Conception and implementation of the WLAN environment for the new Paessler headquarters
By 2015, the former Paessler AG HQ had become too small to contain its successful and rapid expansion. Paessler needed a new building within which it could reorganize, recruit new members, and plan ahead for the maintenance of innovation and quality customer service. After a lengthy search, a four-floor (+ basement), 7,000 sqm office was identified as a candidate for the new HQ. This new HQ, located in the north-east of Nuremberg, would soon become the beating heart of the Paessler family.
With the choice of building secured, the next step was to ensure a strong and reliable WLAN. Our belief is that employees should be able to access the infrastructure over all Paessler grounds - both inside and out. It is essential that our teams can connect from their workstations, the meeting rooms, our sports and leisure rooms below ground, the beer garden, the bistro - anywhere.
Planning for the relocation was a lengthy process. It was essential that we timed everything right and planned everything accordingly, to ensure a smooth and efficient transition for our customers.
The first step was to plan requirements:
The adopted solution should meet all requirements for the next 5 years. As a result, the focus in planning was on reliability, and long-term availability of equipment and good support.
2. Performance and Availability
In view of flexible use and broad support for end devices, the solution should provide high data rates in the 2.4GHz and 5GHz spectrum. By default, DUAL WLAN was set in 11n and 11ac. In addition, access to the internal systems must work quickly and smoothly throughout the building through the wireless network. The plan was an area-wide WLAN data rate of at least 500 Mbit/s.
3. Central Management
Four floors at 1,500 sqm, plus various cellar rooms and the beer garden - there must be a sufficient number of access points. A basic prerequisite was that the entire WLAN infrastructure could be managed centrally.
The client-side network infrastructure is based on switches with PoE (Power over Ethernet) to supply, for example, the VoIP phones with power. The access points should also support PoE to keep our cabling as lean as possible.
5. Authentication and Security
To secure the internal infrastructure effectively while also providing Internet access via the WLAN infrastructure to employees and guests using their own devices (BYOD), various security functions (for example, 802.1X) had to be supported. A further requirement of the WLAN setup was that any current device supporting the current standards can connect simply and natively.
Strong Partner Wanted
Our previous office was based in the loft of an old industrial building. Within four years, Paessler had grown from one and a half floors to two and a half - occupying an area of 500 sqm. The WLAN infrastructure here proved often to be insufficient - fluctuating strength, and so on. The system lacked features such as the seamless transfer between different access points, rendering it unsatisfactory. Users were unable to move freely from one 'zone' of the grounds to the other without risking losing connection, and therefore, any open sessions or documents. The system also lacked central management. It was high maintenance, sometimes even requiring reboots which caused disruption to company flow.
With these problems in mind, Paessler knew the relocation to the new HQ would be the perfect opportunity to create the WLAN infrastructure from scratch. Paessler would choose only the most skilled professionals in order to achieve the goal of a consistent, stable, strong WLAN which could cover the grounds, without disruption, both in and out.
Essentially, the following requirements were addressed to the installer:
- Homogeneous environment
- High-quality and high-performance hardware
- Good SLAs and reliable support
We had three suppliers in mind: LANCOM, Aruba and Cisco. Over the following six months, candidates were rigorously tested until finally the decision was taken to use LANCOM. LANCOM's equipment is German engineering at its finest - high-quality, with a dense partner network (for support cases). It had the best performance ratio of the three and was priced competitively.
Final planning and implementation
As soon as the decision to partner with LANCOM was made concrete, Paessler pushed forward with the planning phase in order to commence implementation.
WLAN coverage: fast and wide coverage
A surveyor was called in to survey the four floors, plus underground levels, plus all outdoor areas, in order to fully assess the scale of the project. A heat map was generated, detailing all ideal locations for the coming access points.
The result: we now have good WLAN coverage in all planned areas and an ideal throughput of up to 867 Mbps in the 5GHz range.
The central management is taken over by a WLAN controller, which is used to control the access points. All WLAN settings are centrally stored, edited and executed in this controller. The provisioning of access points has been simplified. Furthermore, the controller ensures that the WLAN sessions are passed seamlessly between the access points. Internal networks are separated via security functions (firewall, authentication, authorization) from public networks.
Only network cables had to be routed to the planned locations of the access points. The advantage here: no extra power connection or expensive feeding by Power Injectors is necessary.
1 Company, 4 Wireless Networks
We needed four independent WLAN networks in order to cover all requirements. But in addition to coverage, security was also a major factor. As soon as access to the internal network and systems was possible, 2-factor authentication was implemented.
- Paessler notebooks
With Paessler's own devices, logging on to the WLAN should be as smooth as possible. To ensure access, we rely on certificate-based authentication via 802.1X. The client must be a member of the domain and is logged into the internal WLAN network automatically once its installed client certificate has been checked. The employee has access to the entire infrastructure that is shared with their account.
- BYOD for Paessler employees
If the employee uses their own mobile device, they must log in using their Paessler username and password. This allows them to connect to the Internet with basic services. This network is separate from the company network. It is not possible to use internal services via this WLAN access.
Of course, we frequently entertain visitors at our new HQ: partners, consultants, suppliers, applicants, etc. Naturally, we want to offer our visitors internet access. For this purpose, we have a permanent guest network which doesn't allow visitors to access internal systems but lets them enjoy a fast internet connection. The visitor is issued a token which is valid for a limited period of time.
- Events / Training
We often hold in-house events, such as PRTG trainings, regional IT events, or Paessler celebrations which many external guests attend. On such occasions, we use our fourth WLAN network which allows access to the Internet via password. The network is only activated for events / trainings and the password is changed accordingly.
Of course, sometimes a device can fail or a cable loosens. For such situations, we are able to create an overlap of signal areas, thus ensuring constant connectivity. While we won't reach the full 867 Mbit/s, enough coverage will remain to keep all departments in all locations functioning.
PRTG monitors the entire system: If a device fails, we are immediately informed. We also measure the number of clients deployed, detect anomalies, and take immediate action as soon as any issue is detected.
Where problems occur, LANCOM fulfill their promise through our agreed service contract. Should a device fail entirely, then replacements are supplied as soon as is possible. LANCOM's customer support is responsive and gears itself toward efficiently and effectively resolving any issue.
In addition to the WLAN network, the classic Ethernet-based LAN - which is connected to all workstations and meeting rooms - is our fallback solution. Should total WLAN failure occur, then we can access our LAN. Mobility suffers, but it means Paessler remains always connected.
WLAN as the basis for more agility
It has been about a year since we moved into the new headquarters. Today, you can see colleagues working with mobile devices from all around our grounds. Meetings can be carried out spontaneously. If you need peace and quiet, then you can take your laptop outside and sit in the sun or find a quiet room elsewhere in the building. Some even take their laptop to the bistro - just in case that all-important email should come through while they are lunching.
With such a powerful WLAN, mobile devices have a high level of acceptance, connection is available from everywhere at all times, and Paessler can operate at maximum capacity. The different departments have all the tools they need to maintain our desire for innovation and quality support.
Dirk Fiebiger has been IT manager at Paessler since 2016. He studied as a Business Data Processing Specialist before becoming administrator of an IT system at enterprise level. Later, Dirk became head of IT for a hotel booking portal. In addition to Dirk's innovations in network technologies, he is a motorcycling enthusiast and a fan of the German football club FC St Pauli.