
GLOBAL REMOTE ACCESS VIA SATELLITE · 2019-03-12 · 380 kV cable route in Livorno/Ferraris...

Date post: 06-Jul-2020

While globally networking all of its construction sites, the building contractor Max Bögl developed a global remote access VPN for secure mobile communication. Since the network is managed around the clock, it allows inexpensive data exchange at any time, even in undeveloped regions of the world.

The building contractor Max Bögl was incorporated in 1929. The group, with its headquarters in Neumarkt, Germany, now looks back upon a successful company history of more than 80 years. With construction services totaling 1.4 billion euros and 6,000 highly qualified employees, the company is not only among the top five of Germany's largest building contractors; held by the family in its third generation, it is also Germany's largest privately owned building contractor. The activities of the international technology and service company cover all areas and levels of difficulty of the modern building and construction industry: building construction, construction of traffic routes, civil engineering, tunnel construction, structural steel and plant construction as well as construction of prefabricated components.

The company's overall motto, "progress is built on ideas", is also the guiding principle of the department "IT external services". The head of the department, Dipl. Ing. Peter Reichel, puts mobile availability of data first.

He is responsible not only for developing innovative IT solutions but also for conceptualizing, organizing and supporting IT on construction sites and joint ventures. "A close connection between a perfectly organized IT at the construction site and the management at the headquarters enables immediate fine tuning of all processes. It is this fine tuning which reduces costs. Only with immediate communication is it possible to quickly recognize and correct errors. This reduces the risks for the whole company," Reichel explains.

Over the past few years, Reichel and his team have faced growing challenges as a result of the company's positive and progressing international development. Until 2006, mobile employees were connected to the company network only nationally, via T-Mobile's IP VPN and the MPLS platform of Deutsche Telekom. When the company opened branches in other European countries, the disadvantages of that solution became apparent. Not only were roaming fees skyrocketing, but data security also became a problem. The notorious problem of hacker attacks and corporate espionage was an issue at Max Bögl, too. In order to combat this threat, the company needed a solution with strong authentication and encryption mechanisms.

Room for growth

In 2006 Reichel and the outsourcing partner of Deutsche Telekom decided to introduce a global virtual private network (VPN). This VPN was to set the course for the future and provide enough room for growth of the company's IT. The framework of the VPN solution required it to be more flexible with respect to communication media, highly scalable and centrally managed. In addition to that, Reichel wanted a solution which was easy to use, had the highest possible security and economic efficiency, and provided high availability 365 days a year. On top of that, Reichel also required a VPN solution based on a platform that enables multi-company support. The common RAS platform was the basis for the T-systems of several customers which should be operated in parallel while their data remained strictly separated.

Requirements for a remote access VPN solution:

- Provision of centrally managed secure remote access services (managed VPN)
- Coexistence with T-Mobile IP VPN and T-Systems MPLS platform
- International communication
- Use of different communication media types (3G, HSDPA, GPRS, EDGE, xDSL, WiFi; ISDN, analogue networks, satellite)
- Use of laptops with T-Mobile web'n'walk Cards or T-Mobile MDAs
- Easy and standardized operation for the user
- No incorrect operator input possible (parameter lock)
- Secure communication via hot spot
- Protection of the workstation
- Good value

The remote access VPN solution of the Nuremberg-based NCP engineering GmbH, sales partner of Deutsche Telekom, was implemented because it met all those requirements. For many years, NCP and Deutsche Telekom have been working together successfully on various large-scale projects. NCP's Secure Enterprise VPN Server and NCP's Secure Enterprise Management (SEM) form the core of the fully automated remote access VPN solution of the Telekom Designed Network (TDN). NCP's Secure Enterprise Management (SEM) provides systematic management and monitoring of the whole remote access network and consists of the Management Server and the Management Console. Databases form the basis of the Management Server, which communicates with almost every database via ODBC (e.g. Oracle, MySQL, MS SQL, MS Access, MaxDB). The Management Console is the solution's front end, which is used for saving user data, configuration settings and certificates. A database stores all relevant information and includes it in the backup process of Deutsche Telekom.

One for all

The multi-company support feature makes the Secure Enterprise Management the perfect solution in all those cases where a remote access VPN is used as a single VPN platform to serve several different companies (VPN sharing). Each administrator account is configured so that the administrator has access only to his or her share of the network, e.g. his or her managed units. It is impossible for the administrator to access clients of other protected shares. The fully automatic update process allows the administrator to centrally provide the remote clients under Windows with software updates or patches, which are then automatically installed on the client that is logging in (provided the automatic update option has been enabled). NCP's Load Balancing and Backup Services ensure high availability of the VPN infrastructure.

Depending on the needs of the project, the customer also receives all further (peripheral) VPN components like the NCP Secure Enterprise VPN Server and the Telekom Secure Client, which is based on NCP's Secure Enterprise Clients. Once the administrator has activated the users of the VPN clients and conducted the handoff from the Active Directory to the RADIUS server, which is integrated in the Management Server, the system manages itself fully automatically on the components operated by Deutsche Telekom. The system carries out fully automatic administration on the basis of templates. The administrator centrally and consistently defines templates as client profiles via the Management Console. In the same way, the administrator is able to define detailed individual user policies, for example for users who need a special profile. The fully automatic processes significantly reduce the time and money spent on management and reporting. This process allows a VPN of about 500 clients to be commissioned within a few days.

