Sr. Network Engineer

RESPONSIBILITIES

TECHNICAL LEADERSHIP & ESCALATION:

• ​Serve as the primary escalation point for complex network incidents, outages, and performance issues owing problems through to resolution with clear communication to stakeholders                                           

• ​Provide expert guidance to internal engineers, MSP resources, and NOC personnel on architecture, troubleshooting methodology, and root cause analysis

• ​Lead post-incident reviews, drive root cause identification, and implement lasting remediations to prevent recurrence

• ​Evaluate complex vendor and MSP escalations; make technical decisions on design, tooling, and resolution approach

​ 

​NETWORK ARCHITECTURE & DESIGN:

• ​Work with the Director of Network & Infrastructure to architect scalable, resilient, and secure network solutions across LAN, WAN, wireless, cloud, and building infrastructure

• ​Lead the design and evolution of network segmentation strategy including zero-trust principles, VRF separation, and secure OT/IT boundary enforcement

• ​Develop and maintain network infrastructure standards, reference architectures, and design patterns for consistent deployment across properties

• ​Evaluate emerging technologies and contribute to the long-term infrastructure roadmap, particularly around Palo Alto / Panorama, Aruba, and cloud connectivity platforms

​ 

​NETWORK ENGINEERING & OPERATIONS:

• ​Design, deploy, and manage enterprise network infrastructure across BMS, IoT, Wi-Fi, PropTech, AV, security systems, corporate offices, and the Observatory

• ​Administer Palo Alto NGFWs via Panorama — policy management, threat prevention, VPN, NAT, and security profile lifecycle management

• ​Manage and optimize Aruba switching and wireless infrastructure including configuration, upgrades, RF planning, and troubleshooting via Aruba Central

• ​Own BGP, OSPF, VLANs, VPN, QoS, and DNS configurations across multi-site environments

• ​Manage WAN and ISP connectivity including failover design and carrier-level troubleshooting

• ​Support IoT and PropTech deployments in a secure manner with a focus on building systems, access control, and sustainability technology

​ 

​SECURITY & COMPLIANCE:

• ​Lead network security posture improvements including firewall policy lifecycle, ACL governance, and vulnerability remediation

• ​Administer Zscaler ZIA and ZPA — URL filtering, SSL inspection, cloud firewall rules, and app connector management

• ​Manage Proofpoint email security platform including anti-spam, anti-phishing, encryption, and threat response policies

• ​Administer BitSight to track, triage, and coordinate remediation of external security posture findings

• ​Maintain PCI-DSS and SOX compliance through adherence to and enforcement of network policies and procedures

• ​Collaborate with the MSSP on security monitoring, threat analysis, and incident response 

• ​Ensure timely application of patches, hotfixes, and firmware upgrades across all network equipment

​ 

​IDENTITY, ACCESS & CLOUD:

• ​Administer Okta for SSO/SAML/OIDC, MFA enforcement, and user lifecycle management including SCIM provisioning and deprovisioning

• ​Manage Conditional Access Policies and integrate identity platforms with Palo Alto User-ID, Zscaler IdP federation, and Azure AD

• ​Design and manage Microsoft Azure cloud networking including hybrid connectivity, VNet architecture, NSGs, and Azure Firewall

• ​Support Microsoft 365 and Exchange Online from a network and connectivity perspective including split tunneling and optimization

• ​Support IAM and PAM platforms as they relate to network access control and privilege governance

​ 

​PHYSICAL INFRASTRUCTURE & SYSTEMS:

• ​Manage physical server infrastructure, rack equipment installation, and data center operations including cabling, power, and cooling

• ​Administer building riser infrastructure and ensure secure integration of IT and OT devices on segregated network segments

• ​Support VMware vSphere virtual networking environments and server resource management

• ​Oversee SAN/NAS storage networking and business continuity / backup technologies

​ 

​MONITORING, DOCUMENTATION & GOVERNANCE:

• ​Drive network monitoring strategy and tooling to ensure proactive alerting and performance trending across the full infrastructure estate

• ​Author and maintain high-quality documentation including topology diagrams, configuration baselines, SOPs, and runbooks

• ​Contribute to business continuity and disaster recovery procedures; develop, test, and maintain failover runbooks

