Project Brief
ENT040 – Remote Windows Server Management
Approvals
| Name | Role | Position | Date |
|---|---|---|---|
| Graeme Wood | Project Sponsor | Head, ITI Enterprise Services | 19/02/2019 |
| Murray Dippie | Service Owner, Senior User | ESW Team Leader, ITI Enterprise Services | 11/02/2019 |
| Heather Larnach | Senior User | Team Leader, ISG Technology Management | 21/02/2019 |
| Mark Lang | Senior User | Manager, ISG Development Technology | 05/03/2019 |
| David Graham | Senior Supplier | Head, ITI Communications Infrastructure Services | 28/02/2019 |
| Martin Campbell | Senior Supplier | Unix Systems Team Leader, ITI ENT | 06/03/2019 |
| Kenneth MacDonald | Senior Supplier | Unix Services Team Leader, ITI ENT | 11/02/2019 |
| Maurice Franceschi | Portfolio Manager | ITI Portfolio Manager, ISG | 13/02/2019 |
| Lawrence Stevenson | Project Manager | ITI Project Manager, ISG | 07/02/2019 |
Background
This project brief describes the objectives, scope, timeline, deliverables and acceptance criteria for the replacement of the current remote Windows server management process, which uses the University’s VPN service to access and manage Windows servers and VMs remotely. The goal of the project is to replace the current process with a service based on Microsoft’s Remote Desktop Gateway for Windows servers. The service will enable members of ITI Enterprise Services, and IS Apps Development Technology and Technology Management teams to remotely access Windows servers for troubleshooting and management purposes. A level of granular security will be delivered with administration groups authorised to only access specific groups of servers for which they have responsibility.
Project Scope
The project will implement secure and robust gateway processes to provide remote access to development, test and live Windows servers managed by the ITI Enterprise Services (ENT) Windows team and IS Apps teams. The implementation will cover the installation and configuration of the gateway, integration with Active Directory, registration of administrators, and definition of server groups and assignment of administrator access to specific server groups. In addition, the configuration of Windows and network firewalls is required to enable access from outside the University to specific VLANs and server groups.
All Windows servers managed by ITI ENT will be added to the gateway. This means servers running Windows Server 2008, 2012 or 2016. All gateway account administration will be managed by the ENT team.
Out of Scope
The work will only provide a new method to enable administrators to remotely connect to Windows servers managed by the ENT Windows team. Access will not be provided to Windows servers managed by other teams, e.g. the Schools administration team, nor will access be provided to non-Windows servers such as Linux (CentOS) servers managed by the ENT Unix teams.
Objectives
The key requirements and the associated priorities are outlined below.
| Requirement | MoSCoW | Requester |
|---|---|---|
| Replace current remote access process with a secure solution based on Microsoft Remote Server Gateway | Must | Graeme Wood |
| A load balanced solution across sites that ensures all servers can be accessed even if one gateway is unavailable | Must | Murray Dippie |
| Approved process and procedures developed around the gateway use | Must | Murray Dippie |
| Storage of gateway logs in the central logging system (ELK) for review and audit | Must | Murray Dippie |
The key objectives on this project are to –
- Install and configure Microsoft’s Remote Desktop Gateway on load balanced servers at JCMB and Appleton Tower to provide access to Windows servers managed by the ENT Windows team at both data centres
- Authorise administrator groups in Active Directory as gateway users
- Define ENT Windows server groups, VLANs, etc. and add servers to the gateway
- Assign access to administrators to specific server groups
- Configure Windows firewalls to provide administrator access to VLANs and servers
- Configure external facing network firewalls to enable remote access to the gateway
- Configure and run Windows Remote Desktop tests to ensure remote end-to-end access via both sites to all defined VLANs and servers
- Test gateway server failover at both sites to ensure all servers can still be accessed
- Define the procedure for using the remote desktop client and updating server and administrator data on the gateway
- Configure the ELK central logging system to retrieve and store gateway logs for review and audit
Deliverables
The following deliverables and acceptance criteria meet the objectives of the project.
