
Customer:
Pennsylvania Housing Finance Agency
Harrisburg, PA
(~300 users)
Cymphonix Product:
Network Composer DC40X
"I'm extremely happy with the Cymphonix Network Composer. We are seeing a significant savings in annual license fees while gaining more features & functionality. We were immediately able to identify traffic that needed to be investigated, quickly determine the source, and block or allow traffic as appropriate."
- Kris Clymans
PA Housing Finance Agency
Background:
The Pennsylvania Housing Finance Agency (PHFA) is the Commonwealth's leading provider of capital for affordable homes and apartments. Created to help enhance the quality and supply of affordable homes and apartments for older adults, persons of modest means, and persons with disabilities, the Agency operates homeownership programs, rental housing development initiatives, and a foreclosure prevention effort.
In its nearly 35 years of existence, PHFA has provided $8,000,000,000 of funding and tax credits for home mortgage loans and apartment units, while saving the homes of tens of thousands of families from foreclosure.
In addition to its major programs, the Agency conducts housing studies, promotes counseling and education for renters and homebuyers, encourages supportive services at apartments it has financed, administers rent subsidy contracts for the federal government, and acts as an advocate to promote the benefits of decent, affordable shelter for those who need it most.
PHFA also has a significant effect on employment. Its homeownership and multifamily rental programs offer vendors excellent business opportunities in the fields of real estate sales, development, law, construction, architecture, engineering, lending, housing management, and related disciplines. Other Agency-related measures affect employment and industry in a wide variety of fields and professional disciplines.
Network Environment:
PHFA’s network environment consists of approximately 325 workstations geographically dispersed in 3 offices across the Commonwealth of Pennsylvania. Almost all users are assigned desktop or laptop systems running Windows XP SP3. Remote access users log into a Citrix XenApp 5.0 server for access to all PHFA applications from home or any other location outside the PHFA network. Thin clients are also used to access the Citrix server for a 12-seat internal training facility.
Internet access is provided via a 10 Mbps Internet over Ethernet solution provided by AT&T. PHFA requires a filtering solution to prevent liability caused by employees accessing inappropriate content from the workplace, to curb non-business-related Internet usage, and to prevent malware from being downloaded by blocking known malware sites. Varied levels of access for developers, Power Users, Network Administrators and the general user population are also a must for any filtering solution.
Challenge:
PHFA was a long-time subscriber of Websense for content filtering. Kris Clymans, in his role as Senior Network Systems Engineer for PHFA, worked with the product for more than 5 years and suggested that PHFA IT staff evaluate other solutions due to the many issues with Websense. After review and testing, PHFA migrated to SurfControl in 2005. This solution was more suited to managing PHFA’s network traffic and worked fairly well overall. PHFA utilized SurfControl for 2 years until the announced buyout of SurfControl by Websense. As soon as the buyout was announced, PHFA IT staff viewed SurfControl as a soon-to-be-dead product with further development unlikely. With Web 2.0 rapidly evolving, a dying product seemed unlikely to fulfill future filtering needs. After migrating back to Websense, PHFA staff realized that it hadn’t improved much in two years and decided to look for a solution that would provide more functionality, an increased feature set and, hopefully, a lower price tag.
Specific issues with Websense were very evident over both periods of use. The biggest concern was the complexity of managing the product. The interface was very dated and clunky. It often took a few attempts before a change was made that produced the desired results. Many times, the correct change was made, but it wouldn’t take effect until a random time afterwards. Because of this, it was often difficult to quickly resolve problems or to make changes to filtering policies.
Citrix was also a problem with Websense. Though Websense provided a module to filter Citrix users individually, it never functioned at 100% even after repeated calls to tech support. Eventually, the Citrix server module was removed and the server was filtered and reported on as a single entity. The inability to report on users individually became an issue when supervisors requested reports on these users. IT was unable to fulfill the request because the data could not be segregated on a user-by-user basis. This also prevented administrators from downloading software when logged in remotely, because many download sites were blocked by the single policy being enforced on the XenApp server. The single policy enforced had to be the default policy to prevent any users on the server from accessing malware-laden download and hosting sites.
