Community College Simplifies Access Management with Centralized Solution from F5

Southeast Community College (SCC) in Lincoln, Nebraska, needed an easier method for managing user authentication to the web portal that delivers its powerful learning management system and other important applications.

It chose to upgrade its existing F5 BIG-IP devices and replace its existing, inflexible access management solution with BIG-IP Access Policy Manager (APM). As a result, SCC was able to greatly simplify portal access and now has a centralized solution for secure access and policy management. Just as important, it has a solid networking platform that will scale to meet growing demand and enable SCC to expand its online offerings.

Business Challenges

Southeast Community College (SCC) is known for delivering top-quality academics and vocational training at an affordable price. One reason it can deliver such value is its commitment to instruction outside the traditional classroom. SCC offers more than 300 classes online. All of the school’s 50 study programs have a presence on the learning management system (LMS), and more than half of those rely heavily on the LMS to deliver their classes.

Students access the LMS—as well as email and other online tools for registration, class schedules, grades, and financial aid—through a web portal using a standard browser. “The portal is a one-stop shop for our 19,000 full- and part-time students and nearly 1,100 faculty and staff members,” says Alan Brunkow, Information Services Manager at SCC. “It’s vitally important for all of our users, and they depend on it to be there for them 24/7.”

Since 2006, SCC’s IT group has used F5 BIG-IP 1500 Application Delivery Controllers with BIG-IP Local Traffic Manager (LTM) to ensure high availability and manage traffic to the portal servers. To provide secure access to the portal, SCC used Microsoft Forefront Threat Management Gateway (TMG). “We would have preferred to run access-type security functions on the F5 devices rather than on the Windows server, but TMG was recommended to us by our LMS vendor,” says Brunkow. “Given our tight budget constraints at the time, it made sense for us.”

Eventually, however, that solution proved to be a challenge for IT to manage. “With TMG, we used two different IP addresses, one for internal users and one for external users,” explains Brunkow. “Internal users were authenticated automatically using their Active Directory credentials and given direct access to the portal. External users were directed to a login page where they would enter their credentials and then be authenticated.”

The IT group also provided public access machines in various locations around campus, such as the library, and it set up several dozen additional systems in the gym every quarter for student registration. “Technically, these were internal machines, but since they were used by many different students, they had to operate differently on the network than those assigned to specific users,” says Brunkow. “We had to customize the host file settings on these machines so that each new user would be redirected to the login page. Once they entered their credentials, they would be authenticated and then granted access to the portal.”

Maintaining custom settings on these systems put an extra burden on the IT staff and increased the potential for login issues. If library systems weren’t configured correctly, for example, users couldn’t log in, and then a number of people—from the librarian, to the help desk staff, to the IT staff—were enlisted to help. Similarly, if the machines provided for registration weren’t configured correctly, significant delays in the class registration process could occur.

“It just wasn’t an ideal scenario. There was always the chance that these files would be overlooked when it was time to update software or replace a machine,” says Brunkow. “We needed a simpler approach to access management and user authentication, and we wanted to eliminate the need to maintain these machines individually.”

As the IT group worked to solve this issue, an unexpected and more pressing challenge arose. “During our summer term in 2012, Microsoft introduced new password complexity rules,” says Rod Richards, Network Technician at SCC. “That’s a good thing from a security standpoint, but it meant that all of our users needed to update their passwords to comply with the new, strong password requirements—and they needed to do it quickly.”

September 5 was set as the deadline for those new password rules to go into effect, but when the deadline arrived, many students were caught unprepared. Those whose passwords had expired were denied access to the portal. “The frustrating part was that TMG wasn’t able to recognize expired passwords, and there was no mechanism for notifying users what the problem was or how to fix it,” says Richards. Not surprisingly, the help desk was inundated with support calls. “With summer term needing to continue and the fall term starting in a matter of days, this presented an enormous challenge for both students and faculty.”

Solution

The IT group not only needed to solve this immediate crisis, it needed a long-term replacement for TMG. Fortunately, a solution was already in the works. In July 2012, IT received funding to upgrade its BIG-IP 1500 devices—which had served SCC well for six years—to two BIG-IP 3900 devices.

“We put a lot of effort into evaluating our options to make sure we were getting the right solution—not just for our current needs but for our future needs,” says Brunkow. With higher capacity devices, SCC could ensure availability of the portal and handle continued growth in traffic. “The BIG-IP 3900 devices were an ideal solution for us because we could run BIG-IP Access Policy Manager (APM) on them,” he continues. “That would enable us to replace TMG with a centralized access policy management solution that ran on the same platform.”

