Kettering Health Network Provides “One-Stop-Shop” for Remote Users with F5 Solution

Kettering Health Network (KHN) wanted to streamline access to its electronic medical records system and other apps for its remote users who work throughout the Dayton-Cincinnati area. Using a single, unified solution from F5, KHN was able to consolidate existing Citrix, Microsoft, VMware, and other third-party solutions in its edge network and provide a unified access portal for users.

Business Challenges

People living in the greater Dayton area and northern Cincinnati are fortunate to have top-rate medical care. Kettering Health Network (KHN), a nonprofit network of seven hospitals, eight emergency rooms, and more than 75 outpatient facilities, has been rated by Thomson Reuters three years in a row as one of the top 10 hospital networks in the U.S. for clinical excellence. KHN has more than 14,000 employees, 1,200 physicians, and 1,000 volunteers.

As part of its commitment to provide superior medical care, KHN decided to modernize its existing electronic medical records (EMR) system, replacing it with EpicCare EMR. To intelligently manage traffic to the EpicCare servers, KHN deployed F5 BIG-IP Application Delivery Controllers (ADCs) in its core network and its disaster recovery site. As a result, EpicCare servers were highly available, enabling clinicians to interact with a reliable, high-performing application. The F5 solution also improved business continuity by eliminating downtime for routine maintenance and providing for failover in the event of an outage.

At the time, KHN had evaluated several networking vendors and ultimately chose the F5 BIG-IP solution for two primary reasons: its user-friendly GUI and superior auditing and logging capabilities. “We can do 99 percent of administrator tasks using F5’s web interface with a simple point and click of the mouse,” says Sean Graham, Network Architect at KHN. “Using F5’s scripting language, iRules, we can easily audit and log connection information to determine the health of our servers and applications.”

After initially rolling out EpicCare to internal users, the IT team subsequently provided access for remote users working in clinics and other off-campus locations. While internal users connected to EpicCare directly or through a VMware Horizon with View desktop, remote users accessed EpicCare over the Internet through Citrix XenApp sessions.

A subset of KHN’s remote users needed full SSL VPN connectivity to access additional backend applications and resources. To complete the required two-factor authentication process for SSL VPN access, users entered a unique code generated by an RSA SecurID token.

Both the VMware and Citrix solutions required KHN to deploy multiple security and gateway servers in its perimeter network. SSL VPN capability was provided by a pair of third-party firewalls, also located in the perimeter network. In addition, KHN used Microsoft Threat Management Gateway (TMG) to authenticate users of Microsoft applications such as Exchange and Lync. Eventually, KHN used the TMG servers to proxy traffic to additional web services.

In time, these multiple perimeter solutions became more complex for the IT team to manage. “We really wanted to replace all of the different security and gateway servers that resided in the perimeter network with a single solution,” says Graham. “Our goal was to give users in any location a single portal—a ‘one-stop-shop’—from which they could easily access all the applications and resources they needed.”

KHN also wanted to switch from using RSA SecurID to Symantec VIP, but making a smooth transition from one authentication scheme to the other would have been difficult since its existing firewalls did not support both.


When Microsoft announced it would discontinue its TMG product, KHN’s IT team knew a new solution would be needed long-term. It considered Citrix and F5 solutions as possible replacements.

“We had been successfully managing our EpicCare traffic for years using our existing F5 devices with BIG-IP Local Traffic Manager. But when we discovered the capabilities of BIG-IP Access Policy Manager, we realized it could solve a lot of our multi-vendor remote access and authentication challenges,” says Graham.

Specifically, BIG-IP APM would enable KHN to consolidate multiple gateway and authentication solutions in its edge network and provide user authentication across both the Citrix and VMware environments. F5’s unified platform and the ability to layer additional services on the same device were an added bonus.


Since deploying BIG-IP APM, KHN has consolidated multiple vendors’ security, access, and SSL VPN solutions, simplified the user authentication process, and provided a single portal from which users can easily access numerous applications and resources.

Consolidated, simplified infrastructure

KHN was able to replace a number of solutions in its edge network, including the Citrix web access and gateway servers, web front-end proxy servers, Microsoft TMG, and some third-party firewalls used for SSL VPN client connections.

“BIG-IP Access Policy Manager enabled us to replace four different vendors’ solutions in our perimeter network. As a result, we either redeployed or consolidated devices, saving on licensing and maintenance costs,” says Graham. “Now whether a user wants to access EpicCare, Citrix applications, or other backend applications that require an SSL VPN connection, all of that traffic comes into our network through the F5 devices.” 

Easy access for users

With the dynamic webtop feature of BIG-IP APM, KHN now provides users a one-stop-shop—a single portal that displays all applications and resources a user is authorized to access. “We were thrilled that with F5, we can present on a single portal the Citrix icons, proxied apps, web redirects, SSL VPN and, in the near future, the VMware desktop,” says Graham. “We weren’t able to do that with TMG.”

BIG-IP APM has also enabled single sign-on (SSO) for most applications, simplifying access for users. Because BIG-IP APM collects credentials up front, it auto-fills credentials for most apps when they are launched. “Through a single portal, users have access to the majority of resources they need; that’s just the kind of simplicity we wanted for our users,” says Graham, noting that the IT team will add access to more apps in the future.

Using BIG-IP APM, KHN was also able to smoothly transition its SSL VPN users from RSA SecurID to Symantec VIP. KHN’s existing firewall solution didn’t support both authentication schemes, so switching 5,000 or more users all at once would have been difficult to pull off without disruption.

“Since BIG-IP APM supports both schemes, there was no change or interruption in workflow for users. They entered whatever code their token provided, were authenticated and served up a portal page, and then were able to launch the VPN client.” This flexibility made it possible for KHN to gradually migrate all RSA SecurID users to Symantec VIP over time, which wasn’t possible with the previous solution.

Simplified administration and management

Aside from simplifying the infrastructure by consolidating solutions from four vendors, the F5 solution has made it easier for the IT team to manage systems. “The BIG-IP browser-based configuration utility is great for our less experienced staff—anyone can use it because it’s so easy,” says Graham. “The nice thing is that with F5, we have the flexibility to use the command line, which gives us visibility into the entire network.”

Within BIG-IP APM, F5 provides the Visual Policy Editor (VPE), a unique GUI-based tool that simplifies policy creation. “Using VPE, we easily created a policy that authenticates users whether they’re using an RSA SecurID token or a Symantec VIP token,” says Graham. Because BIG-IP APM enabled KHN to support both authentication schemes simultaneously, the IT team was able to gradually transition users away from SecurID to VIP.

Flexible platform for growth

Graham appreciates F5’s unified BIG-IP platform and the ability it gives the IT team to deploy multiple application and security services on a single device. “Today we provide intelligent traffic management, SSL offloading, and access policy management on a single device; in the future, we can easily add a web application firewall,” says Graham. “It’s a huge benefit to be able to deploy BIG-IP modules on our existing devices without buying more hardware,” he adds, noting that BIG-IP Application Security Manager is looking more and more like a must-have for the future.