Case Study - Ter Beke


Ter Beke Consolidates Security of Terminal Server/Citrix Network

Background

Ter Beke is an innovative Belgian fresh foods group supplying its line of products in 10 European countries. The group has around 1,850 employees and two core activities: sliced cold meats and refrigerated ready meals. The internal network is a combination of terminal servers and Citrix – in other words, thin clients. Nevertheless, Ter Beke needed to implement security policies for all employees per workstation. The WatchGuard firewall appliances provided the solution.

The Challenge

IT for the entire Ter Beke group is centralised in Waarschoot, where most of the applications also run. A combination of a private MPLS cloud and VPNs over the Internet delivers connections from the headquarters to other branches, and for some 10 years Ter Beke has used WatchGuard firewalls for protecting its Internet traffic: in Waarschoot, with two clustered WatchGuard XTM 5 Series appliances, and XTM 2 Series at almost all locations.

Terminal Servers & Citrix

For many years Ter Beke has operated with a terminal server environment running on Microsoft Terminal Services, with a total of 8 central servers. Four Citrix XenApp 6.5 servers are located centrally in Waarschoot, and there are several native terminal servers in local branches in the various factories in Europe. In 2011 the company began considering an upgrade to achieve cost savings, greater ease of management, and improved user-friendliness.

Marc Decroos has been responsible for the systems and networks at Ter Beke for some 15 years. He explains: "The multiplicity of applications and terminal servers running at the various locations compelled us to look for a user-friendly solution. After all, it's not the users' problem to find out which server they have to log onto to carry out specific tasks. We opted for Citrix, so that the user can work with all applications through icons, no matter where they run physically or where the user is actually located." Decroos is already far advanced in the roll-out of Citrix, the ultimate aim being to equip all workstations with Citrix – including those in the factories.

Jorgen De Wael, System Engineer at Ter Beke: "We started by carrying out a centralisation operation. All the terminal and data servers from the various locations were migrated to Waarschoot. Then all the terminal servers were converted to a Citrix environment, running on Windows 2008/R2." A complete clean-up programme was then carried out, where all the anti-virus, web-filtering and spam-filtering point solutions were combined in one central WatchGuard UTM solution. "That saved on our spam-filter subscription with our WAN provider and we were able to cancel the licence for the costly dedicated URL filter solution. We were also able to save money on the associated servers, which thus became superfluous. Everything has now been accommodated within the WatchGuard platform," notes Decroos.

Challenges

Introducing Citrix produced a number of problems. Decroos and De Wael wanted to eliminate the URL filter server because this would yield far greater oversight within the firewall domain. De Wael said: "The URL filter solution was a web proxy, which meant all the web traffic ran through an ISA server. This was problematic, because some applications established their own connections with the outside, so that we had to apply special rules. With the former combination of URL filter and ISA server we also needed two components for one function. Not terribly efficient. We ideally also wanted that to occur on the WatchGuard platform at the edge of the network. But with solutions like WatchGuard's this produces an extra complication in combination with terminal servers: in the previous firewall implementation we were unable to see which user was visiting which websites, so that we were also unable to apply any user-specific policies."

This was a problem De Wael didn't have with the ISA server. "Here in Waarschoot we have around 40 users per terminal server. To introduce separate security policies per employee or group, who share the same IP address in a Terminal Server environment, we would need to be able to analyse them within the firewall. If the traffic occurs via a web proxy, then the first user arriving on the terminal server determines the group to which the rest of the users on the same terminal server belong, because these are all regarded by the firewall as one and the same user. An undesirable situation," adds De Wael.

Alongside the fact that the old solution needed two extra components for one function, and that the proxies of the previous URL filter solution caused delays, there was one more problem: the web proxy did not interact well with some applications. "Sometimes a certain filter suddenly became active, so that instead of a specific authorised user, an anonymous session was implemented. Then we regularly had to equip the firewall with IP exceptions so that the users were able to gain full outside access, without being identified. That's not secure, and also takes an enormous amount of time."

WatchGuard and Citrix: a Perfect Couple

The intended collaboration between the terminal server and Citrix environment of Ter Beke and WatchGuard got off to a challenging start. "The first implementation of Terminal Services on the old version was not a success. The UTM worked well, but the single sign-on did not," recalls Decroos.

Although Ter Beke's URL filtering licence had almost expired, at that time a new version with single sign-on for Terminal Services had not yet been released. A preview version was indeed running, according to De Wael, which was being tested extensively together with WatchGuard Benelux.

"In March 2012 we decided to order it anyway on the advice of WatchGuard Benelux, because on 27 May 2012, the day the licence for our URL filter solution expired, we didn't want to continue for another year with a point solution. WatchGuard promised to deliver a fully mature, working solution on that date. And they did."

A WatchGuard agent per terminal or Citrix server now monitors which user is associated with a session, and thus ensures the personal identification of each individual user for the firewall, which makes the application of user-specific security rules possible at the edge of the network.
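As an added illustration (not code from Ter Beke or WatchGuard), the following Python models the problem De Wael describes and the agent-based fix: every session on a terminal server shares one source IP, so a firewall that binds identity to the IP judges every session as the first user it saw, whereas a per-session user mapping, which is what the agent supplies, lets the three-level Active Directory policy apply to each user individually. Usernames, groups, IP address and URL categories are constructed for the example.

```python
# Added example (not Ter Beke's or WatchGuard's code): IP-bound identity
# versus per-session identity on a shared terminal server address.
from dataclasses import dataclass

# Constructed AD group membership: three levels with rising permissions.
AD_GROUPS = {"forklift01": "level1", "clerk02": "level2", "marketing03": "level3"}
# Constructed policy: which web categories each level may reach.
POLICY = {
    "level1": set(),
    "level2": {"business"},
    "level3": {"business", "social"},
}

@dataclass
class Request:
    src_ip: str        # shared by every session on the terminal server
    session_id: int    # distinct per logged-on user
    user: str          # what the agent reports for this session
    category: str      # URL category of the request

def allowed(user, category):
    """Policy decision for a resolved username (unknown users get level1)."""
    return category in POLICY[AD_GROUPS.get(user, "level1")]

def decide_ip_bound(requests):
    """Proxy-style model: the first user seen from an IP binds that IP."""
    ip_owner = {}
    out = []
    for r in requests:
        owner = ip_owner.setdefault(r.src_ip, r.user)
        out.append((r.session_id, owner, allowed(owner, r.category)))
    return out

def decide_per_session(requests):
    """Agent model: each session is evaluated as the user the agent reports."""
    return [(r.session_id, r.user, allowed(r.user, r.category)) for r in requests]

# Constructed traffic from one terminal server: one IP, three sessions.
TRAFFIC = [
    Request("10.0.5.20", 1, "forklift01", "business"),
    Request("10.0.5.20", 2, "marketing03", "social"),
    Request("10.0.5.20", 3, "clerk02", "business"),
]

def mismatches(requests=TRAFFIC):
    """Session ids where the IP-bound decision differs from the per-session one."""
    return [x[0] for x, y in zip(decide_ip_bound(requests), decide_per_session(requests))
            if x[2] != y[2]]
```

With the constructed traffic, the IP-bound model denies sessions 2 and 3 because the forklift driver logged on first, while the per-session model permits them according to their own groups.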

"For the ERP processes some employees launch a session with us in Waarschoot, but additionally they also use Outlook and Office, and some also use factory applications. Because Ter Beke can also use its own agent per server per region, a distributed model occurs. Ter Beke in fact needs one centralised Active Directory environment encompassing all the users in Europe. Waarschoot also only has one redundantly-implemented central XTM gateway with which all the Terminal Server agents communicate," notes De Wael.

Individual Policies

Of the 1,850 employees of Ter Beke, around 400 people use desktops and laptops in their daily work. Terminal Server is used in several places in the company; for example, there are people with hand-scanners and forklift truck drivers in the factories and warehouses. However, they do not have an Internet connection.

Decroos and De Wael can decide per workstation what the relevant user may and may not do on the Internet. This is done by creating specific rules for each Active Directory user or group of users. Ter Beke distinguishes three levels with rising permissions. If desired, specific sites or categories of sites can also be permitted – or excluded – for each IP address or user. If a person is given a new position, he or she only needs to be placed in the Active Directory group with the permissions appropriate to the new role, and the firewall modifies the access automatically based on the new group. "This is the same in each country," explains De Wael. "Whether someone is logging in from abroad or mobile through a VPN, the rules are applied everywhere based on his or her profile in the Active Directory in Waarschoot. The same rules and groups are also established in the local, smaller XTMs. At busy times we sometimes see more than 400 thin and fat client user sessions simultaneously."

IT and HR together determine what the users may and may not do, outside the level appropriate to their job. "At the application level we are currently not going further than establishing which application is used within the http(s) proxy. For example, suppose that specific marketing people are permitted to use Facebook. If we want to we can establish that, within that application, they are permitted to chat but not to play games."

Because availability is extremely important, alongside the redundancy at the firewall level Ter Beke has also opted for redundant connections for the branches. If a physical back-up connection is available through a 'second' provider, this is used there. Some branches are in fact quite remote, so that it's not always possible to obtain a second physical Internet connection from 'another' provider. This is why for the branches, Ter Beke uses the WatchGuard Broadband Extend Wireless Bridge, which achieves a back-up Internet connection based on a 3G network.

Cost Savings and User Convenience

After the entire transformation Decroos has acquired a far greater insight into bandwidth use. "That's what it's about. The tools are not intended to check up on our colleagues. I would just like to know what is being used by which applications."

The WatchGuard solution Ter Beke is using encompasses the UTM bundle for protection against all types of threats – along with URL filtering, it also includes Intrusion Prevention, Application Control, SpamBlocker, Gateway Antivirus and Reputation Enabled Defense.

"We have achieved a great deal of cost savings through the consolidation," notes a satisfied Decroos. "The anti-spam solution from the WAN provider was an expensive monthly subscription per user, our anti-virus solution ran on its own server and the URL filtering was also a fairly expensive subscription. Just the savings on anti-spam and URL filtering based on 500 concurrent users was around 10,000 euros annually, or roughly speaking 20 euros per user per year. As a consequence of the consolidation two Microsoft servers also became superfluous. We have eliminated all the regular costs. We have also been able to give our users a much nicer working experience. My colleague De Wael has been relieved of a lot of frustrations in maintaining duplicate exceptions in the ISA server, and thanks to the WatchGuard reporting he now has the possibility of a much more transparent inspection of what is actually happening in his network. The fact that WatchGuard has turned out to be so good at protecting a terminal server and Citrix environment is the icing on the cake of our project."

About Ter Beke

Ter Beke is an innovative Belgian fresh foods group which commercialises its range in 10 European countries. The group has two core activities: sliced cold meats and refrigerated ready meals. It has nine industrial sites in Belgium, the Netherlands and France and has around 1,850 employees. In 2011 Ter Beke achieved sales of 403.7 million euros. Ter Beke is listed with Euronext Brussels. Learn more at http://www.terbeke.com.


About WatchGuard

WatchGuard has deployed nearly a million integrated, multi-function threat management appliances worldwide. Our signature red boxes are architected to be the industry's smartest, fastest, and meanest security devices with every scanning engine running at full throttle. Why buy WatchGuard? Find out here.