One positive found in SurfControl and earlier versions of Websense was the real-time monitor. This was of tremendous value in troubleshooting filtering problems. The newer versions of Websense had this functionality, but the browser-based implementation was much more difficult to work with and wasn’t as responsive as previous versions.
To add to all of these issues, there were so many pieces and modules in the newer versions of Websense that it was often difficult to determine exactly what part was malfunctioning when a problem arose. Many calls to support were made to resolve problems that ended up requiring only a very simple configuration change, but it was difficult to isolate which part needed to be examined.
Solution:
Due to the many issues with Websense, the time taken to troubleshoot issues, and the complexity of day-to-day management, it was again suggested that other web filtering solutions be reviewed to replace SurfControl when the subscription ended in October of 2009. Kris Clymans began researching as many products in the space as he could find. “The costs associated with the Websense renewal were such that almost any solution was less expensive. This allowed us to truly evaluate each solution on its merits and not have to worry as much about the costs associated. Any solution we implemented would still mean cost savings over Websense.”
Kris Clymans and Kim Boal, Manager of Network Service at PHFA, attended numerous online demos for products like WatchGuard, iPrism, Sophos, IronPort, and many others. Several of them provided all the required functionality that PHFA IT staff was seeking, but some were definitely a closer match than others. “We were particularly zeroed in on IronPort as we had recently implemented their anti-spam and email encryption offering with great success.” Interestingly, Cymphonix was not on PHFA’s original review list; it was recommended by one of the companies that PHFA had reviewed and found not to be a good match.
“We were going through the online demo with another company and talked about the features we liked, but there were several features their offering lacked that made it a good fit for PHFA. Their sales representative said that since we weren’t going with them that we should check out Cymphonix as it has a lot of the same features and included the other functionality we required.”
Kris Clymans called the contact provided to him at Cymphonix and scheduled a demo of their solution. “We immediately knew this was a good fit. It allowed ease of management, everything needed to run it INCLUDING data storage was on one box and it provided deep inspection into traffic to allow easy management of ALL protocols and not just HTTP. Websense allows protocol management, but not with the granularity and simplicity provided by Network Composer.”
After additional demonstrations, conference calls with Cymphonix Engineering and many whiteboarding sessions, it was decided that Cymphonix Network Composer was the best fit for PHFA. “Network Composer provided increased functionality, much simpler management and troubleshooting, and a year over year cost savings over the existing Websense product.”
PHFA was put into contact with Brian Miller at Sagient Technologies to act as reseller, as Cymphonix doesn’t sell directly to customers. Brian immediately became involved in the sales process. He got himself up to speed on the transaction and offered examples of how other companies have implemented the product to achieve the results PHFA was looking for.
The installation was very simple and straightforward. The Websense configuration was mirrored into the Network Composer in an hour or two to replicate the existing rule set. Websense was removed from service 3 or 4 days after the Network Composer install and hasn’t been powered up again.
The real-time URL monitor was a great asset in the migration. It allowed PHFA IT staff to quickly identify why sites were being blocked and to address the issue. After a few modifications to the Citrix server, individual users are being logged and have appropriate policies defined.
Solution:
The Cymphonix Network Composer DC40X fit into PHFA’s network quickly and effortlessly. All users are now being filtered correctly, with multiple policies in place to reflect the correct level of access to Internet sites. Logs and reports are easy to produce and interpret for IT and supervisors alike. Any changes made to the configuration take effect almost instantly, so it is easy to determine if a problem is resolved or not. As an added bonus, the Network Composer is scanning all downloads for malware and virus-laden files. This capability didn’t exist with the previous solution and has detected and deleted numerous infected downloads. PHFA IT hopes to begin working with the traffic shaping functionality to further refine the utilization of PHFA’s Internet pipe to provide the best experience for PHFA users, PHFA customers and PHFA IT staff.