4-page Case Study
Posted: 1/14/2008

PGGM Pension Provider Boosts Security, Replaces Virtual Private Network with Secure HTTP

Based in Zeist, the Netherlands, PGGM manages about €90 billion (U.S.$130 billion). For years, employees had used a virtual private network (VPN) to connect to IT resources from remote locations. However, the VPN introduced several security risks. Workstations infected with a virus could easily infect the network, and sensitive data could be compromised if downloaded onto an unmanaged workstation. In 2007, PGGM replaced its VPN with a Web-based solution supported by Terminal Services in the Windows Server® 2008 operating system. The solution allows workstations to use HTTP over Secure Sockets Layer (HTTPS) to connect to data and applications that remain behind the corporate firewall. As a result of its solution, PGGM has boosted network security and employee productivity, simplified system management, and made it easier for people to access the resources they need.

Situation

“By deploying Terminal Services in Windows Server 2008, our network is more secure. We no longer have unmanaged clients accessing our network.”
Immanuël Noorman, Information Communication Technology Architect, PGGM

PGGM provides retirement benefits to more than 2 million current and former employees in the healthcare and social work sectors of the Netherlands. The company has about €90 billion (U.S.$130 billion) assets under management in worldwide equities, fixed-interest securities, real estate, private equity, and commodities. The company employs approximately 1,000 people at four sites in the Netherlands, including the corporate headquarters in Zeist.

The majority of employees at PGGM work primarily from a corporate office. However, 50 employees who manage the company’s external assets spend most of their time at remote locations across the Netherlands and abroad. These mobile employees rely on portable computers and a virtual private network (VPN) to access resources in the PGGM network. Approximately 150 additional employees use the VPN to access their office desktop or a terminal server from home or other locations. In addition, approximately ten third-party companies access pension information over the VPN.

Administrators work to help ensure that the portable computers used by mobile employees have up-to-date virus and firewall protection. However, the workstations that employees use to access the VPN from home or from other remote locations are considered unmanaged because administrators lack control over the systems and have no way to know if the computer’s virus protection software or firewall is running or up to date. An infected system that connects over the VPN can quickly spread a virus or worm to the entire network.

Data integrity was another issue. To work from a remote location, employees downloaded data from the PGGM network to their workstation. However, if an employee did not maintain the firewall or virus protection services, sensitive data downloaded from the PGGM network could be compromised.

The VPN presented other challenges as well. To connect to the network from a remote location, the employee’s workstation needed to have the VPN client installed on it. This took time, and occasionally administrators had to help employees deploy the client. Also, if an employee happened to be at a remote location but did not have access to his or her system with the VPN client, the network could not be accessed. In addition, administrators had to help employees maintain their remote systems with the latest version of productivity applications such as Microsoft® Office Word 2003 and custom business applications that could not be easily accessed over the VPN.

Although PGGM had used a VPN for years without any major issues, IT personnel sought a safer and easier way to allow for remote access. In January 2007, PGGM learned about enhancements to Terminal Services in the Windows Server® 2008 operating system that could address all of these issues. “The Terminal Services solution in Windows Server 2008 immediately caught our attention,” explains Immanuël Noorman, Information Communication Technology Architect at PGGM. “It allows users to connect remotely to the PGGM network without introducing risks posed by unmanaged clients.”

Solution

“We have not encountered any great challenges planning or deploying our Terminal Services pilot environment running on Windows Server 2008. The whole process has been very straightforward.”
Immanuël Noorman, Information Communication Technology Architect, PGGM

Terminal Services uses the Remote Desktop Protocol (RDP) and HTTP over Secure Sockets Layer (HTTPS) to connect remote users to a specific network resource, such as a workstation. Administrators specify which resources a remote user can access. Administrators can also use Windows Server 2008 to define Network Access Protection health policies for remote clients. Only workstations that comply with the health policies can access resources.

Terminal Services can communicate with any authorized Internet-connected device that runs Remote Desktop Connection 6.0, a built-in component of the Windows® XP Service Pack 2 and Windows Vista operating systems. Once a connection is established, the remote employee works on the computer within the PGGM network, rather than downloading data across the VPN and working on it locally.

In June 2007, PGGM decided to deploy Terminal Services in Windows Server 2008. To help with the deployment, the company engaged Microsoft Services consultants. One architect from PGGM worked with one Microsoft Services consultant to create a vision and scope for the deployment of Terminal Services Gateway. In August 2007, the team designed the solution infrastructure and built the test environment on five HP ProLiant BL480c server blade computers with dual-core Intel processors.

All five server computers run the Windows Server 2008 Enterprise 32-bit operating system and are configured to run the Terminal Services role, though the systems are set up to manage different services. For example, two server computers are configured to run the Terminal Services Gateway service. These computers allow remote users to connect to resources on the PGGM network. Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition publishes the gateways to the Internet and helps in network load balancing.

Two server computers are configured to run Terminal Services RemoteApp™. These systems host desktop applications, such as Microsoft Office Professional Edition 2003 and Adobe Acrobat, for use by remote users. When an employee establishes an HTTPS connection, he or she can launch an application, such as Microsoft Word, hosted on a terminal server. Although the application appears to run on the local system, it actually runs on the terminal server inside the PGGM network.

The remaining server computer runs the Terminal Services Licensing service. This system manages the Terminal Services client access licenses for devices and users that connect to a terminal server. In addition, the Terminal Services Licensing service is used as the session broker for load balancing.

In September 2007, the team deployed the new environment to 40 pilot users, including IT personnel. “We have not encountered any great challenges planning or deploying our Terminal Services pilot environment running on Windows Server 2008,” notes Noorman. “The whole process has been very straightforward.”