Keeping communication costs under control

The VPN platform currently offers about 1,500 Max Bögl employees a highly flexible and, above all, secure VPN connection. This allows the employees to work transparently via different media types (3G, HSDPA, GPRS, EDGE, xDSL, WiFi, ISDN, analogue networks, satellite). The construction site LANs, which are located all around the world, are inexpensively connected to the corporate headquarters via an NCP Secure Server that has been installed on site. "We are now able to operate independently of one single provider and locally choose the least expensive one. Our employees in Dubai, for example, are able to set up a tunnel at next to no cost. We reduced our communication costs in foreign countries by a factor of ten," Reichel explains.

Among other features, the integrated Budget Manager of NCP's Secure Client Suite helps to keep communication costs under control. Employees are assigned defined volume or time budgets, or have to use a certain provider, in order to keep wireless communication costs under control and monitor them. Max Bögl employees do not even have to take care of selecting the suitable communication network, dialing up to the Internet or setting up a VPN tunnel. NCP's VPN Clients Suite takes care of all that.

The VPN client's integrated firewall is another important feature that relieves users and administrators alike. Depending on the environment, the software automatically recognizes a "secure" or "insecure" network and activates the required firewall rules. Since the administrator defines the rules centrally, the user cannot modify them.

In the meantime, the VPN is no longer used exclusively for large-scale projects; smaller construction sites also receive remote access to the corporate headquarters for data exchange. In order to connect locations which neither allow cabling nor have mobile radio communication, the pilot project "construction site communication via satellite" was started in spring 2007. This project enables Bögl to connect even remote construction site VPNs to its central network. The first project of this kind was the construction project 380 kV cable route in Livorno/Ferraris (Italy). In the meantime, mobile satellite facilities are being used. These facilities automatically adjust themselves and can be transported to any place in Europe by car. On site, the construction site team is able to access the company network via the site's VPN and the Internet.

IPsec VPN connections via any Internet access

Max Bögl employees, however, faced one recurring problem: they were not able to set up an IPsec connection to the central data network with their mobile device if they were in a hotel or in the network of a joint venture partner. This problem was usually caused by routers placed in the path or by firewalls which did not allow IPsec data communication. Internet access was restricted to web browser communication, i.e. users were only able to access the Internet via ports 80 (HTTP), 443 (HTTPS) and 53 (DNS), while operators usually blocked ports 500 or 4500, which IPsec uses for key exchange and NAT traversal. "We were desperately looking for a solution when NCP's Path Finder Technology gained control of this problem. This feature recognizes that the VPN gateway cannot be reached via standard IPsec. If this is the case, the VPN client software automatically switches to a modified IPsec protocol mode and emulates HTTPS in order to set up a VPN tunnel," Reichel enthusiastically explains. "Our employees are now able to securely access the VPN at any time and any place without any hassle."

Always a step ahead

In order to always be a step ahead of the competition, the Max Bögl group wants to strengthen its market share with the use of top-notch IT communication technology at its construction sites. This defines the path the IT department of the company is traveling: over the next years, every construction machine is to be connected to the company network via an on-board computer. Reichel says, "It is only possible to carry out an exact variance analysis in real time if you receive a performance report of every excavator shovel that moves. This information is then immediately compared to the corresponding process number in our SAP system."

Stock-holding, too, is to be optimized in this way. Barcode scanners are currently integrated into Max Bögl's WiFi network. In future, employees of the plants constructing prefabricated components and at the stocks of the construction sites are to work with RFID/barcode scanners equipped with NCP's VPN client. NCP's client might also be used to connect modern on-board truck computers to the disposition department. Modern communication equipment is not only used at Max Bögl construction sites; employees of the company headquarters also test the use of mobile devices like iPhones, iPads or Android-based devices for secure communication. The modularity and high scalability of the VPN software solution give Bögl the freedom to adapt its remote access network according to its needs.

About NCP engineering, Inc.

Since its inception in 1986, NCP engineering has delivered innovative software that allows enterprises to rethink their secure remote access, and overcome the complexities of creating, managing and maintaining network access for staff.

Headquartered in the San Francisco Bay Area, the company serves 30,000-plus customers worldwide throughout the healthcare, financial, education and government markets, as well as many Fortune 500 companies. NCP has established a network of national and regional technology, channel and OEM partners to serve its customers.

To learn more about NCP engineering, visit www.ncp-e.com. Reach the company on its blog, VPN Haus, or on Twitter.

NCP engineering, Inc. 678 Georgia Ave. Sunnyvale, CA 94085

Phone: +1 (650) 316-6273
Fax: +1 (650) 251-4155
www.ncp-e.com

© 2011 NCP engineering, Inc. All rights reserved.

Peter Reichel, Head of the department "IT external services" at Max Bögl

