Sr. Network Engineer

COMPANY SUMMARY

Empire State Realty Trust, Inc. (NYSE: ESRT) is a NYC-focused REIT that owns and operates a portfolio of well-leased, top of tier, modernized, amenitized, and well-located office, retail, and multifamily assets. ESRT's flagship Empire State Building, the "World's Most Famous Building," features its iconic Observation Deck, ranked the #1 Top Attraction in New York City for the fifth consecutive year in Tripadvisor's 2026 Travelers' Choice Awards: Best of the Best Things to Do. The Company is a recognized leader in energy efficiency and indoor environmental quality. As of March 31, 2026, ESRT's portfolio is comprised of approximately 8.0 million rentable square feet of office space, 0.8 million rentable square feet of retail space and 743 residential units. More information about Empire State Realty Trust can be found at esrtreit.com and by following ESRT on Facebook, Instagram, TikTok, X and LinkedIn.

The dedicated team at ESRT is a collection of diverse individuals with a shared passion for excellence and a keen eye toward future growth. Headquartered in New York City, we harness the energy of the city in everything we do. We care for one another, work hard, and have a lot of fun doing it! We are Certified™ as a Great Place to Work® by the global authority, Great Place to Work®, on workplace culture, employee experience, and leadership behaviors. We prioritize and invest in the health and wellness of employees to attract, develop, and retain top-tier talent. ESRT values continuous employee development and encourages colleagues to excel in their roles and adapt to emerging business needs. From our crown jewel, The Empire State Building, to incredible buildings modernized for the 21st century, to outstanding customer service, and our decade-long leadership position in sustainability and energy efficient portfolio that is 100% fully powered by renewable wind electricity, we take pride in our work. ESRT seeks an equally passionate colleague to join the team, understand the vision and help achieve that vision.


RESPONSIBILITIES

TECHNICAL LEADERSHIP & ESCALATION:

• Serve as the primary escalation point for complex network incidents, outages, and performance issues owing problems through to resolution with clear communication to stakeholders
>

• Provide expert guidance to internal engineers, MSP resources, and NOC personnel on architecture, troubleshooting methodology, and root cause analysis
>

• Lead post-incident reviews, drive root cause identification, and implement lasting remediations to prevent recurrence
>

• Evaluate complex vendor and MSP escalations; make technical decisions on design, tooling, and resolution approach
>

NETWORK ARCHITECTURE & DESIGN:

• Work with the Director of Network & Infrastructure to architect scalable, resilient, and secure network solutions across LAN, WAN, wireless, cloud, and building infrastructure
>

• Lead the design and evolution of network segmentation strategy including zero-trust principles, VRF separation, and secure OT/IT boundary enforcement
>

• Develop and maintain network infrastructure standards, reference architectures, and design patterns for consistent deployment across properties
>

• Evaluate emerging technologies and contribute to the long-term infrastructure roadmap, particularly around Palo Alto / Panorama, Aruba, and cloud connectivity platforms
>

NETWORK ENGINEERING & OPERATIONS:

• Design, deploy, and manage enterprise network infrastructure across BMS, IoT, Wi-Fi, PropTech, AV, security systems, corporate offices, and the Observatory
>

• Administer Palo Alto NGFWs via Panorama - policy management, threat prevention, VPN, NAT, and security profile lifecycle management
>

• Manage and optimize Aruba switching and wireless infrastructure including configuration, upgrades, RF planning, and troubleshooting via Aruba Central
>

• Own BGP, OSPF, VLANs, VPN, QoS, and DNS configurations across multi-site environments
>

• Manage WAN and ISP connectivity including failover design and carrier-level troubleshooting
>

• Support IoT and PropTech deployments in a secure manner with a focus on building systems, access control, and sustainability technology
>

SECURITY & COMPLIANCE:

• Lead network security posture improvements including firewall policy lifecycle, ACL governance, and vulnerability remediation
>

• Administer Zscaler ZIA and ZPA - URL filtering, SSL inspection, cloud firewall rules, and app connector management
>

• Manage Proofpoint email security platform including anti-spam, anti-phishing, encryption, and threat response policies
>

• Administer BitSight to track, triage, and coordinate remediation of external security posture findings
>

• Maintain PCI-DSS and SOX compliance through adherence to and enforcement of network policies and procedures
>

• Collaborate with the MSSP on security monitoring, threat analysis, and incident response
>

• Ensure timely application of patches, hotfixes, and firmware upgrades across all network equipment
>

IDENTITY, ACCESS & CLOUD:

• Administer Okta for SSO/SAML/OIDC, MFA enforcement, and user lifecycle management including SCIM provisioning and deprovisioning
>

• Manage Conditional Access Policies and integrate identity platforms with Palo Alto User-ID, Zscaler IdP federation, and Azure AD
>
• Design and manage Microsoft Azure cloud networking including hybrid connectivity, VNet architecture, NSGs, and Azure Firewall
>

• Support Microsoft 365 and Exchange Online from a network and connectivity perspective including split tunneling and optimization
>