PGGM expects to expand its new solution within the next several months to all employees who work from remote locations. In addition, the company will migrate additional server computers to Windows Server 2008 early next year. Other plans for 2008 include the deployment of Microsoft SoftGrid® Application Virtualization and Microsoft Office Professional 2007. SoftGrid Application Virtualization works with Terminal Server to give all employees access to one centralized copy of an application. As a result, employees do not have to install and run an application source on their workstations. Instead, they access a virtualized copy of an application from a central repository.

Benefits

By deploying Terminal Services in Windows Server 2008, PGGM has been able to improve network security, increase employee productivity, enhance the access to resources from remote locations, and simplify system management.

“Our people can be more productive as a result of Terminal Services in Windows Server 2008. They can do their work from any place as long as they have a computer with an Internet connection.”
Immanuël Noorman, Information Communication Technology Architect, PGGM

Strengthens Security

The VPN introduced several security risks. Unmanaged desktops could infect the network, and data stored outside of the PGGM network was unsecured. Today, workstations that do not conform to health policies are immediately identified and prevented from network access. In addition, remote employees work directly on the systems inside of the PGGM network, so sensitive data remains protected behind the corporate firewall.

“By deploying Terminal Services in Windows Server 2008, our network is more secure,” explains Noorman. “We no longer have unmanaged clients accessing our network. This means we don’t risk getting infected with spyware or viruses as we used to with our old VPN connection.”

Increases Productivity

Before the solution, employees had to download and upload documents over the VPN. Today, because remote employees use the applications and data that reside inside of the PGGM network, they don’t have to wait for file transfers. In addition, remote employees do not have to keep track of which files are current. And if employees want to use a different computer to access the PGGM network, they can do so without installing an additional VPN client. As a result, employees can get the information they need—when and where they need it.

“Since we deployed Terminal Services Gateway in Windows Server 2008, we are more flexible in providing a remote connection to the PGGM network,” explains Noorman. “People no longer need a VPN client on their desktop to make a connection—they only need a computer that has the Remote Desktop Protocol. And because most computers already have RDP on it, this is not an issue as it was with the VPN client. This means it’s less intensive to set up remote users—and it’s easier for remote workers to access their desktop to do their work.

“Our people can be more productive as a result of Terminal Services in Windows Server 2008,” Noorman continues. “They can do their work from any place as long as they have a computer with an Internet connection. When we relied on a VPN connection, employees were limited in which applications they could access. With the RDP connection, it makes it possible for employees to do any of the work that they need to do, remotely.”

Enhances Access to Resources

The PGGM terminal servers provide a centralized repository for basic business applications. As a result, employees can gain access to their office environment from any location while they enjoy the same level of performance.

In the future, PGGM will expand on this virtualized application model when it deploys SoftGrid Application Virtualization. By doing so, employees inside and outside of the PGGM network will be able to access virtualized copies of centralized applications, rather than have to run individual copies on their hard drive. Centralized copies of applications will help guarantee that all employees have access to the latest software tools.

Simplifies System Management

Windows Server 2008 eliminates or minimizes many tasks that system administrators used to perform. They no longer have to help employees install VPN clients or maintain client licenses for software that runs on remote systems. In addition, Windows Server 2008 provides tools that administrators can use to gain greater insight into the health and performance of server computers.

“We expect to be able to streamline the management of our overall solution with Windows Server 2008,” says Noorman. “One reason for this is that the tools are better than those in Windows Server 2003. For example, we really like the new Server Manager. It provides a single place where we can go to get a good overview of the system and what we can do with it. This makes it much easier for system administrators to do their jobs.”

The enhanced system management, security, and remote access capabilities will eventually translate into monetary savings. “Although it’s too early to collect these figures, we expect to lower the total cost of ownership as a result of Windows Server 2008,” concludes Noorman.

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

For more information about PGGM products and services, call +31-302779911 or visit the Web site at:
www.pggm.nl

Windows Server 2008

Windows Server 2008, with built-in web and virtualization technologies, enables you to increase the reliability and flexibility of your server infrastructure. New virtualization tools, web resources, and security enhancements help you save time, reduce costs, and provide a platform for a dynamic and optimized datacenter. Powerful new tools like IIS 7.0, Server Manager, and Windows PowerShell, allow you to have more control over your servers and streamline web, configuration, and management tasks. Advanced security and reliability enhancements like Network Access Protection and the Read-Only Domain Controller option for Active Directory Domain Services harden the operating system and protect your server environment to ensure you have a solid foundation on which to build your business.

For more information, go to:
www.microsoft.com/windowsserver2008

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published January 2008


Solution Overview



Organization Size: 1000 employees

Organization Profile

Headquartered in Zeist, the Netherlands, PGGM provides pension packages for more than 2 million people. The company has about 1,000 employees.


Business Situation

Remote employees accessed the PGGM network over a virtual private network (VPN). Because of the risks posed by unmanaged desktops, PGGM wanted to implement a more secure solution for remote access.


Solution

PGGM replaced its VPN with a solution built on Windows Server® 2008. The solution provides direct access to network resources over an HTTPS connection and helps prevent unhealthy clients from connecting to the network.


Benefits
  • Strengthens security
  • Increases productivity
  • Enhances access to resources
  • Simplifies system management

Hardware
  • HP ProLiant BL480c server computers
  • Intel dual-core processors

Software and Services
  • Windows Server 2008
  • Microsoft Internet Security And Acceleration Server 2006 Enterprise Edition
  • Microsoft Application Virtualization
  • Windows Server Remote Desktop Services

Vertical Industries
Capital Markets/Securities

Country/Region
Netherlands

Languages
English
