Project Closure Report

ENT040 – Remote Windows Server Gateway

Approvals

Name Role Position Date
Graeme Wood Senior User Head, ITI Enterprise Services 01/08/2019
Murray Dippie Senior Supplier Team Leader, ENT Windows 25/07/2019
Maurice Franceschi Programme Manager TI Portfolio Manager 29/07/2019

Distribution

Name Role Organisation
Heather Larnach Senior User Team Leader, ISG Technology Management
Mark Lang Senior User Manager, ISG Development Technology
Graham Newton Senior User Head, ITI Desktop Services Team
David Graham Senior Supplier Head, ITI Communications Infrastructure Services
Martin Campbell Senior Supplier Unix Systems Team Leader, ITI Enterprise Services
Kenny MacDonald Senior Supplier Unix Services Team Leader, ITI Enterprise Services

Project Summary

This project was initiated to enable authorised remote technical staff to connect to business resources on University service related VLANs over secure and encrypted connections without the need to configure virtual private network (VPN) connections. The goal of the project was to replace the existing process with a service based on Microsoft’s Remote Desktop Gateway for Windows servers. The new service enables members of ITI Enterprise Services, and the IS Apps Development Technology and Technology Management teams, to remotely access Windows servers more securely for troubleshooting and management purposes. Granular access control was configured for administration teams so that each team can access only the specific groups of servers for which it is responsible.

Project Scope

The project’s main goal was to implement a secure and robust gateway process to provide remote access to development, test and live Windows servers managed by the ITI Enterprise Services (ENT) Windows team and IS Apps teams. The implementation work covered the installation and configuration of the gateway, integration with Active Directory, registration of administrators, definition of server groups and assignment of administrator access to specific server groups. In addition, the configuration of Windows and network firewalls was required to enable access from outside the University to specific VLANs and server groups.

All Windows servers managed by ITI ENT can be accessed using the gateway. This covers servers running Windows Server 2008, 2012, 2016 or 2019. All gateway account administration is managed by the ENT team.

The work only provided a more secure method to enable administrators to remotely connect to Windows servers managed by the ENT Windows team. Access is not provided to Windows servers managed by other teams, e.g. the Schools administration team, nor is access provided via the Gateway to non-Windows servers such as the Linux (CentOS) servers managed by the ENT Unix teams.

Outcomes

The project was initiated in January 2019, with planning completed at the start of March. The original schedule to go live on 08/07/2019 was met and the project was closed in July 2019. Apart from a short delay in testing the Gateway by the IS Apps Development Technology team, all milestones were met. In fact, the integration with the Central Logging (ELK) system was completed ahead of schedule with work completed in May rather than late June.

Objectives

The key objectives of the project were to provide –

  • A segregated gateway service separate from the University’s more general VPN remote access service, purely for use by system administrators and application support staff
  • A secure remote access solution that ensured access only to authorised administrators integrated with Active Directory
  • A gateway service that restricted administrators’ access to only those servers under their management
  • A robust service that supported continuous operation even if one gateway server was down or inaccessible
  • Integration with the Central Logging system to enable log reviews and checks

Requirements

The key requirements and the associated priorities are outlined below and were met by project closure.

Requirement | MoSCoW | Status

Replace current remote access process with a secure, segregated solution based on Microsoft Remote Server Gateway | Must | Delivered
A load balanced solution across sites that ensures all servers can be accessed even if one gateway is unavailable | Must | Delivered
Approved process and procedures developed around the gateway use | Must | Delivered
Storage of gateway logs in the central logging system (ELK) for review and audit | Must | Delivered

The main areas of work of the project covered –

  • Install and configure Microsoft’s Remote Desktop Gateway on load balanced servers at JCMB and Appleton Tower to provide access to Windows servers managed by the ENT Windows team at both data centres
  • Define administrator groups in Active Directory as gateway users
  • Define ENT Windows server groups, VLANs, etc. and add servers to the gateway
  • Assign access to administrators to specific server groups
  • Configure Windows firewalls to provide administrator access to service VLANs and servers
  • Configure external facing network firewalls to enable remote access to the gateway
  • Configure and run Windows Remote Desktop tests to ensure remote end-to-end access via both sites to all defined VLANs and servers
  • Test gateway server failover at both sites to ensure all servers can still be accessed
  • Define the procedures for using the remote desktop client and updating server and administrator data on the gateway
  • Configure the central logging system to retrieve and store gateway logs for review and audit
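The last item is what makes the gateway auditable: once connection, authorisation and session events from the gateway reach the central logging system, a reviewer can ask who was refused at the gateway, who was refused a particular server, and whether every session was preceded by a matching authorisation decision. The following is an added example of such a review, not part of the project or this report. It uses the event IDs of the Windows Remote Desktop Gateway operational log (200/201 for the connection authorization policy, 300/301 for the resource authorization policy, 302/303 for a session to a resource opening and closing); the flattened record form, user names, IP addresses and server names are constructed for the example, and the fields a real log shipper indexes depend on its configuration.

```python
"""Review Remote Desktop Gateway events after they reach a central log store.

Event IDs are those of the Microsoft-Windows-TerminalServices-Gateway/Operational
log. The flattened (event_id, user, client_ip, resource) form and all sample
values are constructed for this example; the fields a shipper actually indexes
depend on its configuration (an assumption of this example).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

CAP_MET, CAP_NOT_MET = 200, 201        # connection authorization policy: who may use the gateway
RAP_MET, RAP_NOT_MET = 300, 301        # resource authorization policy: which servers they may reach
CONNECTED, DISCONNECTED = 302, 303     # session to a resource opened / closed

# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS = [
    (CAP_MET,      "UNI\\alice",   "203.0.113.10", ""),
    (RAP_MET,      "UNI\\alice",   "203.0.113.10", "web01.ent.example"),
    (CONNECTED,    "UNI\\alice",   "203.0.113.10", "web01.ent.example"),
    (DISCONNECTED, "UNI\\alice",   "203.0.113.10", "web01.ent.example"),
    (CAP_MET,      "UNI\\bob",     "198.51.100.7", ""),
    (RAP_NOT_MET,  "UNI\\bob",     "198.51.100.7", "db01.ent.example"),
    (RAP_NOT_MET,  "UNI\\bob",     "198.51.100.7", "db02.ent.example"),
    (RAP_NOT_MET,  "UNI\\bob",     "198.51.100.7", "db03.ent.example"),
    (CAP_NOT_MET,  "UNI\\mallory", "192.0.2.55",   ""),
    (CAP_NOT_MET,  "UNI\\mallory", "192.0.2.55",   ""),
    (CONNECTED,    "UNI\\carol",   "203.0.113.20", "app01.ent.example"),  # no RAP_MET seen first
]


@dataclass
class AuditSummary:
    cap_denied: Counter = field(default_factory=Counter)       # user -> denials at the gateway itself
    rap_denied: Counter = field(default_factory=Counter)       # user -> denials for a specific server
    denied_sources: dict = field(default_factory=lambda: defaultdict(set))     # user -> client IPs on denials
    resources_reached: dict = field(default_factory=lambda: defaultdict(set))  # user -> servers connected to
    unauthorised_connects: list = field(default_factory=list)  # (user, server): 302 with no earlier 300


def summarise(events):
    """Fold the event stream into per-user counts and correlate each 302 with an earlier 300."""
    s = AuditSummary()
    rap_granted = set()  # (user, resource) pairs for which a RAP-met event has been seen
    for event_id, user, client_ip, resource in events:
        if event_id == CAP_NOT_MET:
            s.cap_denied[user] += 1
            s.denied_sources[user].add(client_ip)
        elif event_id == RAP_NOT_MET:
            s.rap_denied[user] += 1
            s.denied_sources[user].add(client_ip)
        elif event_id == RAP_MET:
            rap_granted.add((user, resource))
        elif event_id == CONNECTED:
            s.resources_reached[user].add(resource)
            if (user, resource) not in rap_granted:
                s.unauthorised_connects.append((user, resource))
    return s


def alerts(summary, cap_threshold=2, rap_threshold=3):
    """Findings for the reviewer, in a fixed order so the output is reproducible."""
    out = []
    for user, n in sorted(summary.cap_denied.items()):
        if n >= cap_threshold:
            ips = ", ".join(sorted(summary.denied_sources[user]))
            out.append(f"{user}: {n} CAP denials from {ips} - account not in an authorised gateway group")
    for user, n in sorted(summary.rap_denied.items()):
        if n >= rap_threshold:
            out.append(f"{user}: {n} RAP denials - requests for servers outside the user's assigned server groups")
    for user, resource in summary.unauthorised_connects:
        out.append(f"{user}: connected to {resource} with no RAP-met event - check policy or log shipping gaps")
    return out


if __name__ == "__main__":
    for line in alerts(summarise(SAMPLE_EVENTS)):
        print(line)
```

Repeated 301 events for one user are the signal that matters most for a service built on per-team server groups: they show an authorised gateway user asking for servers outside their assignment, which is either a policy gap to fix or behaviour to follow up. A 302 with no preceding 300 for the same user and server is usually a shipping gap rather than a bypass, but it is exactly the kind of inconsistency a central log store lets a reviewer notice.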

Deliverables

The following deliverables and acceptance criteria to meet the objectives of the project were all delivered as specified.

Objective | Deliverable(s) | Acceptance Criteria
Install, configure, test and commission a secure and robust remote Windows server management solution using Microsoft’s Remote Desktop Gateway | Gateway servers (at JCMB and Appleton Tower) hosting the gateway and providing access for ENT and IS Apps administrators to servers in the ENT managed space | The gateways are fully tested and a recognised process is embedded in ENT operational policies as a secure and accepted method to remotely access Windows servers for maintenance and troubleshooting
Provide user procedures on the use of Windows Remote Desktop to enable authorised administrators to access servers remotely | Documentation on the ENT wiki providing usage and configuration details | Approved user documentation available on the ENT wiki
Provide user procedures on (a) the registration of new administrators, groups, servers, and VLANs and requests for whitelisting and (b) removal of administrators, servers, etc. from the gateway | Documentation on the ENT wiki providing details on requests for registration, update and removal of administrators, servers, etc. | User documentation reviewed, approved and available on the ENT wiki
Develop operational procedures covering the management of administrators, groups, servers, and VLANs on the gateway plus the whitelisting of servers to be added to the gateway and requests for any additional network firewall configuration on the gateway | Documentation on the ENT wiki providing procedures for adding, updating and removing administrators, servers, etc. on the gateway | Operational documentation reviewed, approved and available on the ENT wiki
Develop a process to migrate gateway logs to the central logging system | Link to the central logging system in place providing logs from the gateway on a regular basis | Gateway logs available in the central logging system for review and audit

Benefits

The successful delivery of this project was expected to provide the benefits listed below, which have been achieved.

  • A more secure, robust and appropriate access management method that enables administrators to connect to servers remotely, reducing the need to come on site outside office hours
  • A level of granularity that restricts server access to specific administration groups, so that the risk of erroneous changes is reduced
  • Formal process and procedures presented to ENT and IS Apps staff, ensuring a standard access method is available to administrators
  • Gateway logs transferred to the central logging system to facilitate reviews and to allow cross-referencing against other logs

Success Criteria

The following are the criteria that were met to ensure a successful completion of the project.

  • An operational gateway service enabling ENT and IS Apps staff access to servers on a remote basis
  • A secure service that ensures only access to assigned servers by authorised administrators is possible; service was penetration tested successfully
  • An operational process that adds, updates and deletes authorised users in an efficient and timely manner
  • User documentation has been prepared and is available on the ENT wiki at https://www.wiki.ed.ac.uk/pages/viewpage.action?pageId=412866649

Alignment with IS Change Programme

This section reviews retrospectively how the project, at closure, contributed to the themes of the IS Change Programme.

Theme | Contribution
Project Management | Formal ISG project management processes for a small project were applied successfully
Working Together | The project was a successful collaboration between ITI Enterprise Services, IS Apps Development Technology and IS Apps Technology Management
Standards and Technical Leadership | ITI Enterprise Services implemented a remote access solution for use by their team and application support teams
Staff Learning and Development | The project provided team members with exposure to a new core solution for secure remote access
Service Based Culture | A more secure remote access service was provided for IS Apps teams as well as the ITI Enterprise Services team
Equality and Diversity | N/A
Innovation | Implementation of an industry standard (Microsoft) remote gateway solution
Flexible Resourcing | The project was delivered with limited resources over an extended period so that resourcing for higher priority projects and BAU activity was maintained
Communication and Branding | Communication on requirements and testing was sent out well in advance; notification of the service was given to management of impacted ENT and IS Apps teams

Project Quality

Project Plan

The project plan was developed in February 2019 and, apart from some minor delays in testing and the integration with Central Logging being pulled forward, tasks and milestones were completed on time.

Project Resourcing

Project resourcing was assigned on the basis that limited time was available, so resource allocation was planned for the project on an average of 0.5 days per week, rising to 1.0 days per week during build/test. The bulk of resources were provided by the ITI ENT Windows team with firewall configuration work done by the ENT CIS team (for ASA rules) and ITI ENT Windows team (for local rules), and test support provided from the IS Apps Development Technology and Technology Management teams.

Project Budget

The project was purely resource based and did not require financial funding, as Microsoft Gateway server and client licences were available through the University’s Microsoft enterprise licensing agreement.

Outstanding Issues

The following work is ongoing but still to be completed –

  • Inclusion in the University’s Service Catalogue – request made but not yet completed

The following requirements were reviewed but not considered necessary for this restricted infrastructure service –

  • Completion of Equality Impact Assessment (EQIA)
  • Completion of Data Protection Impact Assessment (DPIA)

Lessons Learned

The key observations from the project are summarised in the table below –

Observation | Description | Impact | Recommendations
Project planned with awareness that resources were limited | The project was planned to ensure no major resource demand was needed during the project | The project took a longer duration than if dedicated or more resources were available | Ensure aggregate resource planning is maintained to estimate impact on BAU and other project works

Appendix 1 – Final Project Timeline

Link to timeline.

Project Info

Project: Remote Windows Server Management Solution
Code: ENT040
Programme: ITI - Enterprise Services (ENT)
Management Office: ISG PMO
Project Manager: Lawrence Stevenson
Project Sponsor: Graeme Wood
Current Stage: Close
Status: Closed
Project Classification: Grow
Start Date: 28-Jan-2019
Planning Date: 01-Mar-2019
Delivery Date: 08-Jul-2019
Close Date: 31-Jul-2019
Overall Priority: Higher
Category: Discretionary
