The South Carolina Department of Probation, Parole and Pardon Services (SCDPPPS) is responsible for helping motivated offenders succeed in their communities within the framework of public safety. SCDPPPS’s main responsibilities include supervising offenders, promoting public safety, investigating cases, providing assistance and support to crime victims, and providing resources to support the state’s Emergency Operations Plan and Homeland Security. Overall, there are more than 32,000 offenders under the department’s supervision.

SCDPPPS has more than 900 workstations/laptops at 56 distributed sites that created a number of technical challenges for the 12-person IT group headed by David O’Berry, Director of Information Technology Services. Among the hurdles that emerged over the last several years is the increasingly mobile nature of SCDPPPS agents. These dedicated professionals supervise offenders in the field while at the same time traveling to the various courtrooms around the state. To provide agents network access to retrieve case-related and other important information, a scalable long-term mobile solution had to be found.

The Challenge: IPSec VPN Leads to High Costs and Dramatic Inefficiencies

O’Berry deployed a leading competitor’s IPSec VPN in 2001 as a first stab at creating a cost-effective solution to provide secure access to more than 100 remote users. It was no easy feat, and resulted in a solution which, as needs changed, did not scale well for the time invested per user.

“A big challenge that we had with IPSec was having to install a client in every PC that needed to access our network,” said Tom Webb, Assistant Network Manager for SCDPPPS. At times, Webb and various other members of the team had to personally drive over to each site and get permission for their IT people to install clients on their PCs too. The process would need to be repeated for any upgrades. SCDPPPS estimates it took approximately four hours to complete the installation and setup for each computer if things went perfectly. In a less-than-ideal scenario, it could take days to get people connected. “We had to go in and make sure that each one was set up properly. And it’s not just your time; it’s the end user’s time as well.”

Another challenge was the need to connect through the networks of other agencies. “We had to make sure that the network administrators maintained their firewall to allow the IPSec connection to work, and they just didn’t have the skill sets to make all these changes. We also had to learn all the nuances about specific firewall requirements since each agency was set up differently. Then we had to run tests to make sure we were OK. It was a very cumbersome and costly process,” said Webb. “With the IPSec solution we just had too many network configuration issues over which we had no control.”

SCDPPPS decided to reevaluate its remote access solution after receiving the first phase of a grant to put laptops in every courtroom throughout South Carolina’s 46 counties. The initial target was 15 courtrooms, but once those goals were met on time the same money was then redirected to install in 10 more locations with no additional manpower. The IPSec solution was just not scaling based on the time required per location and the lack of control over local network configurations. With that in mind, O’Berry and Webb investigated a number of potential SSL solutions with a focus on finding something that traversed firewalls, was easy to deploy and maintain, and was reasonably priced. They were close to implementing a leading competitor’s SSL offering, but could not afford the high price for the user count necessary in the long run.

“Early on, we gave the competitor a ballpark figure of the amount of grant money we were budgeting and they kept saying, ‘no problem, no problem.’ But, when we got down to price negotiation, we could only get one-third to one-half of the minimum number of user accounts that we needed for the amount of money we budgeted.”

Implementing the Citrix Access Gateway

O’Berry continued his investigation and ran across the Citrix Access Gateway™. The more he read about the functionality of the Access Gateway, the more he thought it would be a perfect solution for SCDPPPS. After calling an existing Citrix Access Gateway customer as a reference, O’Berry called the Access Gateway manufacturer. The rest is history.

With the Citrix solution in place, the thick-client PowerBuilder application used by SCDPPPS agents worked across firewalls without a single change to the application. With the competitor’s SSL offering, the application would have more than likely required “webification,” a professional services engagement that would have increased the already high cost of the product. Added O’Berry, “They could not guarantee at that point that it was going to work.”

Easy in Set-up and Cost

“I was amazed at how out of control the pricing was on most of the SSL VPN options,” said O’Berry. “Beyond being super competitive price-wise, we just really liked the product, it was very clean during implementation.”

The Citrix Access Gateway installation and set-up really impressed Webb. “On the server side we were literally blown away when we were setting the Access Gateway up. It was pretty much plug and play,” said Webb. “It has a very clean admin interface that has what you need where you need it. We were able to set it up in only 15 to 20 minutes as compared to the hours it took to originally install the IPSec VPN server. David and I came in on the Saturday it arrived and were using it within 15 to 20 minutes to test it and from there used it in production that night.”

The ease of installation of the Access Gateway client was even more impressive than the server-side installation. Instead of having to manually install an IPSec client on each of the 300 PCs, Webb just emailed a URL, which downloads the Access Gateway client to the PC. “Its been a very easy rollout,” said Webb. The Access Gateway client also auto-upgrades, which saves Webb the twice a year manual IPSec client upgrade.

Said Webb, “Before the Citrix Access Gateway, it took us three months to install 20 laptops. With the Citrix solution, I’m estimating it would probably take us three to four weeks to do 100 laptops from the connectivity standpoint.”

Going Beyond the Basics: “Remote Control”

After deploying the Citrix Access Gateway with such success and ease, SCDPPPS set its sights on the latest innovation within the product: the remote control feature. Prior to the Access Gateway, the department used an open source-based virtual network computing (VNC) technology to enable the IT group to log in remotely to an end-user’s machine. But the VNC approach created serious security problems. “We had issues with the fact that it’s a piece of software that someone has to install, and if it’s installed improperly it could leave the network wide open,” said Webb.

The included remote control feature of the Access Gateway enabled SCDPPPS to troubleshoot remote users’ PCs by desktop sharing. Said Webb: “It’s very easy; you can just have somebody right click on ‘Share’ and the other person just clicks ‘OK’ and the application appears right on your desktop and you can share it. We really like that feature, and we’ve already received a very good response to this part of the product to the point where people here are almost beside themselves. It’s as if it’s a huge surprise that you can do this essential IT help desk functionality with a VPN!”

The remote control capabilities bring some pretty significant benefits. For example, O’Berry’s group no longer has to spend hours on the phone with department staff who are having technical problems. Instead, they quickly access the remote desktop via the Access Gateway, and correct problems on the fly.

“Getting the Job Done” with the Citrix Access Gateway

Overall, SCDPPPS has seen a dramatic turnaround in its remote access system. “The great thing about it is that the Access Gateway evolves based on the direct input from customers, which is a pretty huge thing,” said O’Berry. “I mean, one of the things we were so impressed with was the built-in remote control capabilities. Now I can remotely control anyone who is attached to the SSL. So, that’s pretty significant from a distributed environment perspective. With that in mind, I’m looking at the Citrix solution not only as an aggregation point for connectivity, but also as just an aggregation point for support.”

“The Citrix Access Gateway solution is really going to enable us to do things we could not do before,” said O’Berry. “We could no longer give the level of support we desired with an IPSec VPN implementation based on scalability issues with our manpower. We could not really look at a mobile solution like wireless. We could no longer really look at anything like that if we didn’t have an aggregation point that we were comfortable with to be able to support the numbers as the connectivity into our network continues to expand. IPSec just was not getting it done anymore. And standard SSL VPN cannot get it done effectively. This solution gets it right, and the Access Gateway has been able to respond to both the economic and technical situations as well as any customer could ask. You’ve got a baseline feature set here that kills pretty much anything that is out there. Plus, you add on the new innovation like remote control and host check and it’s really a no-brainer.”

Back