Fresno Unified School District (FUSD) needed to replace an aging Cisco ACE load balancer with an advanced intelligent traffic management system. Impressed with the modular architecture of F5 solutions, FUSD chose to upgrade security as well. Now FUSD handles more than one full-time employee's worth of additional work related to security and application delivery.
The Fresno Unified School District (FUSD) is responsible for educating more than 73,000 students and has nearly 9,500 staff. To fulfill its mission of preparing career-ready graduates through high-quality instruction, FUSD continually strives to maintain efficient, cost-effective technology solutions, and in 2014, the district began a series of IT upgrades.
“Improving the reliability and performance of our student information system was the initial organizational driver of the project. We wanted to continue to provide a consistent experience in light of growing user demand, regardless of which web or application front end a user might access,” explains Philip Neufeld, Executive Director of Information Technology for the Fresno Unified School District. “We also sought to protect the data that’s in our student information system.” This would include adhering to the Federal Information Security Management Act and other regulatory requirements.
As FUSD explored performance and security, it realized that those issues affected more than just the student information system. For example, Neufeld says, “When it came to load balancing in particular, we had to repeatedly fuss with the architecture behind the scenes to support much of our third-party software.” This was a major obstacle for the management of the district’s enterprise applications, such as Microsoft Exchange Server and its two enterprise resource planning (ERP) solutions. “The existing architecture based on Cisco ACE had reached end of life and needed to be replaced with a solution that the school district’s ERP vendors trusted.”
Neufeld also wanted to reduce the number of security solutions because maintaining multiple, disparate security solutions, including a Cisco-based firewall and Microsoft Forefront Unified Access Gateway, was cumbersome and labor-intensive. “We wanted fewer security toolsets, which would improve manageability, but still provide strong protection.”
To address these challenges, FUSD adopted the F5 BIG-IP platform as its application delivery controller technology. A primary reason for the choice was the ability to add multiple BIG-IP product modules to a single BIG-IP device to support several networking and security functions. “That’s why F5 stood out,” says Neufeld. “In the past, a single appliance could do a single function. But the world has changed—we want to do more on one box.”
He emphasizes the point using virtualization as an analogy. “Our IT team was already virtualizing the data center, so virtualization of storage and compute resources was part of our mindset,” says Neufeld. “A box can do more than one thing. So, for instance, why shouldn’t we expect that of our security vendors and appliances?”
To support its intelligent traffic management requirements, the district standardized on F5 BIG-IP Local Traffic Manager (LTM). “We love LTM and use it for all of our enterprise applications,” says Gary Gonsalves, Systems Engineer for the Fresno Unified School District.
Next, FUSD plans to expand its use of F5 BIG-IP Access Policy Manager (APM) to support single sign-on capability. F5 BIG-IP Advanced Firewall Manager (AFM) will better support virtual private networking and better separate the district’s data center from the rest of its network. The district is also supporting automation and customization by using the F5 iRules scripting language and F5 iApps (the user-customizable framework for delivering applications).
By standardizing on F5 BIG-IP solutions that include traffic management and security, the Fresno Unified School District gains a flexible IT architecture that’s easier to manage and offers stronger protection of and better visibility into critical systems.
According to Neufeld, standardizing on F5 solutions gives FUSD access to support from a broader base of partners and vendors, such as those for its ERP applications in Human Resources and Finance. This makes it easier to design the IT architecture that delivers these applications. “When we said, ‘We’re moving to F5,’ other application vendors were more willing to talk to us about possible application problems, and we were able to create more rational architectures behind the corresponding F5 device,” says Neufeld. “Similarly, vendors can likely rule out load balancing as a problem because we’ve standardized on a top player in the traffic management business.”
Neufeld also cites the flexible modular design of BIG-IP as a key benefit in planning IT projects. “With F5, we can choose the modules we want and how and when we deploy them in a phased manner. That gives us time to find the people who know the specific technology involved and who will be available when the project starts.”
Gonsalves explains the flexibility benefit of BIG-IP from a physical location perspective—that is, the freedom to place a device centrally in the network or at an entry point into the network. “When we first considered upgrading, our initial goal was to replace our Cisco edge device with one from F5,” he says. “We soon realized that by putting the device in a core location—the central part of our data center and network—we can make the most of F5 features while still leveraging our institutional knowledge of Cisco technology.” This is important because much of the district’s network is based on Cisco products.
Improved IT productivity has always been a key driver for FUSD projects, and time-saving automation is an important way to achieve that productivity. FUSD takes advantage of iRules and iApps templates to enforce application standards and quickly deploy application instances (copies of the program running simultaneously).
“iApps and iRules have simplified a lot of my work,” explains Gonsalves. “For some setup tasks, I used to spend several hours to several days trying to write the necessary scripts, testing them, then more tweaking and testing. Now, with an iApp, the same work takes five minutes, 15 minutes at most.”
For example, Gonsalves recently set up load balancing and monitoring for the district’s DNS, LDAP, and on-premises versions of Microsoft Exchange, Lync, and SharePoint Server, and none took more than 15 minutes.
FUSD expanded its initial upgrade project to include security after recognizing the strong security-by-design of its F5 solution components. An upgraded firewall was key. Says Neufeld, “The danger of an old firewall is that it’s obtuse—and I use that word intentionally. It doesn’t know, or won’t tell you, if you have an incorrect configuration or if an intrusion or other security problem has occurred. We had to replace it.” Now, with BIG-IP AFM (and security capabilities built into BIG-IP LTM), Neufeld says confidence levels are high. “We’ve had one DDoS attack for which we didn’t even have to intervene. The F5 solution did that for us, and we know that because we’ve got good reporting on the event.”
Neufeld also appreciates the F5 approach to security in general. “Security is not just about the hardware. It’s about the software that sits on the hardware, the software’s capabilities, and the viability and ongoing security posture of the vendor we choose,” he says. “F5 is always asking itself, ‘What’s going on in emerging security threats? How do we improve product security? How do we get the right malware signatures and the right algorithms?’ Long-term confidence in a security solution and in its ongoing support is just as important as the devices we initially buy, and F5 provides this.”
With BIG-IP LTM, reports on traffic flow, connections, loads, and other metrics are now faster to access and simpler to read. Plus, they provide greater network visibility. “If developers need to know how much traffic is going to specific front ends, for example, they can get that information easily.”
Neufeld adds that the reporting also helps FUSD find bottlenecks and rule out load balancing as a source of bottlenecks. “Given that we have such good visibility around what is going through our core, we know where to focus on resolving throughput issues,” he says. Similarly, he notes that BIG-IP LTM provides “the analytics to know what other components the team needs to upgrade.”
FUSD estimates that comprehensive monitoring and reporting on traffic management and firewall activity makes it possible to absorb the increased demand for security vigilance while freeing up staff to tackle more challenging projects.
Although the district’s F5 solution deployment is not yet complete, Gonsalves concludes, “There’s definitely more satisfaction and joy in my job now.”