Secure Sockets Layer virtual private networks (SSL VPNs) have enabled wide area network (WAN) managers to provide users with secure remote access to files, applications and even virtual desktops from anywhere with an Internet connection. But VPNs also create ongoing help desk headaches when users forget how to log on or struggle with multiple authentication processes. One university has responded by simplifying and consolidating those processes so that users aren't even aware that they're using VPNs.
"I really hate VPNs and am trying to get rid of them as much as possible," said Robin Manke-Cassidy, enterprise architect and director of emerging technologies at Arizona State University (ASU), which serves 70,000 undergraduates across four campuses in the Phoenix metro area, making it the nation's largest public university in terms of enrollment. "We're trying to build the VPN connection into what they're trying to connect to…. Our goal is to get them to have one step to get where they need to go."
In addition to the students, faculty and professors who require occasional off-campus access to applications and desktop environments running on ASU's virtualized Citrix XenApp server farm, the WAN supports 3,000 remote students in its online degree program. The WAN also supports researchers in Africa and Asia and classrooms in China and Mexico. University officials want to boost enrollment to 100,000 local students and 100,000 online students by 2020, Manke-Cassidy said.
Until recently, remote users connected to the WAN by authenticating through a Web portal that connected to ASU's Cisco Systems' AnyConnect VPN client. Once the tunnel was open, users would face a second authentication process for their applications through Citrix Access Gateway, which runs on the school's Netscaler appliance, Manke-Cassidy said.
The authentication processes confused and frustrated users, Manke-Cassidy said. They frequently tied up the help desk with basic questions about logging onto the WAN and accessing their applications or called just to complain when the connection was too slow, she said.
"We have outsourced our help desk, so every time we get calls there, we get charged X amount of dollars. Reducing the number of those phone calls is absolutely key," Manke-Cassidy said.
Not all of ASU's applications have been deployed on the school's XenApp servers yet, making some applications inaccessible to remote users, she said. The networking team is also hesitant to deploy virtual desktop infrastructure (VDI) over WAN connections due to concerns about performance -- never mind the outstanding authentication issues.
"Now, most of the online students do not have access to most of the same resources," Manke-Cassidy said. "In our labs and classrooms, [applications are] now 50% XenApp and 50% on a physical workstation…. [We hope to] make physically coming to campus a non-issue."
Simplifying secure remote access, enabling VDI over WAN
There's no getting rid of SSL VPNs if ASU wants to maintain secure remote access. But WAN pros at the university are engineering the back-end to give users the illusion of a single authentication process for both the VPN tunnel and XenApp servers, Manke-Cassidy said.
The university is phasing out its Cisco SSL VPNs and relying on Citrix Access Gateway SSL VPNs for secure remote access, so that students can simultaneously authenticate on the VPN and access XenApp from a single Web portal, she said.
"It's going to be using Citrix Receiver and tying it to authenticate everything at once," she said. "The infrastructure … is going to be key to both the [local] and the remote students so that both have access to the same resources, no matter where they are -- and securely."
Manke-Cassidy and her team hope to improve secure remote access by conducting more "client interrogation" using some of the network access control (NAC) features in Access Gateway to ensure that any devices connecting to the network are clean and protected.
No such pre-authentication scans are in place today, she said. Although no infections have reached the data center, WAN security pros have detected compromised machines in VPN tunnels, Manke-Cassidy said.
"If a workstation out in a home [has] a bot or infection, we just opened the door to our data center," she said. "We've talked about increasing security on those connections by making sure we're interrogating the machines to make sure they have the latest antivirus [software] or potentially have all the Microsoft [Windows] patches."
The added security check must occur quickly and in the background during the authentication process so that users aren't once again confused or impatient.
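As an added illustration (not ASU's or Citrix's code) of the pre-authentication "client interrogation" described above: a gateway-side evaluator that reads a client's posture report (antivirus state and patch level) and fails closed when the report is missing, malformed or stale, so a slow or silent client is denied rather than waved through. The report format, thresholds and timestamps are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy thresholds (not from the article):
MAX_REPORT_AGE = timedelta(minutes=5)   # report must be fresh, or it could be replayed
MAX_SIGNATURE_AGE = timedelta(days=3)   # "latest antivirus"
MAX_PATCH_AGE = timedelta(days=30)      # "all the Microsoft patches"

def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def evaluate_posture(report_json: Optional[str], now: datetime) -> Tuple[str, List[str]]:
    """Decide 'allow' or 'deny' for a VPN logon from a client posture report.
    Fails closed: a missing, malformed or stale report is denied."""
    if report_json is None:
        return "deny", ["no posture report received before the time budget expired"]
    try:
        r = json.loads(report_json)
        reported = _ts(r["reported_at"])
        av_running = bool(r["av_running"])
        sig_date = _ts(r["av_signature_date"])
        patch_date = _ts(r["last_patch_date"])
    except (ValueError, KeyError, TypeError) as exc:
        return "deny", [f"malformed posture report: {exc}"]
    reasons = []
    if not (timedelta(0) <= now - reported <= MAX_REPORT_AGE):
        reasons.append("posture report is stale or timestamped in the future")
    if not av_running:
        reasons.append("antivirus is not running")
    elif now - sig_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures are older than 3 days")
    if now - patch_date > MAX_PATCH_AGE:
        reasons.append("OS patches are older than 30 days")
    return ("deny" if reasons else "allow"), reasons

# Constructed sample reports, evaluated at a fixed "now" so the result is reproducible.
NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
CLEAN = json.dumps({"reported_at": "2011-06-01T11:59:00+00:00", "av_running": True,
                    "av_signature_date": "2011-05-31T00:00:00+00:00",
                    "last_patch_date": "2011-05-15T00:00:00+00:00"})
STALE_AV = json.dumps({"reported_at": "2011-06-01T11:59:00+00:00", "av_running": True,
                       "av_signature_date": "2011-05-01T00:00:00+00:00",
                       "last_patch_date": "2011-05-15T00:00:00+00:00"})

if __name__ == "__main__":
    for name, rep in (("clean", CLEAN), ("stale_av", STALE_AV), ("missing", None)):
        print(name, evaluate_posture(rep, NOW))
```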
Networking pros are just beginning to implement the added security on the campus' local wired and wireless networks but are interested in extending the security boost to remote connections, she said.
"Making sure that the security is end-to-end -- the client workstation all the way to the data center -- and that it's easy to use are the two top things we're always looking for," she said. "The experience [should be] easy and straightforward so that they don't have to stand on their and count to 30 [to ensure] that it's a secure connection end-to-end."
Let us know what you think about the story; email: Jessica Scarpati, News Writer.