Wireless remote access extends Trafford Council network

Wireless remote access helped Trafford Council support an agile workforce and consolidate old buildings with secure remote access to its private and public network.

Wireless remote access provided an innovative solution to some unique challenges for Trafford Council in North West England. As its workforce became more agile and the Council looked to consolidate some of its old buildings into a new-build civic centre, the need for staff to have secure remote access via wireless was pressing.

After trialing wireless access in core meeting areas, the Council equipped key staff and remote locations with remote access points and is piloting a free Wi-Fi service in public libraries.

Public networks require compliance

Because the Council is connected to the Government Connect Secure Extranet (CGSX), any wireless system they installed needed to be in compliance with CGSX Code of Connection (CoCo) rules. "That was quite difficult when we first started looking for a wireless solution at the beginning of 2010,” said Tony Gregory, infrastructure development manager at Trafford Council.

He implemented Aruba’s Virtual Branch Networks solution, incorporating remote access points (RAPs) supplied by Surrey-based reseller Vanix. The devices provide both wireless and wired connectivity, manage security and network services, and offer connections for mobile broadband uplinks and IP telephony.

Security and scalability key

Gregory was keen that the solution be scalable as well as secure. He knew of other councils using point-based wireless solutions similar to home solutions, but he wanted a system that could scale as demand increased.

“We were attracted to this solution because the APs are technically thin. Therefore, they didn’t need any management. And if they were to go missing, we can be confident that there is nothing on the AP itself that would cause concern," said Gregory.

The solution incorporates a wireless perimeter appliance: “With wireless you have to be sure it is secure, as [someone] could attack the network from the public highway,” said Gregory.

The wireless remote access service builds on existing remote access available to council staff through a Juniper SSL-based remote access solution enabling remote access to a secure virtual workspace. “But we never gave our users network-level access," Gregory said. "It was always managed as access just to email, for example. As the user base started to grow and people needed access to more and more applications, it became [too much] management overhead."

He added, “We chose RAPs as we have a number of permanent home users that we provision services to and we thought it would be great if we could offer phone services too via the RAP. There was no additional work to get the phones to act as if they were on the network. Users could take an office VoIP phone and plug it into one of the ports on the RAP.”

Overcoming remote access challenges

At first the implementation did not go well. “We tried out some demo kits and found for about four weeks the service was intermittent, with the client dropping on and off the network. We couldn’t understand it,” said Gregory.

“We were getting frustrated. Then we did another test, and as we walked around the building, we discovered our alarm system was interfering with the wireless systems. Some of the PIRs (passive infrared movement sensors) were close to the APs and were running across the same channels, so we had to change the alarm system.”

Securing public wireless access to the system was most critical. Trafford Council's infrastructure team needed to ensure that people on the guest public network had no way to access the corporate network. They used a firewall to filter traffic on the public network to be certain there was no cross-traffic.

After that, Gregory reported the implementation was plain sailing, except for one small tweak: “When a laptop powers up, it must authenticate on the network as a corporate asset. There was a cached timeout, so if the laptop was hibernated and then pulled out of hibernation, the laptop would not come back on the network because that authentication process was not taking place. We found there was a feature that allowed you to cache [the authorisation] for a short period of time so that users did not have to reboot all the time.”

--Tracey Caldwell is a professional freelance business technology writer.

Read more on Network security strategy