| Objective | Deliverable(s) | Acceptance Criteria |
|---|---|---|
| Install, configure, test and commission a secure and robust remote Windows server management solution using Microsoft’s Remote Desktop Gateway | Dual load balanced servers (at JCMB and Appleton Tower) hosting the gateway and providing access for ENT and IS Apps administrators to servers in the ENT managed space | The gateways are fully tested and a recognised process is embedded in ENT operational policies as a secure and accepted method to remotely access Windows servers for maintenance and troubleshooting |
| Provide user procedures on the use of Windows Remote Desktop to enable authorised administrators to access servers remotely | Documentation on the ENT wiki providing usage and configuration details | Approved user documentation available on the ENT wiki |
| Provide user procedures on (a) the registration of new administrators, groups, servers, and VLANs and requests for whitelisting and (b) removal of administrators, servers, etc. from the gateway | Documentation on the ENT wiki providing details on requests for registration, update and removal of administrators, servers, etc. | User documentation reviewed, approved and available on the ENT wiki |
| Develop operational procedures covering the management of administrators, groups, servers, and VLANs on the gateway plus the whitelisting of servers to be added to the gateway and requests for any additional network firewall configuration on the gateway | Documentation on the ENT wiki providing procedures for adding, updating and removing administrators, servers, etc. on the gateway | Operational documentation reviewed, approved and available on the ENT wiki |
| Develop a process to migrate gateway logs to the ELK central logging system | Link to ELK in place providing logs from the gateway on a regular basis | Gateway logs available in ELK for review and audit |
Benefits
The successful delivery of this project is expected to provide the following benefits -
- A more secure, robust and appropriate access management to enable administrators to connect to servers remotely thus reducing the need to come on site outside office hours
- A level of granularity that can restrict server access to specific administration groups so that erroneous changes are reduced
- Formal process and procedures are presented to ENT and IS Apps staff to ensure a standard access method is available to administrators
- Gateway logs are transferred to the central logging system to facilitate reviews and to provide the facility to cross reference against other logs
Success Criteria
The following are the criteria to be met to ensure a successful completion of the project –
- An operational gateway service enabling ENT and IS Apps staff access to servers on a remote basis
- A secure service that ensures authorised administrators can access only their assigned servers
- An operational process that adds, updates and deletes authorised users in an efficient and timely manner
- Operational and user documentation available and maintained on the process
Project Milestones
The following table outlines the key milestones in the project.
| Milestone | Responsible | Approval | Date |
|---|---|---|---|
| Initial review of scope, requirements and timeline | Lawrence Stevenson | Murray Dippie | 22/01/2019 |
| Project brief and project plan prepared | Lawrence Stevenson | Murray Dippie | 15/02/2019 |
| Project brief and plan approved | Murray Dippie | Graeme Wood, Senior Users | 01/03/2019 |
| End of planning | Lawrence Stevenson | Maurice Franceschi | 04/03/2019 |
| Remote Desktop Gateway server and client installation process designed | Murray Dippie | Senior Users | 15/03/2019 |
| Gateway user and server groups, VLANs and firewall configurations defined | Martin Cassels | Murray Dippie | 22/03/2019 |
| Microsoft’s Remote Desktop Gateway installed on Windows management servers at JCMB and Appleton Tower | Martin Cassels | Murray Dippie | 29/03/2019 |
| Install service certificates and load balance gateways | TBA | Martin Campbell | 05/04/2019 |
| Administrator groups in Active Directory authorised as gateway users | Martin Cassels | Murray Dippie | 05/04/2019 |
| Server group policy defined in Active Directory for gateway access | Martin Cassels | Murray Dippie | 05/04/2019 |
| Access to specific server groups by administrators' groups assigned | Martin Cassels | Murray Dippie | 12/04/2019 |
| Windows firewalls configured for gateway access | Neil Cooper | Murray Dippie | 19/04/2019 |
| Network firewalls configured for gateway access | TBA | David Graham | 03/05/2019 |
| Gateway access tested and proved from external clients | Senior Users | Murray Dippie | 17/05/2019 |
| Process documentation prepared and available on ENT wiki | Martin Cassels | Murray Dippie | 31/05/2019 |
| Administrators trained on use of remote gateway | Martin Cassels | Senior Users | 14/06/2019 |
| Remote gateway logs integrated into ELK central logging system | Kenneth MacDonald | Murray Dippie | 28/06/2019 |
| New remote gateway process presented at ENT monthly team meeting | Murray Dippie | Graeme Wood | 02/07/2019 |
| Project closed | Lawrence Stevenson | Graeme Wood, Senior Users | 19/07/2019 |
Impact
Priority and Funding
This work has been identified as a Priority 2 project within the ITI Enterprise Services portfolio. No capital investment is required as the Gateway is licenced through existing Windows Server licencing. Resourcing is as outlined in the section below.
Service Excellence
The gateway project aims to meet service excellence goals for information security and process improvement by delivering a new remote Windows server management service that is secure in terms of both user and server access, and is an improvement on the currently provisioned service.
Digital Transformation
The project will deliver a gateway service that uses one of the latest products providing remote access for Windows server management.
