A few years ago, Portland Public Schools in Oregon laid out its vision for the future. Officials wanted to quickly get technology into the hands of students, teachers and staff to continue the district’s already strong track record of academic achievement.
Statewide test scores were up in almost every category in 2014, and U.S. News & World Report recently named two of PPS’s high schools among the state’s 10 best. But the district’s IT staff decided more could be done to provide students and teachers with fast, efficient access to the latest hardware and resources.
Administrators reached out to technology partner CDW to discuss different ways in which new hardware, including computers, could be customized, imaged and delivered directly to schools.
Those discussions led to CDW’s Advanced Image Deployment Service. The solution involves the creation of a secure VPN tunnel between Microsoft System Center Configuration Manager (SCCM) servers at the district and the technology provider. The dedicated network connection, which includes a VPN appliance with a static IP address, allows school IT administrators to replicate computer images directly to the distribution point server at CDW.
Educators say the VPN connection between the school and CDW reduces the time it takes to set up and deliver new technology and saves the district in other areas, such as warehouse storage costs. Rather than send machines to a district office to be configured and distributed, CDW sends the hardware directly to the schools where it is needed.
Though VPN technology has been around for a while, costs have declined and security has improved to a point where the technology has become a viable option for schools, says Jonathan Vail, user experience management lead at PPS.
How It Works
PPS creates computer images on an SCCM server. Those images are then sent via a dedicated connection across the network to CDW’s configuration/distribution center in North Las Vegas. Technicians consult the instructions sent by the district and install the images as directed on new PCs. Machines are delivered and are ready to go, out of the box.
Ryan Whitman-Morales, technical services director at PPS, says the foundation for this latest collaboration was laid several years earlier when the district transitioned to Microsoft Active Directory.
“The missing link was that even with all the improvements from Active Directory and SCCM, we still didn’t have a direct network connection between PPS and CDW,” he explains.
What follows is the step-by-step process by which PPS set up its VPN tunnel in partnership with CDW.
- Preconfigure a VPN appliance. The VPN appliance (in this case, a Cisco Systems ASA 5505 unit) and an SCCM distribution point server were configured by district IT staff and sent to North Las Vegas for CDW technicians to access. The image files are transmitted over a 2-gigabit Internet connection from the district’s office to the VPN appliance on the CDW side. The district maintains a Cisco ASA 5585 unit and a secondary server on its side.
- Secure the tunnel. As a security measure, CDW requires its customers to provide a list of customer IP addresses and/or an IP address range that will touch the peer address — the static public IP address assigned to the customer. For security purposes, all other IP addresses are denied access. Ports allowed through the VPN connection are limited to IPSec, HTTPS and SSH. This connection is isolated and segmented from the CDW network and any other networks in the North Las Vegas facility that also deliver a secure connection to devices being imaged.
- Ship the preconfigured VPN device to the technology partner. CDW provided PPS with a return merchandise authorization number and instructions on how to send the preconfigured Cisco ASA appliance and SCCM server to CDW’s facility. PPS then shipped the hardware to technicians at CDW’s Configuration Center.
- Test the VPN appliance. Once it received the district’s Cisco ASA unit, CDW contacted PPS to test the VPN traffic. Adam Seitz, PPS systems administrator, says the testing process was fairly straightforward and didn’t take more than a few hours. After the VPN connection was established and traffic validated, CDW racked the VPN appliance and deployment server in its data center in North Las Vegas. The secure, climate-controlled facility is monitored by video surveillance.
- Retain management of devices. After the appliance was tested and racked, the district maintained full remote control of its VPN appliance and remote deployment server.
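The "Secure the tunnel" step amounts to a default-deny policy: only listed customer addresses may reach the peer address, and only for IPSec, HTTPS and SSH. The Python sketch below is an added example, not configuration from PPS or CDW; the addresses are constructed placeholders from documentation ranges, and the mapping of "IPSec" to IKE (UDP 500), NAT-T (UDP 4500) and ESP is an assumption about how such a rule is usually expressed.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not values from the article.
ALLOWED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/28", "198.51.100.64/32")]
PEER_ADDRESS = ipaddress.ip_address("203.0.113.10")

# Assumed mapping of "IPSec, HTTPS and SSH" to protocol/port pairs.
ALLOWED_SERVICES = {
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", None): "IPsec ESP",   # ESP is an IP protocol and has no port
    ("tcp", 443): "HTTPS",
    ("tcp", 22): "SSH",
}

def evaluate(src, dst, proto, port=None):
    """Return (allowed, reason) for one flow; anything not matched is denied."""
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return False, "malformed address"
    if dst_ip != PEER_ADDRESS:
        return False, "destination is not the peer address"
    if not any(src_ip in net for net in ALLOWED_SOURCES):
        return False, "source not on customer allowlist"
    proto = proto.lower()
    key = (proto, None if proto == "esp" else port)
    service = ALLOWED_SERVICES.get(key)
    if service is None:
        return False, "service not permitted"
    return True, service

def audit(flows):
    """Return every flow the policy denies, paired with the reason."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(*flow)
        if not allowed:
            denied.append((flow, reason))
    return denied

# Constructed sample flows: (source, destination, protocol, port)
SAMPLE_FLOWS = [
    ("198.51.100.5", "203.0.113.10", "tcp", 443),    # listed source, HTTPS
    ("198.51.100.64", "203.0.113.10", "esp", None),  # listed source, IPsec ESP
    ("198.51.100.20", "203.0.113.10", "tcp", 22),    # source outside the /28
    ("198.51.100.5", "203.0.113.10", "tcp", 3389),   # service not on the list
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("DENY", flow, "-", reason)
```

Running a list like this against the rules before the appliance ships gives the traffic test a known set of expected permits and denies.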
The new system came in handy earlier this year when PPS was moving off Windows XP and had to reimage all 14,000 machines, Whitman-Morales says. As of late fall, the district was about 84 percent done, largely because of the speed with which they now deploy new images across the district.
“It doesn’t matter if it’s during busy times like last spring, or if we get a large donation and need to image new machines, we now have the infrastructure, tools and network connection in place to quickly image computers and upload software any time we need them,” says Whitman-Morales.