Benefits

In addition to helping SCC solve the password issue, the F5 solution provides a simpler, more efficient way for IT to ensure reliable portal access, establish comprehensive security and access policies long term, and centrally manage all of the school’s public access machines.

Rapid deployment at a critical time

The new F5 equipment arrived at SCC in August 2012, which would have given IT a comfortable four to six weeks to set up and configure the new devices before fall term began. But on September 5, when the help desk received more than 850 password-related distress calls, the IT group had to act immediately. “We didn’t anticipate a problem with TMG,” says Brunkow. “We had hoped to continue using it through the end of the quarter and then upgrade to the F5 solution before the fall quarter began.”

Luckily, the IT group had already set up and configured the new BIG-IP 3900 devices. The team was in the process of defining new access policies in BIG-IP APM when the password crisis hit. Using BIG-IP APM, the staff was able to quickly build a new portal login page where users could enter their credentials. The team used iRules, F5’s unique scripting language, to create a simple iRule that redirected users with expired passwords to a page where they could quickly and easily update their passwords.

“The solution was surprisingly easy for us to implement—we had the BIG-IP 3900 devices with BIG-IP APM running in our production environment that same evening,” says Richards. By the next morning, password-related help desk calls had already begun to fall back to near-normal levels.

“I was impressed with how quickly our staff was able to deploy the F5 solution—we were able to go live well ahead of schedule,” says Brunkow. “With other deployments, it wasn’t unusual for technical staff to need six months of training, but Rod [Richards] picked up the new F5 technology right away.”

For this, Richards gives a lot of credit to the built-in configuration wizard in BIG-IP APM and the ease of use of the F5 iRules technology. “With the BIG-IP APM setup wizard, we got IP addresses in place and started building virtual servers quickly; it saved a lot of time,” says Richards, who adds that iRules is invaluable. “You can write an iRule for just about anything you want to do—if you can dream it, iRules will do it.”

Simple, centralized policy management

With BIG-IP APM, the IT group now has a centralized policy management solution that works entirely on the BIG-IP 3900 devices. “Having a centrally managed access management solution on the F5 devices is always preferable to running a solution on a multi-purpose server, because the F5 devices are optimized for this type of service,” Brunkow says. “That’s one of the primary benefits of the solution.”

In addition, because BIG-IP APM provides visibility to all devices under its control, the staff no longer has to maintain custom host file settings on public access machines around campus. “With BIG-IP APM, we keep a list of all of our public access computers. When a user tries to log in, we can see the IP address of the machine and we know immediately that the user needs to be directed to the login page,” says Richards. “Not having to physically update host files on each machine saves us a great deal of time and gives us better control.”

Reliable portal access

Users now enjoy more reliable and easy access to the web portal. Whether they’re in the library or using one of the other public access machines on campus, they don’t have to worry about being denied portal access.

Richards also anticipates fewer problems at the next password expiration deadline. “Before, it was a difficult process for users to update their passwords,” Richards says. “With the F5 solution, we’ve made it so much easier, and users are far more self-sufficient.” If there’s ever a problem with a user’s credentials, they’re told what the problem is and immediately redirected to a page where they can reset their passwords. “We’ve eliminated a lot of frustration for users, and we avoid the hundreds of help desk calls that we saw before,” he says.

Solid platform for growth

As a result of its success with F5, the solution has become a cornerstone of the data center infrastructure at SCC. “F5 is so effective, it has basically become our DMZ,” says Brunkow. “Anything we present to the outside world is now behind the BIG-IP devices. Every new service we introduce is set up the same way using this technology, so sharing information among our IT staff is easier because we’re all familiar with it.”

When asked what SCC’s alternatives were, Richards says, “I don’t see how we could have solved this problem without F5. We wouldn’t have been able to expand beyond even one web server, so it really opens up the doors for us to handle more traffic and broaden the range of services we can offer.”

In the future, SCC is considering deploying BIG-IP Application Security Manager to protect web-based applications from attack and BIG-IP WebAccelerator to optimize the delivery of web-based content. When that time comes, Brunkow anticipates another smooth and rapid deployment. “With F5, we have a platform that will grow with us cost-effectively for many years to come, so we are maximizing our investment. That’s a huge plus for us.”