download from. I know Windows 10 has the "update over LAN" feature where clients can share Windows updates and I'm not sure if this is something we can benefit from. I don't have in-depth knowledge on this but the first thing that strikes me is this scenario: Say 50 people arrive at work at the same time and an update has been launched at nighttime. Initially no client on the LAN will have the update and all of them will start downloading it, right?

Anyway all input on best way to reach our goal is much appreciated.
In advance, thank you.
 
I would force all the traffic through a proxy server. This will reduce your bandwidth to a small extent because of caching of common data. Unfortunately most things are now HTTPS, so the caching does not work as well as it used to. It is fairly easy to block web sites that are not business related. There are free lists of sites and categories. Not as good as commercial ones, but these subscriptions get costly... have to pay the poor guys who find all those porn sites :).

I am not sure anyone has a complete list of the Microsoft servers. I have tried to block them but it constantly changes. Even if I block huge blocks of Microsoft-controlled IPs it still finds others.

Now if you were to ensure all your machines only run on wireless you can use an option in Windows 10 to mark the connection as metered. Your situation is exactly what I have seen people ask Microsoft. I am using an Ethernet connection to my router on a satellite which is metered. Why can't I set my connection to metered? Basically they said buy commercial licenses if you want that feature... basically, too bad, we don't care.

There used to be some registry hacks to prevent it but they "fixed" those with the Anniversary Update. Not sure; you would think that if people have the skills to hack the registry they also have the skills to know which updates they really need.

The LAN stuff does not appear to work very well; not sure why, maybe the machines all need to be on at the same time. Mine each seem to pull data from Microsoft.

... an added thought. We force all our traffic from remote offices to the central Internet connection. This is MPLS, but you could build VPN tunnels to a central location, maybe a hosted server. You could then buy and maintain only 1 firewall/server, whatever. The remote devices would be simple routers with a VPN configuration forcing all traffic to the central VPN server.
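Both the question (measuring where the satellite bytes go: Windows updates, non-work traffic, cacheable content) and the reply (a caching proxy helps, but HTTPS tunnels cannot be cached) come down to the same measurement. The script below is an added example written for this thread, not code posted by either participant. It assumes a Squid-style native access.log (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type); the log lines and the Windows Update hostname list are constructed for the example, since the real Microsoft update hostnames change, as the reply notes. It splits bytes into what actually crossed the satellite link versus what the cache served locally, per category and per client, which is the evidence you need before deciding how much a caching box or a QoS policy would buy you.

```python
"""Summarize a Squid-style access.log by satellite bytes vs. cache-served bytes.

Added example for the thread above; not the proxy's own tooling.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout (one request per line):
# time elapsed client code/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/\S+\s+\S+$"
)

# Hostname suffixes treated as Windows Update traffic (constructed list for the
# example; maintain it yourself, the real set of update hosts changes over time).
UPDATE_HOST_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")

# Constructed sample log: one update fetched once and then served twice from
# cache, one HTTPS tunnel (not cacheable), a PDF fetched then cached, and a 404.
SAMPLE_LOG = """\
1382900000.100   250 10.0.0.11 TCP_MISS/200 1532000 GET http://download.windowsupdate.com/d/kb123.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1382900001.200    12 10.0.0.12 TCP_HIT/200 1532000 GET http://download.windowsupdate.com/d/kb123.cab - HIER_NONE/- application/octet-stream
1382900002.300    10 10.0.0.13 TCP_HIT/200 1532000 GET http://download.windowsupdate.com/d/kb123.cab - HIER_NONE/- application/octet-stream
1382900003.400  9000 10.0.0.14 TCP_TUNNEL/200 845000 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.20 -
1382900004.500   300 10.0.0.15 TCP_MISS/200 48000 GET http://www.example.org/report.pdf - HIER_DIRECT/203.0.113.30 application/pdf
1382900005.600     8 10.0.0.16 TCP_MEM_HIT/200 48000 GET http://www.example.org/report.pdf - HIER_NONE/- application/pdf
1382900006.700   150 10.0.0.17 TCP_MISS/404 512 GET http://www.example.org/missing - HIER_DIRECT/203.0.113.30 text/html
"""


def host_of(method, url):
    """Extract the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def categorize(method, host):
    """Bucket a request: HTTPS tunnel (uncacheable), Windows Update, or other."""
    if method == "CONNECT":
        return "https-tunnel"
    if any(host == s or host.endswith("." + s) for s in UPDATE_HOST_SUFFIXES):
        return "windows-update"
    return "other"


def summarize(log_text):
    """Return satellite-link bytes vs. cache-served bytes, per category and client."""
    link = defaultdict(int)    # bytes that actually crossed the satellite
    saved = defaultdict(int)   # bytes the proxy served from its cache
    per_client = defaultdict(int)
    parsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or foreign-format lines
        parsed += 1
        size = int(m["bytes"])
        cat = categorize(m["method"], host_of(m["method"], m["url"]))
        if "HIT" in m["code"]:          # TCP_HIT, TCP_MEM_HIT, ... served locally
            saved[cat] += size
        else:                           # MISS, TUNNEL, ... went over the link
            link[cat] += size
            per_client[m["client"]] += size
    total_link, total_saved = sum(link.values()), sum(saved.values())
    denom = total_link + total_saved
    return {
        "lines": parsed,
        "link_bytes": total_link,
        "saved_bytes": total_saved,
        "byte_hit_ratio": (total_saved / denom) if denom else 0.0,
        "by_category": {c: {"link_bytes": link[c], "saved_bytes": saved[c]}
                        for c in set(link) | set(saved)},
        "top_clients": sorted(per_client.items(), key=lambda kv: kv[1], reverse=True)[:3],
    }


def report(log_text):
    """Human-readable summary of summarize(), one line per figure."""
    s = summarize(log_text)
    lines = [f"parsed {s['lines']} requests",
             f"satellite bytes: {s['link_bytes']}  cache-served bytes: {s['saved_bytes']}"
             f"  byte hit ratio: {s['byte_hit_ratio']:.1%}"]
    for cat, v in sorted(s["by_category"].items()):
        lines.append(f"  {cat:15s} link={v['link_bytes']:>9}  saved={v['saved_bytes']:>9}")
    for client, b in s["top_clients"]:
        lines.append(f"  top client {client}: {b} satellite bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real access.log (`summarize(open("access.log").read())`) over a few days and the numbers answer the questions in the thread directly: the windows-update bucket shows how much an update cache would save, the https-tunnel bucket is the traffic no cache can touch and only QoS or blocking can tame, and top_clients shows whether a handful of machines dominate the link.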