• ​Adhere to change management and PMO best practices for all infrastructure changes; manage project milestones with clear stakeholder communication

WHAT SUCCESS LOOKS LIKE

• ​​Complex escalations are resolved decisively and thoroughly, with clear communication throughout the team and Director trust this person to own the hardest problems

• ​Network architecture documentation, standards, and reference designs are developed and kept current, reducing reliance on tribal knowledge

• ​Security posture improves measurably: firewall policies are rationalized, vulnerabilities remediated on time, and segmentation consistently enforced

• ​Network stability and availability are maintained across all properties; incidents are detected proactively rather than reactively

• ​New technologies and architectural improvements are identified and brought forward with well-reasoned business cases

• ​Service Desk escalations are resolved efficiently with recurring patterns identified and addressed proactively

REQUIRED TECHNICAL SKILLS / ABILITIES

​​​INTERPERSONAL SKILLS: 

• ​Communicates complex technical issues, architectural decisions, and incident status clearly to both engineering peers and executive leadership

• ​Strong analytical and troubleshooting instincts works through ambiguous, high-pressure situations methodically and calmly

• ​Collaborative mindset: works effectively with internal teams, MSP, MSSP, and vendors; shares knowledge freely and raises team capability 

• ​Self-directed and highly accountable that takes ownership without waiting to be asked and follows through to full resolution

• ​Strong documentation discipline; leaves systems, configurations, and designs better documented than found

• ​Proactively monitors industry developments and brings emerging technologies and best practices to the team's attention 

​ 

​PALO ALTO NGFWs & PANORAMA:

• ​Expert-level policy management, troubleshooting, and architecture across a distributed multi-site environment

• ​Panorama: centralized policy administration, device group management, log forwarding, and operational management at scale

• ​Advanced firewall design: zone-based architecture, App-ID, User-ID, URL filtering, SSL decryption, threat prevention, and WildFire integration

• ​GlobalProtect: VPN configuration, gateway management, and site-to-site connectivity

• ​NAT policy design, security profile tuning, and firewall policy lifecycle management

• ​PCNSE certification strongly preferred

​ 

​ARUBA WIRELESS & SWITCHING:

• ​Aruba CX / AOS-CX switching — configuration, troubleshooting, and lifecycle management across multi-site environments

• ​Aruba Central management: RF planning, access point lifecycle, and performance optimization

• ​Wireless security: 802.1X, RADIUS integration, guest network segmentation, and rogue AP detection 

• ​SD-WAN architecture awareness and WAN/ISP circuit failover design

​ 

​ZSCALER ZIA / ZPA:

• ​Zscaler Internet Access (ZIA) URL filtering, SSL inspection, cloud firewall, and policy configuration

• ​Zscaler Private Access (ZPA) zero-trust application access, app connector management, and policy administration

• ​Zscaler tenant administration, log streaming, and integration with SIEM and identity providers

​ 

​OKTA / IAM & PAM:

• ​Okta SSO/SAML/OIDC configuration, MFA enforcement, and user lifecycle management including SCIM provisioning

• ​Okta integration with Palo Alto User-ID, Zscaler IdP federation, and Azure AD directory sync

• ​PAM platform familiarity and IAM integration with network access controls and Conditional Access Policies

​ 

​DNS & DOMAIN SECURITY:

• ​Windows DNS / Active Directory-integrated internal DNS, external authoritative DNS, and split-brain DNS architectures

• ​DNSSEC implementation and DNS-based threat detection and filtering

• ​Domain protection — monitoring for lookalike/spoofed domains and unauthorized SSL/TLS certificate issuance

• ​SSL/TLS certificate lifecycle management across internal and external services

• ​BitSight or equivalent EASM platform administration

​ 

​PROOFPOINT EMAIL SECURITY:

• ​Anti-spam, anti-phishing, email encryption, and threat response policy management

• ​Platform administration including quarantine management, allow/block lists, and reporting 

• ​Coordination with the security team on phishing investigations and incident response

• ​Experience with a comparable enterprise email security platform considered equivalent

​ 

​OT / BMS / IoT / PROPTECH:

• ​Hands-on experience with network design for building management systems (BMS), IoT devices, and PropTech deployments

