When Canadian food distributor George Weston Limited moved to Microsoft Office 365, it chose F5 Application Delivery Controllers to centrally manage user traffic to its Active Directory Federation Services (ADFS) servers. The solution ensures availability of ADFS for user authentication and authorization, and it gives users quick, reliable access to Office 365.
Founded in 1882 in Toronto, Ontario, George Weston Limited (GWL) is one of the largest food processors and distributors in North America. GWL and its affiliates—which include apparel, furniture, and housewares companies—employ nearly 150,000 people worldwide.
With the company’s operations centralized in Toronto, GWL employees outside of Canada had to connect to the corporate network via VPN to access email, internal applications, and data—and even to browse the Internet. “Using a VPN was cumbersome for users, and they had to remember multiple usernames and passwords to log into different systems and access various corporate resources,” says Alex Gaul, IT Manager.
As a long-time user of Microsoft Exchange Server and Outlook, GWL wanted to make it easier for people to work collaboratively regardless of their location. For example, if the company wanted to launch a product in Europe that had been successfully launched in Canada, ideally it wanted workers and contractors in both locations to be able to communicate and share information with each other.
“In the past, people emailed plain-text files to each other as attachments, or they posted them online using a web-based file hosting service such as Dropbox,” says Gaul. “This created security concerns as we had potentially confidential information leaving our organization and being stored on the Internet without any protection or encryption. We were also concerned about ease of use for employees and how the lack of an efficient collaboration tool negatively impacted their productivity.”
To solve both of these issues, GWL decided to move from its locally managed Exchange Server deployment to Microsoft Office 365, a subscription-based service that provides hosted versions of familiar Microsoft applications. “Office 365 would make it easier for employees to work together no matter where they are in the world,” says Gaul. “They could connect to Office 365 using only a browser, and they wouldn’t have to remember multiple usernames and passwords to access email, SharePoint, or other internal-only applications and file shares.”
Even though Office 365 runs in a Microsoft-hosted cloud environment, user authentication and authorization are still done locally by federating on-premises Active Directory with Office 365. Organizations subscribing to Office 365 deploy Active Directory Federation Services (ADFS) on premises, and ADFS then authenticates users against Active Directory.
“Once we made the decision to move to Office 365, we knew it would be essential to ensure the availability of ADFS. Without that, users would have no access to email or other resources—even if they were working in one of our offices directly connected to the corporate network—because Exchange would no longer be running locally,” says Gaul. In fact, Microsoft best practices call for ADFS traffic to be load balanced, so GWL needed to find a reliable traffic management solution such as F5 BIG-IP Local Traffic Manager to provide high availability.
GWL evaluated products from the best-known Application Delivery Networking vendors and ultimately chose an F5 solution. “Much of the functionality F5 offered was simply not available from other vendors,” says Gaul. “F5 was also able to deliver the solution very quickly, and that was a critical requirement for us.” Carl Hayes, Senior Account Executive at The Herjavec Group, an F5 UNITY Partner, adds, “F5’s commitment to professionalism and its demonstrated ability to act quickly provided our client, GWL, the assurance it needed to move forward with this initiative.”
In both its primary and secondary data centers, GWL deployed F5 BIG-IP Application Delivery Controllers running BIG-IP Local Traffic Manager (LTM), which intelligently manages all ADFS traffic across the ADFS servers. One pair of BIG-IP devices sits in front of GWL’s servers in the core network; another pair sits in front of GWL’s ADFS proxy servers in the perimeter network. By managing traffic to and from both the primary and proxy ADFS servers, the F5 devices ensure availability of ADFS—and thus, Office 365—for both internal and external (federated) users.
To provide for disaster recovery, GWL also deployed BIG-IP Global Traffic Manager (GTM) devices in the perimeter network at each data center. BIG-IP GTM scales and secures the DNS infrastructure, provides high-speed DNS query responses, and also reroutes traffic when necessary to the most available application server. Should GWL’s primary data center ever fail, BIG-IP GTM would automatically reroute all traffic to the backup data center. BIG-IP GTM also load balances ADFS across data centers to provide cross-site resiliency.
F5 Professional Services assisted in the design, installation, and configuration of the BIG-IP LTM and BIG-IP GTM solution to provide load balancing and service resiliency across the data centers. “The F5 Professional Services consultants provided hands-on knowledge transfer of the F5 implementation and enabled our staff to manage and troubleshoot the environment,” says Harald Ujc, Director of IT at George Weston Limited.
The F5 solution is enabling GWL to make a quick migration to Office 365, ensuring users worldwide will always have reliable access to email, corporate applications, and data.
Because email is a mission-critical application for most organizations, it is typically deployed on premises. But GWL believed the trend toward cloud-based enterprise applications like Office 365 offered distinct advantages. “There was no question in our minds that Office 365 would make it easier for people to work collaboratively,” says Gaul. “We just needed to ensure our ADFS servers were always available, and with F5, we were able to do that.”
Speaking of the complete F5 solution, Mirek Glowacki, Senior Manager of Infrastructure Technology Group at GWL, says, “We would not have been able to move to Office 365 without our F5 solution. Using both BIG-IP LTM and BIG-IP GTM, we can effectively load balance ADFS traffic not only within but across our data centers. F5 provides the high level of reliability and availability we need.” He adds, “The BIG-IP GTM devices are critical because they constantly monitor the health of the entire infrastructure and eliminate single points of failure by routing traffic to the best performing servers.”
Once GWL decided to migrate to Office 365, it did so on a very aggressive timeline. “F5’s Professional Services deployed this solution in record time, and that was a huge benefit to us. In fact, ensuring a smooth and quick deployment was one of the deciding factors when we chose F5 as our vendor,” says Gaul. GWL purchased the F5 solution in late December 2012, the equipment arrived on site the first week of January 2013, and the project work promptly began the following week. “We were very impressed with F5’s ability to meet our timeline, and with the way their onsite consultants worked in concert with Microsoft to deliver the solution. Both parties worked closely with each other to ensure everything was working properly; the entire solution was tested and deployed within a couple of weeks.”
Initially, GWL thought it would have to deploy ADFS in multiple locations worldwide to serve its widely dispersed operations and affiliates. But with the F5 solution, the company was able to deploy ADFS only in its primary and backup data centers in Toronto. “That’s very important, because it gives us a single point of control from which we can authenticate users and manage the ADFS environment,” says Glowacki. “I don’t know how we would have implemented this solution without F5; it would have been a nightmare to manage otherwise.”
In the near term, GWL expects to support up to 16,000 Office 365 users, and the existing F5 deployment is able to handle up to 32,000 users. That will give GWL much-needed flexibility in the future.
For GWL, migrating to Office 365 is the first step in an ongoing project. In the future, GWL plans to implement a Lync 2013 VoIP solution to augment Office 365 so that both internal and external users can collaborate easily using voice, instant messaging, video chat, and content sharing capabilities.
“The F5 solution is doing exactly what we need it to do today for Exchange Online, and it will provide the perfect platform for us to use Lync 2013 in the future,” says Ujc. “When that happens, the F5 devices will manage our Lync VoIP traffic the same way they currently do for the Office 365 services.”