Dependencies
Clearly a prerequisite to successfully implementing a new remote Windows server management process is the adoption of the process by the ITI Enterprise Services and IS Apps teams by ensuring adequate documentation and training is delivered as part of this project.
Currently no dependencies have been identified with other ongoing ITI projects.
Risks
The risk log will be maintained, on the Projects website, to record and track all risks to resolution. Risk severity and impact, risk owner and planned mitigation date will be assigned by the project team. Major risks with close proximity need to be escalated to the project board via the project sponsor.
Initial risks that have been identified for this project include –
- The project milestones may not be met due to the volume of work in other areas and/or the lack of skilled or available resources
- The scope of the work included in the project must be approved by the project sponsor and senior suppliers; any significant change of scope during the project must be presented and approved by the project sponsor
- Additional costs could be incurred for items such as software licences, additional compute and storage capacity, or network equipment; currently this is categorised as very low risk
Organisation
Work Breakdown
The following work breakdown structure summarises the key tasks required to deliver the gateway service.

Resources, Skills and Costs
No investment costs have been identified for this project, as the gateway software is available under existing licences. It is assumed that the server and storage capacity required is available to build and extend the VMs required to run the service in the current VMware host environment.
The project will run from February 2019 to July 2019 and require limited ITI Enterprise Systems (ENT), Communications Infrastructure Services (CIS), ISG Technology Management and ISG Development Technology resourcing during that period. Estimated resource requirement totals are itemised in the table below.
| Team Member | Role | Days Allocated |
|---|---|---|
| Murray Dippie | ESW resource management, requirements and scope, gateway build and test, documentation, project board attendance | 11.0 |
| Martin Cassels | Gateway build, user management, server integration, group policies, test, documentation | 10.0 |
| Neil Cooper | Windows firewall configuration | 2.0 |
| TBA (CIS) | Network firewall configuration | 2.0 |
| Kenneth MacDonald | Gateway/ELK integration | 1.0 |
| TBA (ENT) | Remote access testing | 2.0 |
| TBA (Tech Mgmt) | Remote access testing | 2.0 |
| TBA (IS Apps) | Remote access testing | 2.0 |
| Lawrence Stevenson | Project management | 12.0 |
| Graeme Wood | Project sponsor, project board attendance | 2.0 |
| Maurice Franceschi | Project board attendance | 2.0 |
| David Graham | CIS resource management | 1.0 |
| Heather Larnach | Tech Mgmt resourcing | 1.0 |
| Mark Lang | Development Technology resourcing | 1.0 |
Project Governance
Overall project governance will be provided by the project board, whose members are listed below. Day to day project management and delivery is the responsibility of the project team – see section Project Team. As this is a small project, project board meetings will be minimal.
Project Stakeholders
Project Board
The project sponsor is Graeme Wood, Head of ITI Enterprise Services. The following senior stakeholders will be invited to participate in project board meetings.
| Role | Name | Position |
|---|---|---|
| Project Sponsor | Graeme Wood | Head, ITI Enterprise Services |
| Service Owner | Murray Dippie | ESW Team Leader, ITI Enterprise Services |
| Senior User | Heather Larnach | Team Leader, ISG Technology Management |
| Senior User | Mark Lang | Manager, ISG Development Technology |
| Senior Supplier | David Graham | Head, ITI Communications Infrastructure Services |
| Senior Supplier | Kenneth MacDonald | Unix Services Team Leader, ITI ENT |
| Portfolio Manager | Maurice Franceschi | ITI Portfolio Manager, ISG |
| Project Manager | Lawrence Stevenson | ITI Project Manager, ISG |
Project Team
The following diagram shows the key members of the Remote Windows Server Management project team.

Project Estimations
The table below shows the estimated times for the main tasks in the project.
