Doshisha Women’s College of Liberal Arts (DWCLA) migrated its core internal IT systems to the cloud and deployed Office 365 in September 2016. It chose F5 BIG-IP solutions to consolidate network equipment in a private cloud solution and enable SSO for access to multiple discrete systems. DWCLA aims to fully exploit all the functionality BIG-IP solutions have to offer going forward.
More and more academic institutions are making use of the cloud. It plays a crucial role in helping them reduce costs and use IT efficiently in the tough business conditions stemming from a shrinking pool of enrollees. One challenge for these organizations is user authentication for systems that have become increasingly complex, and single sign-on (SSO) is ideal for combining security and convenience. DWCLA chose BIG-IP solutions to lay the groundwork for using SSO to access diverse application systems.
“We started considering BIG-IP solutions to virtualize the internal-administration and some other servers, which were housed in a private cloud, to consolidate them. This led to discussion of migrating the networking hardware in the server room to the private cloud as well,” explains Toshihiko Chonan, head of network infrastructure at the college. He recalls, though, that with limited usable rack space, migrating the firewall, load balancer, switches, and other equipment in use at the time was not feasible without some changes. “We had to consolidate the hardware to house the network equipment in the private cloud. That’s where the BIG-IP solutions came in—they were a great fit for our needs.”
At the same time, the college was moving forward with a project to migrate internal email accounts to Office 365, which meant user authentication for the email system had to link up with the college system. On top of that, the college was scheduled to replace its internal authentication system and SSL VPN equipment. The timing was ideal for reviewing the authentication system in general. “The BIG-IP solutions let us consolidate the hardware, use SSO with diverse systems, and run SSL VPN. We could also add security features such as a WAF in the same housing, making it the perfect choice for the longer term,” says Chonan.
The college deployed BIG-IP solutions and started integrating its systems in July 2016. The firewall and load balancer, previously built on other vendors’ products, were migrated to BIG-IP LTM, and both were consolidated with SSL VPN functionality on the BIG-IP platform. In addition, a new college portal using BIG-IP Access Policy Manager (APM) was set up. The portal’s SSO takes care of user authentication and uses BIG-IP APM to automatically log users into the college’s other systems. This setup is unique in that BIG-IP APM forwards user authentication data to each college system on users’ behalf to give them access.
When users access the portal, they get a screen asking for their user ID. Once they’ve provided it, they’re asked for their password, which is checked against credentials on the internal LDAP servers for authentication. With authentication complete, a list of available systems appears on the screen. The user selects the systems he or she wants to access, and BIG-IP APM forwards the user’s authentication data using POST, which each target system then uses to authenticate the user.
This exchange of authentication data (using POST) can be performed by using either the standard features of BIG-IP APM or JavaScript, depending on how the target system processes logins. The system also displays the RSS feed on the portal page and the character mascot VIVI on the college home page.
Office 365 authentication is linked to Active Directory (AD) and AD Federation Services (ADFS). The system also enables IEEE authentication for the college Wi-Fi network using AD and RADIUS. The new network services went live in September 2016, with only two months needed to set up all these features and functions.
Deploying BIG-IP solutions allowed DWCLA to save space by consolidating hardware, substantially reduce administrative and operational tasks, and even lay the groundwork for providing single-point entry to multiple university systems. Looking ahead, DWCLA hopes to eventually take full advantage of all the features the BIG-IP platform provides.
Deploying the BIG-IP platform to consolidate equipment saved considerable space. “It reduced the number of logins for network administration too,” comments Mitsuaki Okuda of the network infrastructure section. Using just one vendor also facilitated the inquiry process when there were problems or questions.
The solution provided the basic framework for using SSO to access a diversity of systems. The college has already enabled SSO for its administrative and library systems, the WebDAV environment, and Webmail, and plans to extend SSO to other systems in stages going forward. “We’re using ADFS for Office 365 authentication, but we’re considering an access process leveraging BIG-IP APM and SAML in the future,” says Kenji Akashi, a team leader in the network infrastructure section responsible for deploying and integrating Office 365.
BIG-IP Advanced Firewall Manager (AFM) made it possible to protect against DoS and DDoS attacks, and the college is keen to utilize other BIG-IP features as well. It plans to deploy BIG-IP DNS by March 2017 to migrate BIND to the BIG-IP system, which should resolve BIND vulnerability issues. The college is also considering the use of F5 IP Intelligence Services and BIG-IP Application Security Manager, a web application firewall. “The BIG-IP solutions have huge potential,” says Chonan. “Most important in this project is fully exploiting them all.”