General Information
Request Title: DHS|OHA – Leverage Citrix NetScalers for Proofpoint Enterprise Requirements
Request Summary:
OIS Shared Services is implementing Proofpoint Enterprise to replace Tumbleweed Secure Messenger, which is end-of-life. Tumbleweed is a business critical service that secures outbound email, keeping both DHS and OHA in compliance with both state and federal regulations. Tumbleweed also scans inbound email for spam, malware, and viruses. There is an urgency to implement Proofpoint due to recent increases in secure email traffic as well as the agency-wide litigation hold on all email communications. Tumbleweed is at capacity for storage and processing of business critical email and is in an extremely fragile state requiring constant attention and care. Proofpoint’s implementation provides a scalable and manageable solution that meets legal and regulatory compliance obligations.
DHS|OHA also relies on 2 other end-of-life solutions, Cisco ACE and Microsoft’s Forefront Threat Management Gateway. ETS manages the Cisco ACE, which provides application load balancing and redundancy to Tumbleweed. DHS|OHA manages Forefront TMG, which provides external connectivity, security and authentication to internal applications. While Tumbleweed does not currently leverage Forefront TMG for this service, Proofpoint will require a reverse proxy. Tumbleweed currently accepts direct connections based on a URL sent in an email.
Proofpoint will instantly be a business critical system when it replaces Tumbleweed. Having Proofpoint rely on 2 end-of-life solutions puts the business at risk of its email environment becoming an “island” if email cannot be sent inbound/outbound, and of additional loss of productivity if recipients cannot connect to Proofpoint to view their secure messages. DHS|OHA’s Microsoft Exchange environment only accepts/sends email with their secure email solution.
DHS|OHA requests to leverage their Citrix NetScalers that were implemented as part of their Citrix upgrade project. Citrix NetScalers are a Gartner leader in the “Magic Quadrant” for application delivery and will provide DHS|OHA with a sustainable solution with already contracted support and a collective internal knowledge of the product by many teams inside the agency. The NetScalers are in full production mode and the only requirement of ETS is implementing the necessary firewall rules.
Citrix NetScalers will provide the following:
- Reduce 2 end-of-life solutions into 1 current and sustainable solution
- Layer 7 technology (http://en.wikipedia.org/wiki/OSI_model)
  o Layer 4 load balancing and layer 7 application delivery
- Agency ability to manage load balanced servers as needed
  o Agency is not currently able to remove a server from service for patching, this can cause connectivity issues to end-users
- Agency ability to view health monitors for servers serviced by the NetScalers
  o Agency cannot quickly identify system issues adding to resolution time
- Granular configuration for load balancing and reverse proxy needs
  o Reduces the need for extra DNS records and lowers cost on SSL (secure socket layer) certificates for encryption. Also, servers currently receive traffic based on a “ping” response from the server which can cause issues to end-users if the server is connected to the network but not servicing applications correctly
- Reduce environment complexity
  o Tumbleweed has many connectivity points and troubleshooting can be cumbersome
- Additional Information: Citrix NetScalers Platinum Edition
  o http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-data-sheet.pdf
Agency: DHS & OHA
Agency Contact: Rodney Dearmore
Phone: 503-884-4280
Email: [email protected]
Fax:
ETS Contact: Wayne Smith
Phone: 503-269-0449
Email: [email protected]
Fax:
Process Progress
Steps                 Date      Status
Initial draft         4/09/14   In-Progress
ETS Internal review   4/11/14   Complete
Final                 5/12/14   Complete
Analysis Checklist
Item Question Response
1. Has the customer interpreted the criteria correctly?
“The agency has a documented emergency need that the state data center cannot meet.”
DHS/OHA has identified an urgent need to upgrade their secure email system (hosted at the SDC) that has required, and still requires, load balancing to meet legal and regulatory requirements. ETS agrees that the current system is outdated and needs to be replaced as soon as possible.
“The agency has a business need that requires a solution that the SDC can not meet in a timely manner.”
ETS offers load balancing in its current hosting environment for customers which include the DHS email system, and is in the middle of an approved and funded migration of agencies onto a new load balancer (F5 – which is the leader in the Gartner Magic Quadrant). ETS’s plan has been to support both environments until the agency migrations are completed. Both environments support the DHS/OHA requirements and can handle the increased capacity. Additionally ETS currently offers server monitoring for this system.
The issue is they would like to take advantage of a tool they already purchased as part of their recent Citrix upgrade, supporting 50+ servers, that also has the capability to load balance and thus provide a self-supported solution that includes monitoring as well. They indicate they have the staff and funding to do this support.
2. Has the customer considered alternative solutions?
ETS has submitted a solution alternative to DHS/OHA that avoids duplicate use of tools and support in both DHS and ETS and that require different technical skill sets to support.
3. Has the impact to ETS capacity been evaluated?
ETS has the support capacity and additional system capacity to provide the solution alternative to DHS/OHA that utilizes the state standard load balancing.
4. Has the impact to ETS processes been evaluated?
If this exclusion is granted to the agency, ETS will need to:
- Modify and support different processes such as Disaster Recovery
- Modify and support more processes to support the functions that are partially supported by the agency and partially by ETS, and continue to support the standard solution for all other agencies.
This also decreases the future planned use of the standard solution being upgraded and already purchased, causing a ripple effect to other customers due to fixed investment.
5. Has the impact to ETS workload and priorities for service delivery been evaluated?
The solution alternative offered was planned into the workload and priorities. However, if the exclusion is granted to the agency, the state network would consist of different load balancing devices, which will increase the complexity of its daily management and impact ETS workload.
6. Has the impact to ETS FTE for ongoing support been evaluated?
ETS support for the standard load balancing solution takes 2 FTE, 24/7 365, covered by 6 positions. Allowing an exclusion that is non-standard and partially supported by both ETS and DHS/OHA would require at minimum a total of 3 FTE, covered by 9 positions, to provide system availability and recovery 24/7 365 for both solutions.
Feasibility of Providing Service at the ETS
ETS Recommendation and Considerations
1. The ETS agrees that it is in the best interest of the ETS and its customers to grant this exception.
Exclusion will be re-evaluated annually, or when a regularly scheduled review of all exemptions is conducted by the ETS and the ETS CIO Advisory Board.
Additional Conditions:
2. The ETS does not support granting this exception for the following reasons:
Denial is recommended. ETS agrees that Tumbleweed should be replaced by Proofpoint as soon as possible.
ETS currently supports multiple customers leveraging Proofpoint with standard ETS services. ETS has a similar situation with DoR’s IBM Data Power that is in place for application specific functionality that does not leverage Data Power load balancing capabilities. DoR understands the benefit of the ETS Load Balancing Standard.
ETS recognizes Citrix NetScaler as an industry standard for Citrix applications and it is in use today. Granting the exception for the NetScalers to utilize additional functionality will create unnecessary technology sprawl, move away from a standard, and will not leverage the state's investment in the firewall and load balancing solution.
Final
This request was withdrawn by the agency with the following conditions/responsibilities agreed upon for withdrawal.
Load Balancing (Cisco ACE or other—ETS monitors)
- Device up/down for unplanned outages (6AM-6PM)
- Peak CPU/memory utilization (threshold >80% sustained peak)
- Peak interface utilization (threshold in/outbound >70%)
Reverse Proxy (2008R2 Threat Management Gateway (TMG)—OIS monitors)
- Simple up/down for unplanned outages (anything between 6AM-6PM)
Secure Mail (Tumbleweed and/or ProofPoint—OIS monitors)