• ​Network segmentation for OT/IT boundaries including VRF separation and secure access control

• ​Experience supporting access control, CCTV, AV systems, and sustainability technology in a commercial real estate or multi-family residential environment

• ​Awareness of OT security principles and protocols relevant to building infrastructure

​ 

​PHYSICAL INFRASTRUCTURE & DATA CENTER:

• ​Physical server management, rack installation, and data center operations including cabling, power, and cooling

• ​VMware vSphere, virtual networking and server resource management

• ​Microsoft Windows Server 2019/2022/2025 and Linux administration

• ​Microsoft Active Directory, DNS, and DHCP infrastructure management

• ​SAN/NAS storage networking and business continuity / backup technologies

​ 

​PCI-DSS & SOX COMPLIANCE:

• ​Working knowledge of PCI-DSS and SOX requirements for network segmentation, access control, and audit logging

• ​Firewall ACL governance, policy review cycles, and evidence collection for compliance audits

• ​Experience in a regulated industry (real estate, financial services, or similar) preferred

​ 

​CLOUD & HYBRID NETWORKING:

• ​Microsoft Azure — VNet design, hybrid connectivity (ExpressRoute / VPN Gateway), NSGs, Azure Firewall, and Azure AD / Entra

• ​Hybrid DNS resolution, cloud-to-on-premises connectivity patterns, and identity federation

• ​Microsoft 365 and Exchange Online — network requirements, split tunneling, and connectivity optimization

EDUCATION & EXPERIENCE

• ​​​8–10 years of progressive, hands-on enterprise network engineering experience with demonstrated depth in complex, multi-site environments

• ​At least 3 years in a senior or lead capacity managing complex, multi-site infrastructure

• ​Proven experience serving as a technical escalation resource or informal architect on an infrastructure team

• ​Experience in Real Estate, Financial Services, or a similarly regulated industry preferred

• ​PCNSE (Palo Alto Networks Certified Network Security Engineer) strongly preferred; Panorama hands-on experience is a firm requirement

• ​Aruba/HPE (ACSA/ACCP), Zscaler (ZCCA-IA/PA), Azure (AZ-104), or Okta Certified Administrator are a plus

• ​CCNP Enterprise or equivalent routing/switching certification considered; demonstrated production depth matters most 

• ​Associate's or Bachelor's Degree in Computer Science, Information Technology, or related field preferred; equivalent professional experience considered

PHYSICAL REQUIREMENTS

• Prolonged periods of sitting at a desk and working on a computer
• Must be able to lift up to 15 pounds at times

WHAT YOU CAN EXPECT

At ESRT, like our tenants, our employees come from everywhere. We foster a collaborative work environment that captures top talent and cultivates the best ideas. As a Great Place to Work® Certified employer, we are committed to maintaining our positive work culture where employees are engaged and can grow and develop. In addition, ESRT employees embody our Company Culture & Success Factors -
• Adaptable – you are a self-starter who’s able to quickly digest and execute new processes to work both collaboratively and independently
• Dynamic – you are solutions-oriented, aim to improve processes and implement efficiency, and offer insightful feedback to improve ESRT
• Dependable – you take a strong sense of ownership and accountability over your work
• Passionate – you keep up with industry trends and are excited about the potential to propel the industry forward with a “roll-up-your-sleeves” attitude
• Curious – you consistently look for new ways to work smarter, not just harder
• Ethical – you treat others with respect, act with integrity in how you perform your work, and embrace our collaborative culture
• Positive – you possess a service-oriented attitude with excellent follow through

BENEFITS

• Competitive base salary and bonus
• Health/Dental/Vision insurance
• Company sponsored Life, AD&D, STD (with Salary Continuation), and LTD Insurance
• Voluntary Enhanced LTD Program
• Voluntary Hospital, Accident, and Cancer Programs
• 401(k) with 100% match up to 5%
• Paid parental leave
• Pre-tax transit accounts
• Employee Assistance Program for emotional, financial, and legal support

WELL-BEING

• Generous paid time off
• Flex remote work time
• Flex Summer Fridays
• Employee engagement programs
• Volunteer time off
• Continuing education
• Complimentary Empire State Building Observatory access
• Complimentary gym membership and other wellness benefits
• Employee Discount Programs