Facebook, the world’s largest social networking site, needed to ensure that its remote access portal and Citrix XenApp virtual application environment could provide fast, reliable connectivity and performance—without becoming a pathway for network intrusion and data theft.
By deploying an F5 solution that provides tight XenApp integration and unique three-factor authentication, Facebook was able to connect remote employees, vendors, consultants, and partners to applications and web services quickly and reliably, without risk to sensitive user data.
Facebook’s IT department, which makes corporate applications available to vendors, consultants, and partners via Citrix XenApp, wanted to optimize the performance and availability of its XenApp virtual application environment, as well as upgrade the security of its remote access portal. “Because Facebook is a huge target, we must be able to positively identify every user connecting to our remote access portal and corporate applications,” says Simon Blackstein of Facebook’s corporate IT infrastructure team.
Facebook’s existing virtual private network (VPN) and two-factor authentication were simply not up to the job. “We found a VPN to be too blunt a tool for identifying users and restricting access,” says Blackstein. “We needed a better solution for remote access and authentication than Citrix or other vendors could provide.” In its search, Facebook found that many solutions could authenticate the validity of login passwords and certificates separately, but not verify that each belonged to the same user. Facebook sought a third level of authentication that would verify that a portal user was logging on from a valid IP address—a feature that was very difficult to find in any identity solution. “We wanted much smoother integration with our Citrix XenApp environment and more control over user access to individual services.”
Finally, Facebook needed a solution that would be easy to use for both the IT department and the average user. “We’re a fast-moving company that needs to get partners and consultants on board and working quickly. We were looking for a configuration and user experience with as few steps and as much ease of use as possible,” says Blackstein.
After investigating many different application delivery, identity, and security solutions, Facebook chose three clustered pairs of F5 BIG-IP 8900 devices running BIG-IP Local Traffic Manager (LTM), and one pair of BIG-IP 3900 devices running BIG-IP LTM with BIG-IP Access Policy Manager (APM). This solution sits in front of Facebook’s remote access user and partner portal, where it optimizes XenApp application performance, scalability, and reliability, while providing unique three-factor authentication that matches a user’s login information with his or her unique certificate and origin IP address. The F5 solution also offers fine-grained control of user access to web services.
The F5 BIG-IP solution won over Blackstein with its ease of installation, tight integration with Citrix XenApp, and powerful iRules scripting language. “We had a faceoff between BIG-IP LTM with APM and a competing solution, and BIG-IP blew away everything the other vendor could do,” says Blackstein.
Deployment was smooth and took only a few weeks, according to Blackstein. “It was incredibly easy to get started, integrate with XenApp, and build the highly customized solution we needed for authentication.
Anyone with any level of scripting knowledge can write highly customized iRules, and the DevCentral website provides examples of iRules scripts from thousands of users that are tremendously useful.”
Blackstein also found that F5 was easy to work with. “F5 doesn’t have the ‘one-size-fits-all’ mentality of many vendors,” says Blackstein. “We told F5 what we were looking for, they understood what we needed and why, and were there to help us build it.” Facebook also used iRules to customize and streamline its portal interface so the solution would be as easy as possible for its users.
Facebook has realized numerous business benefits from its BIG-IP implementation, including reliable integration with its XenApp deployment; powerful authentication and security; and easy configuration and access for outside consultants.
Because the BIG-IP solution is so well-integrated with its XenApp deployment, Facebook can easily apply security policies across both solutions from a central location. “We were warned by some that it might be difficult to make BIG-IP and XenApp solutions play well together, and we wouldn’t get the level of support we needed since we’d have to work with two different vendors,” says Blackstein. “They couldn’t have been more wrong. F5’s solution plays very well with XenApp. F5 keeps up with XenApp changes, and support has been excellent from both vendors. The result is that portal users can get to their applications quickly, easily, and reliably rather than feeling left on their own, as they often do when they come into a network on a traditional VPN.”
By taking advantage of the traffic management and server health checking features of BIG-IP LTM, Facebook has seen improved application performance and reliability. “This portal is a mission-critical service for us,” says Blackstein. “Many of our vendors—as well as our call centers—are in different geographies and time zones, so they’re still working while we’re asleep. That means the portal can never be down—at night, for maintenance, or because of an outage.” Blackstein’s team also appreciates that it can take machines in and out of service while the F5 solution ensures constant application access. “Citrix does a great job of virtualizing applications, but F5 does a better job overall of delivering them quickly and reliably over the network.”
With the powerful three-factor authentication offered by BIG-IP APM and customizable iRules, Facebook provides a level of security for its remote access portal that’s far superior to anything it could have achieved using other solutions. “The sophisticated authentication process we achieved with F5 has helped us eliminate immeasurable risk to our users and our business,” says Blackstein. “By enabling us to match up login information with certificates and source IP addresses in record time, our portal users are no longer invisible citizens on the network. F5 gives us a much better understanding of what is appropriate use for our web services.”
“Outsourced projects often come about because we have an urgent need for a specific service,” says Blackstein. “That means we need to get the vendor online with secure access quickly—without giving them too much access, of course.” Using BIG-IP APM and iRules, Facebook developed a fast, turnkey method for getting new partners and consultants up and running with the appropriate level of access.
“In all, the F5 solution was uniquely equipped to handle the proxying, load balancing, and robust authentication, and also deliver security at the level of customization that we needed,” says Blackstein.
Pleased with the results of its BIG-IP implementation, Facebook is planning to take advantage of F5’s customizable web interface for XenApp to refine and streamline application access even further. “The advantage of using the F5 solution is that you can put together a custom portal that isn’t constrained by the Citrix web interface—it can be whatever you need it to be,” says Blackstein.
Facebook is also planning to deploy BIG-IP Global Traffic Manager (GTM) to support its corporate messaging infrastructure and as part of its strategy for migrating applications to a new data center without any disruption to business application access.