| Task | Duration | Start | Finish |
|---|---|---|---|
| Define scope, requirements and timeline | 10 | 14/01/2019 | 25/01/2019 |
| Prepare brief and plan | 10 | 28/01/2019 | 08/02/2019 |
| Review brief | 10 | 11/02/2019 | 22/02/2019 |
| Update project brief | 3 | 25/02/2019 | 27/02/2019 |
| Approve project brief | 2 | 28/02/2019 | 01/03/2019 |
| Design Gateway usage processes | 10 | 04/03/2019 | 15/03/2019 |
| Define gateway user and server groups, VLANs and firewall configurations | 5 | 18/03/2019 | 22/03/2019 |
| Install MS Remote Desktop Gateway on management servers (JCMB & AT) | 5 | 25/03/2019 | 29/03/2019 |
| Add Gateway administrator groups in Active Directory | 2 | 01/04/2019 | 02/04/2019 |
| Define group policies in Active Directory for gateway access | 3 | 03/04/2019 | 05/04/2019 |
| Assign access to specific server groups by administrators' group | 5 | 08/04/2019 | 12/04/2019 |
| Configure Windows firewalls for gateway access | 5 | 15/04/2019 | 19/04/2019 |
| Configure network firewalls for gateway access | 10 | 22/04/2019 | 03/05/2019 |
| Test Gateway access from external devices (ENT) | 10 | 06/05/2019 | 17/05/2019 |
| Test Gateway access from external devices (IS Apps) | 10 | 06/05/2019 | 17/05/2019 |
| Prepare documentation on ENT wiki | 10 | 20/05/2019 | 31/05/2019 |
| Train users on use of remote gateway (ENT) | 10 | 03/06/2019 | 14/06/2019 |
| Train users on use of remote gateway (IS Apps) | 10 | 03/06/2019 | 14/06/2019 |
| Integrate gateway logs into ELK central logging system | 10 | 17/06/2019 | 18/06/2019 |
| Present gateway process at ENT monthly meeting for approval | 1 | 02/07/2019 | 02/07/2019 |
| Approve gateway service in production | 1 | 05/07/2019 | 05/07/2017 |
| Prepare closure report | 2 | 08/07/2019 | 09/07/2019 |
| Review closure report | 3 | 10/07/2019 | 12/07/2019 |
| Update closure report | 3 | 15/07/2019 | 17/07/2019 |
| Approve closure report | 2 | 18/07/2019 | 19/07/2019 |
Assumptions
The following assumptions have been identified at the start of the project and may be expanded during the project.
- The resources estimated for the project will be available as scheduled to ensure the work assigned in the project plan is completed
- No additional investment costs will be needed for additional licences or equipment
- The remote access process will be thoroughly tested to ensure that it is fit for purpose and all administrators have access to the relevant servers
- The remote Windows server management process will be adequately documented and adequate training given to administrators
- A BAU process will be in place to manage, inter alia, administrators, new and decommissioned servers, access rights, network changes and software upgrades
Constraints
The main constraint for the project is that team members are not fully assigned to the project and are working on other projects and supporting BAU activities. This can be translated into a key risk where precedence for resources may go to the BAU work or work on a higher priority project. Management commitment needs to be made to days allocated in the ITI resource plan and to the overall commitment defined in the section Resources, Skills and Costs.
Additionally, it is a management goal to complete the project before the end of FY2018-19. The current plan reflects this. However, the tasks have been stretched across the February to July timeframe to ensure the project does not put excess demand on ITI resources during this period.
Issues
If and when they arise, issues will be recorded, on the Projects website, and tracked throughout the project. Issues that are not outside agreed tolerances will be resolved within the project team. Major issues need to be escalated to the project board for review and advice on resolution. Issue resolution that requires a major change to the project in terms of time, quality or cost needs to be approved under formal change management by the project board.
All project changes outside tolerances must be reviewed and approved by the project board. Project changes within tolerances can be managed with the project team.
Project work that impacts production systems or networks must be communicated with the requisite lead time to the ISG CAB for review and approval.
Tolerances
The following standard ITI project tolerances will be applied and these are outlined below. Any deviation outside these tolerances must be reported for review and resolution to the Project Board, if constituted, or the Project Sponsor and Portfolio Manager otherwise.
- Cost – over +/- 10% of original budget
- Plan – slippage of over 4 weeks to current plan
- Scope – extensive addition or reduction from current scope
- Quality – refusal to approve a key project deliverable
Lessons Learned
A log will be maintained on the Projects website to record lessons learned throughout the project. This will be reviewed at the project closure meeting and will be available for review by future projects.
Communication
The following meetings and communication channels will be put in place to support the effective communication of project progress, risk management and escalation.
| Forum | Frequency | Participants/Recipients | Communication |
|---|---|---|---|
| Project Meeting | Fortnightly | Project team members and Project Manager | Meeting minutes, plan, risk & issues |
| Project Board | As required | Sponsor, Senior Users, Senior Suppliers, Project Manager | Meeting minutes & progress report, escalations |
| Project Report | Monthly | Project Manager/All stakeholders | ISG Projects website |
| Project announcements & updates | As required | Project Manager or Senior Supplier, as appropriate | Email, IS Alerts |
| ISG CAB | As required | Senior Supplier/CAB Members | CAB submissions |