• Support IAM and PAM platforms as they relate to network access control and privilege governance
>

PHYSICAL INFRASTRUCTURE & SYSTEMS:

• Manage physical server infrastructure, rack equipment installation, and data center operations including cabling, power, and cooling
>

• Administer building riser infrastructure and ensure secure integration of IT and OT devices on segregated network segments
>

• Support VMware vSphere virtual networking environments and server resource management
>

• Oversee SAN/NAS storage networking and business continuity / backup technologies
>

MONITORING, DOCUMENTATION & GOVERNANCE:

• Drive network monitoring strategy and tooling to ensure proactive alerting and performance trending across the full infrastructure estate
>

• Author and maintain high-quality documentation including topology diagrams, configuration baselines, SOPs, and runbooks
>

• Contribute to business continuity and disaster recovery procedures; develop, test, and maintain failover runbooks
>

• Adhere to change management and PMO best practices for all infrastructure changes; manage project milestones with clear stakeholder communication
>

WHAT SUCCESS LOOKS LIKE

• Complex escalations are resolved decisively and thoroughly, with clear communication throughout the team and Director trust this person to own the hardest problems
>

• Network architecture documentation, standards, and reference designs are developed and kept current, reducing reliance on tribal knowledge
>

• Security posture improves measurably: firewall policies are rationalized, vulnerabilities remediated on time, and segmentation consistently enforced
>

• Network stability and availability are maintained across all properties; incidents are detected proactively rather than reactively
>

• New technologies and architectural improvements are identified and brought forward with well-reasoned business cases
>

• Service Desk escalations are resolved efficiently with recurring patterns identified and addressed proactively
>

REQUIRED TECHNICAL SKILLS / ABILITIES

INTERPERSONAL SKILLS:

• Communicates complex technical issues, architectural decisions, and incident status clearly to both engineering peers and executive leadership
>

• Strong analytical and troubleshooting instincts works through ambiguous, high-pressure situations methodically and calmly
>

• Collaborative mindset: works effectively with internal teams, MSP, MSSP, and vendors; shares knowledge freely and raises team capability
>

• Self-directed and highly accountable that takes ownership without waiting to be asked and follows through to full resolution
>

• Strong documentation discipline; leaves systems, configurations, and designs better documented than found
>

• Proactively monitors industry developments and brings emerging technologies and best practices to the team's attention
>

PALO ALTO NGFWs & PANORAMA:

• Expert-level policy management, troubleshooting, and architecture across a distributed multi-site environment
>

• Panorama: centralized policy administration, device group management, log forwarding, and operational management at scale
>

• Advanced firewall design: zone-based architecture, App-ID, User-ID, URL filtering, SSL decryption, threat prevention, and WildFire integration
>

• GlobalProtect: VPN configuration, gateway management, and site-to-site connectivity
>

• NAT policy design, security profile tuning, and firewall policy lifecycle management
>

• PCNSE certification strongly preferred
>

ARUBA WIRELESS & SWITCHING:

• Aruba CX / AOS-CX switching - configuration, troubleshooting, and lifecycle management across multi-site environments
>

• Aruba Central management: RF planning, access point lifecycle, and performance optimization
>

• Wireless security: 802.1X, RADIUS integration, guest network segmentation, and rogue AP detection
>

• SD-WAN architecture awareness and WAN/ISP circuit failover design
>

ZSCALER ZIA / ZPA:

• Zscaler Internet Access (ZIA) URL filtering, SSL inspection, cloud firewall, and policy configuration
>

• Zscaler Private Access (ZPA) zero-trust application access, app connector management, and policy administration
>

• Zscaler tenant administration, log streaming, and integration with SIEM and identity providers
>

OKTA / IAM & PAM:

• Okta SSO/SAML/OIDC configuration, MFA enforcement, and user lifecycle management including SCIM provisioning
>

• Okta integration with Palo Alto User-ID, Zscaler IdP federation, and Azure AD directory sync
>

• PAM platform familiarity and IAM integration with network access controls and Conditional Access Policies
>

DNS & DOMAIN SECURITY:

• Windows DNS / Active Directory-integrated internal DNS, external authoritative DNS, and split-brain DNS architectures
>

• DNSSEC implementation and DNS-based threat detection and filtering
>

• Domain protection - monitoring for lookalike/spoofed domains and unauthorized SSL/TLS certificate issuance
>

• SSL/TLS certificate lifecycle management across internal and external services
>

• BitSight or equivalent EASM platform administration
>

PROOFPOINT EMAIL SECURITY:

• Anti-spam, anti-phishing, email encryption, and threat response policy management
>

• Platform administration including quarantine management, allow/block lists, and reporting
>

• Coordination with the security team on phishing investigations and incident response
>

• Experience with a comparable enterprise email security platform considered equivalent
>

OT / BMS / IoT / PROPTECH:

• Hands-on experience with network design for building management systems (BMS), IoT devices, and PropTech deployments
>

