End User Computing Nerd vs the Great Firewall of China
Background
My wife and I decided to travel to Beijing over the Christmas and New Year's holiday because I wanted to deepen my connection with my spouse's family and experience their culture firsthand. Having only met them in the U.S. and virtually through video calls, I felt it was important to spend meaningful time together in their country and city. Beyond that, I was eager to embrace a holiday season unlike any I had known, celebrating Western festivities amid Beijing's wintry charm and looking forward to the unique customs of the Lunar New Year just around the corner. The trip offered the perfect balance: reuniting with the people who had welcomed me into their family and immersing myself in a vibrant cultural setting that I had long been curious to explore.
While visiting, I didn't want to completely disconnect from the outside world and wanted to stay in touch with the West's news and entertainment. Having heard how restrictive and locked down the internet was in China, and being the end-user computing tech nerd that I am, I was curious to see how much connectivity was possible as well as what I could do to circumvent it. My goal was to give myself access while also keeping my devices and data as secure as I could.
For those who are not familiar, the restrictive internet in China is colloquially called the Great Firewall of China. It is an extensive system of government-imposed controls designed to regulate and monitor internet activity within the country. Through a mix of technologies such as IP blocking, keyword filtering and deep packet inspection, China restricts access to a wide range of foreign websites, social media platforms and news sources. More than merely a technical framework, the Great Firewall also includes legal mandates and industry regulations that compel internet service providers and online platforms to comply with government guidelines, fundamentally shaping the online experience for anyone within China's borders.
Smartphone
First, let's start with cellular phones. The smartphone I use is enrolled in Workspace One, our company's Unified Endpoint Management (UEM) platform of choice, locked down by corporate policy, with access restricted by an 8-digit PIN. The phone has an international roaming plan, and access to my corporate apps is secured with Okta and Beyond Identity. I further secured the phone by installing Omnissa's Mobile Threat Defense (MTD) to protect it from threats such as malware, network-based attacks and risky applications, because you never know.
What I quickly learned was that when using a phone with a non-Chinese SIM card and relying on international roaming for cellular data, my internet traffic was routed through my home carrier's network. I confirmed this by testing the same access with a Chinese SIM card that we installed in my wife's phone. This meant my data bypassed the filtering applied within China, allowing access to my Western apps and services, while my wife's phone was much more restricted. This was especially handy for navigation apps like Google Maps, translation apps like Google Translate, checking in on the home cameras, etc. I don't speak or read Chinese, so the navigation and translation apps were the most useful. By contrast, when I connected to local Wi-Fi in China, either at my in-laws' or at the local Starbucks, all traffic was subject to Chinese internet regulations, and most of my Western apps, sites and services were blocked or restricted. I say most because my corporate applications, whether managed by Workspace One and using an SSL certificate (Boxer, Workspace One Web and Workspace One Content) or Microsoft applications like Teams and Outlook, worked fine. This was either because they had an SSL VPN back to the West or because Microsoft has an agreement to operate in China.
On Wi-Fi, the phone's internet access was completely locked down and I was unable to reach anything not approved in China. This was quite a hassle, as my smartphone runs Android, and so much on that operating system relies on Google applications like Gmail. For those who are not aware, Google does not do business in China. Because cellular made the world my oyster, I didn't spend a lot of time trying to circumvent the Great Firewall over the Wi-Fi connection.
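The useful thing to know on any new network is not just that "Western sites are blocked" but which hosts fail and at which layer, because that tells you whether a given workaround (a different resolver, a tunnel, a browser-level proxy) can help at all. Below is an added example, not code from the original post or from any of the products mentioned in it, of a small probe you run once on each network (for instance roaming cellular via a hotspot and local Wi-Fi) and then diff. The hostnames in `HOSTS` and the `probe_host`, `verdict` and `diff_networks` names are my own; which hosts are actually filtered on a given network is something you measure, not assume.

```python
# Added example, not code from the original post. Records, per host, whether
# DNS resolves, whether TCP connect to 443 succeeds and whether a TLS
# handshake (with SNI) completes, then diffs verdicts between two networks.
import socket
import ssl
from dataclasses import dataclass

# Illustrative probe targets; substitute the services you actually care about.
HOSTS = ["maps.google.com", "www.cnn.com", "outlook.office.com"]


@dataclass
class Probe:
    host: str
    resolved: bool = False   # DNS returned at least one address
    tcp: bool = False        # TCP connection to port 443 succeeded
    tls: bool = False        # TLS handshake completed and cert matched host
    detail: str = ""         # error text from the stage that failed


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """Probe one host, reporting each stage separately. Filtering can happen
    at any of them: a name that will not resolve (or resolves to a bogus
    address), a connect that hangs or is reset, or a handshake that is cut
    once the SNI is seen. A successful TLS handshake is the stage that counts,
    because certificate validation ties the answer back to the real host."""
    p = Probe(host)
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        p.resolved = True
    except socket.gaierror as e:
        p.detail = f"dns: {e}"
        return p
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        p.detail = f"tcp: {e}"
        return p
    p.tcp = True
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.getpeercert()
            p.tls = True
    except (ssl.SSLError, OSError) as e:
        p.detail = f"tls: {e}"
    finally:
        sock.close()
    return p


def verdict(p: Probe) -> str:
    """Collapse a probe into one label naming the first layer that failed."""
    if p.tls:
        return "reachable"
    if not p.resolved:
        return "blocked:dns"
    if not p.tcp:
        return "blocked:tcp"
    return "blocked:tls"


def diff_networks(baseline: list, candidate: list) -> dict:
    """Return {host: (baseline_verdict, candidate_verdict)} for every host
    whose verdict changed, e.g. reachable on roaming but not on local Wi-Fi."""
    a = {p.host: verdict(p) for p in baseline}
    b = {p.host: verdict(p) for p in candidate}
    return {h: (a[h], b[h]) for h in a if h in b and a[h] != b[h]}


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or HOSTS:
        p = probe_host(h)
        print(f"{h:30} {verdict(p):14} {p.detail}")
```

Run it once on each network, keep the `Probe` results, and feed the two lists to `diff_networks`; hosts that come back `blocked:dns` point at resolver interference, `blocked:tcp` at address or port blocking, and `blocked:tls` at the inspection of the handshake itself, which is the case a browser-level anonymizer or a desktop tunnel has to survive.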
Laptop
To prepare for the trip, the first thing I did was take a new laptop I had procured and enroll it in Workspace One. Using machine profiles and compliance policies, I encrypted the drive with BitLocker, patched it with the latest Microsoft updates, installed an Endpoint Detection and Response (EDR) solution (CrowdStrike), configured the firewall and installed the software I would need to be productive. With a laptop, I wouldn't have the luxury of connecting to the internet via cellular unless I used my phone as a hotspot, which would have cost a fortune, so I needed a better plan.
VPN
The first thing I tried was a personal VPN. Frankly, this failed miserably. I tried three different commercially available VPNs that I had preinstalled before leaving for China to test and all failed.
ExpressVPN was advertised (per a Google search) as the best solution for getting around the Great Firewall, but that was not the case. I tried every setting they recommended and even chatted with tech support. They candidly said it was a known issue and recommended I attempt the connection again at a later time. Prior to leaving for China, I had the most hope for this VPN because it supports multiple VPN protocols, some of them IPsec-based, as well as its proprietary Lightway protocol and OpenVPN.
NordVPN was another well-advertised solution in the West that did not work. In their defense, they and my Google research did not state that they would work, so this is not a knock on them by any means.
HMA is a VPN I used while in Singapore several years back, so I thought, why not give it a go. Unfortunately, it had the same success rate as the other two, which is to say, none.
While I didn't try a corporate VPN, the failure of these commercial VPNs leaves me with little confidence that they would work either.
VDI
Having failed with the VPN option, I turned to the tried-and-true solution of VDI. In the end, for anything work-related, I relied on this, as I wanted to keep data at rest on the laptop to a minimum. For this I used Omnissa's Horizon suite. Frankly, it worked great. In fact, I was surprised at how well it worked, considering that I was in a private home on local Wi-Fi with over 380 ms of latency (at one point I observed it as high as 498 ms!) to the virtual desktop located in Saint Louis, MO.
I was able to access everything I needed workwise with great performance and even watched some tech-related YouTube videos. While the videos did not stream perfectly, with some chop at times, the experience was more than acceptable with only minor glitches. While in full-screen mode, I couldn't really tell I was on a virtual desktop. In short, I came away very impressed with Omnissa's Blast protocol.
In my capacity at WWT, I often consult with large corporations with overseas developers and staff in countries like China, India and the Philippines, to name a few, that need access to information in the continental U.S. It was comforting to see first-hand that my consulting them on the value of VDI was proven out via one of the most challenging circumstances.
Enterprise browser
The next solution I tried was an enterprise browser. Prior to leaving for the trip, I installed the Island browser onto my PC and guess what, Island enterprise browser for the win! I had only recently become aware of Island and as of the writing of this blog, I am still building out this solution in our ATC demo center, but I am now super jazzed to finalize this. The Island browser has a feature called the Island Anonymizer. This feature allowed me to bypass the Great Firewall and access all the websites I needed, like Google Maps, CNN, Washington Post, etc.
For those unaware, the Island Anonymizer feature in the Island Enterprise Browser obscures the user's digital footprint so that external parties cannot collect identifying information. It masks details such as the client's IP address and session details, so browsing behavior stays private from monitoring tools and malicious actors. Because it is integrated with the browser's policy enforcement engine, administrators get fine-grained control over which details are shared or withheld during a session, which helps with regulatory compliance and with protecting proprietary information.
While the Island Anonymizer does offer a privacy and anonymity layer, it isn't a traditional VPN. Instead of creating an encrypted tunnel that reroutes all of the machine's network traffic through a VPN server, it masks or obfuscates specific identifiers, such as the IP address or browser fingerprint, within the Island browser session only. It provides targeted anonymity and data minimization through the browser's own policy and enforcement mechanisms rather than operating as a standalone network-layer VPN. The practical consequence is that only traffic from inside the Island browser benefits; every other application on the laptop still sees whatever the local network allows, so don't expect it to unblock a mail client or a desktop app the way a working VPN would.
I've read that some personal browsers like Tor, Brave and Opera have features similar to the Island Anonymizer. While I didn't test them all, I did have the Opera browser installed on my PC and could not get it to work in a way that would give me access to the websites that had been blocked on Wi-Fi. That being said, I didn't spend too much time tinkering with this as I had a vacation to enjoy, so your mileage may vary with one of these browsers and you will either have to wait for my next trip or do your own testing to find out the results.
Location mattered
Another thing I noticed while in China was that location mattered. In my in-laws' home and at hotels in Xi'an and Hebei, the Great Firewall was a fearsome creature that was hard to get around. However, the night before we left, at a hotel at Beijing airport, the Great Firewall was apparently off and the normal Western internet just worked. My guess is that this hotel was treated as an exception rather than the rule.
Summary
So what did I learn from this trip technically? The Great Firewall is well designed, and the technical expertise behind its blocking is sound, but where there is a will there is a way, and a nerd will always find a way around security. Personal VPNs are useless for bypassing the Great Firewall. For general web searches and browsing, the Island browser worked fantastically as long as I used the Anonymizer, and for work-related tasks, VDI is king.
In conclusion, could the average person get around the Great Firewall? It would be tough and frustrating for them. Could an EUC nerd? Yep, and he or she would take great pride in saying they did it.