• Network segmentation for OT/IT boundaries including VRF separation and secure access control
>

• Experience supporting access control, CCTV, AV systems, and sustainability technology in a commercial real estate or multi-family residential environment
>

• Awareness of OT security principles and protocols relevant to building infrastructure
>

PHYSICAL INFRASTRUCTURE & DATA CENTER:

• Physical server management, rack installation, and data center operations including cabling, power, and cooling
>

• VMware vSphere, virtual networking and server resource management
>

• Microsoft Windows Server 2019/2022/2025 and Linux administration
>

• Microsoft Active Directory, DNS, and DHCP infrastructure management
>

• SAN/NAS storage networking and business continuity / backup technologies
>

PCI-DSS & SOX COMPLIANCE:

• Working knowledge of PCI-DSS and SOX requirements for network segmentation, access control, and audit logging
>

• Firewall ACL governance, policy review cycles, and evidence collection for compliance audits
>

• Experience in a regulated industry (real estate, financial services, or similar) preferred
>

CLOUD & HYBRID NETWORKING:

• Microsoft Azure - VNet design, hybrid connectivity (ExpressRoute / VPN Gateway), NSGs, Azure Firewall, and Azure AD / Entra
>

• Hybrid DNS resolution, cloud-to-on-premises connectivity patterns, and identity federation
>

• Microsoft 365 and Exchange Online - network requirements, split tunneling, and connectivity optimization
>

EDUCATION & EXPERIENCE

• 8-10 years of progressive, hands-on enterprise network engineering experience with demonstrated depth in complex, multi-site environments
>

• At least 3 years in a senior or lead capacity managing complex, multi-site infrastructure
>

• Proven experience serving as a technical escalation resource or informal architect on an infrastructure team
>

• Experience in Real Estate, Financial Services, or a similarly regulated industry preferred
>

• PCNSE (Palo Alto Networks Certified Network Security Engineer) strongly preferred; Panorama hands-on experience is a firm requirement
>

• Aruba/HPE (ACSA/ACCP), Zscaler (ZCCA-IA/PA), Azure (AZ-104), or Okta Certified Administrator are a plus
>

• CCNP Enterprise or equivalent routing/switching certification considered; demonstrated production depth matters most
>

• Associate's or Bachelor's Degree in Computer Science, Information Technology, or related field preferred; equivalent professional experience considered
>

PHYSICAL REQUIREMENTS

• Prolonged periods of sitting at a desk and working on a computer
• Must be able to lift up to 15 pounds at times

WHAT YOU CAN EXPECT

At ESRT, like our tenants, our employees come from everywhere. We foster a collaborative work environment that captures top talent and cultivates the best ideas. As a Great Place to Work® Certified employer, we are committed to maintaining our positive work culture where employees are engaged and can grow and develop. In addition, ESRT employees embody our Company Culture & Success Factors -

• Adaptable - you are a self-starter who's able to quickly digest and execute new processes to work both collaboratively and independently
• Dynamic - you are solutions-oriented, aim to improve processes and implement efficiency, and offer insightful feedback to improve ESRT
• Dependable - you take a strong sense of ownership and accountability over your work
• Passionate - you keep up with industry trends and are excited about the potential to propel the industry forward with a "roll-up-your-sleeves" attitude
• Curious - you consistently look for new ways to work smarter, not just harder
• Ethical - you treat others with respect, act with integrity in how you perform your work, and embrace our collaborative culture
• Positive - you possess a service-oriented attitude with excellent follow through

BENEFITS

• Competitive base salary and bonus
• Health/Dental/Vision insurance
• Company sponsored Life, AD&D, STD (with Salary Continuation), and LTD Insurance
• Voluntary Enhanced LTD Program
• Voluntary Hospital, Accident, and Cancer Programs
• 401(k) with 100% match up to 5%
• Paid parental leave
• Pre-tax transit accounts
• Employee Assistance Program for emotional, financial, and legal support

WELL-BEING

• Generous paid time off
• Flex remote work time
• Flex Summer Fridays
• Employee engagement programs
• Volunteer time off
• Continuing education
• Complimentary Empire State Building Observatory access
• Complimentary gym membership and other wellness benefits
• Employee Discount Programs

$155,000 - $175,000 a year

ESRT is an equal opportunity employer and is committed to providing a workplace free from harassment and discrimination. We celebrate the unique differences of our employees because they drive curiosity, innovation, and the success of our business. We do not discriminate based on race, religion, color, creed, national origin, sex, sexual orientation, gender identity or expression, reproductive choices, age, marital status, veteran status, disability status, pregnancy, parental status, caregiver status, genetic information, political affiliation, or any other status protected by the laws or regulations in the locations where we operate. This policy applies to all aspects of employment, including hiring, promotion, demotion, compensation, training, working conditions, transfer, job assignments, benefits, layoff, and termination. Reasonable accommodations that do not create an undue hardship for the Company are available for applicants and employees with disabilities or sincerely held religious beliefs.

We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.