Success Story

Full Service via the Internet

Remote Maintenance. The rising cost of newspaper presses makes fast support from machine manufacturers ever more important. Downtime means losses, so avoiding protracted maintenance work or major outages is a top priority.

As the market leader in large-scale web-fed offset systems, MAN Roland Druckmaschinen AG builds its customer service operation around a secure remote maintenance solution. The company's “tele-support center” operates around the clock from its headquarters in Augsburg and outposts in Chicago and Sydney, which serve as support centers for printing machines installed throughout the world. Helpline functions include ongoing monitoring based on the analysis of log files, regular maintenance tasks such as software updates, and a quick response to warnings and problems. “Because we are constantly monitoring our machines, we can solve problems before they get to the stage of downtime or breakdowns,” says Peter Brechtel, IT Infrastructure Manager at MAN Roland.

Towering: Web-fed offset printing machine

As well as being used for operational support, the remote maintenance link is also essential for the construction of new printing machines. MAN Roland's specialist technicians, working under time pressure on the on-site installation of new systems, can use the direct link whenever required to access vital tools, software, and know-how from their company network.

Top-Level Security Requirement

These links, therefore, are the vital nerves at the heart of the MAN Roland customer service system. That means rigorous requirements for their technical implementation, with the spotlight on reliability and security. “Our support system must have quick access to the machines at all times. And our customers quite rightly expect the application of the toughest security standards for these external interventions in their networks,” according to Brechtel: “Other expectations include ease of installation from the customer's perspective, and low running costs.”

In early 2004, MAN Roland decided to set up a virtual private network (VPN) for communications between the printing machines at customer establishments and its own corporate network. A VPN involves laying highly encrypted tunnels via public networks such as the Internet, providing a secure channel for the transfer of highly sensitive data. This requires the installation of VPN appliances at the end points, to create these “data tunnels” through the non-secure areas. MAN uses the “GeNUBox” encryption appliance manufactured by the IT security specialist GeNUA. The GeNUBox device works with the SSH protocol. This technology allows direct control of systems within external networks, even where the target is hidden behind a firewall. “An SSH-based solution has major advantages in terms of both security and installation, and this was a crucial consideration when it came to choosing a VPN appliance,” says Karlheinz Huber, an employee in MAN Roland's IT department.

GeNUBox Protecting the Customer Network

All MAN Roland web-fed printing plants are fitted with a GeNUBox as standard equipment, and more and more sheet-fed printing presses are being supplied to the customer with this form of remote maintenance access. The VPN appliance in the customer's network is then connected with a counterpart GeNUBox in the MAN Roland network. All that remains is to open an outgoing port in the customer network firewall, to create the encrypted link to MAN Roland. The VPN appliance protects the customer's access to maintenance support. The device's integrated firewall functionality isolates the maintenance area from the remainder of the customer network, and conveys the encrypted SSH link directly to the printing machine. This means the maintenance access is targeted solely at the supported installation. No access is provided to any other systems in the printing machine operator's network.

Automatically: Change of printing plate

As another security feature of the solution, the maintenance link can be set up only by the party opening its network for external access, i.e. the customer. Only when the link has been created can it be used by MAN Roland in the opposite direction to carry out the required maintenance work. That gives the printing machine operator control over whom it lets into its network, and when.

Full Service Based on Wake-Up Function

Since the link is always set up from the customer side, agreed time windows for maintenance are arranged in advance with the manufacturer's support service, or booked a short time ahead by telephone. Another possibility is to use the “wake-up” solution. In this case, the access opening process can also be activated by MAN Roland, which can then perform all the required maintenance tasks independently, without having to disable the security feature whereby only the customer can initiate the link.

Reliable and secure: Remote maintenance appliance GeNUBox with management server

This is done as follows: the manufacturer's support team wanting to carry out maintenance work sends a special data packet (UDP) to the VPN appliance in the customer network. This signal tells the GeNUBox to set up the SSH tunnel to MAN Roland, and once the link is in place, it can also be used in the opposite direction for the performance of maintenance work.
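The wake-up pattern described above, sketched as an added example that is not GeNUA's or MAN Roland's code: the appliance accepts a UDP payload only if it is authentic, fresh and not replayed, and then opens the outbound tunnel to a destination fixed in its own configuration. The article does not describe the packet format, so the HMAC layout, the time window, the key, the host names and the function names are all assumptions of this example.

```python
import hashlib
import hmac
import struct

# All values below are constructed for this example, not taken from the product.
SHARED_KEY = b"constructed-demo-key"        # per-appliance secret (assumption)
SUPPORT_HOST = "support.example.invalid"    # fixed tunnel destination (placeholder)
PRESS_HOST = "press.example.invalid"        # the one supported machine (placeholder)
MAX_SKEW = 30                               # accepted clock difference in seconds
TAG_LEN = hashlib.sha256().digest_size

def make_wakeup(key, timestamp, nonce):
    """Support side: 8-byte timestamp + 8-byte nonce + HMAC-SHA256 tag."""
    body = struct.pack("!Q", timestamp) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()

class WakeupVerifier:
    """Appliance side: decides whether a received UDP payload may open the link."""
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = set()   # accepted bodies (a long-running service would expire old ones)

    def check(self, datagram, now):
        if len(datagram) != 16 + TAG_LEN:
            return "reject: malformed"
        body, tag = datagram[:16], datagram[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        (timestamp,) = struct.unpack("!Q", body[:8])
        if abs(now - timestamp) > self.max_skew:
            return "reject: stale"
        if body in self.seen:
            return "reject: replay"
        self.seen.add(body)
        return "accept"

def on_wakeup(verifier, datagram, now):
    """Return the outbound tunnel command for a valid wake-up, else None."""
    if verifier.check(datagram, now) != "accept":
        return None
    # The destination comes from local configuration, never from the packet,
    # so a wake-up can only ever trigger the link the customer already approved.
    return ["ssh", "-N", "-R", f"2222:{PRESS_HOST}:22", f"tunnel@{SUPPORT_HOST}"]
```

Because the packet carries no address or command, a forged or replayed wake-up can at worst be dropped; it cannot redirect the tunnel.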

Installation of the maintenance solution at the customer's end is carried out in a few simple steps:

  1. Opening of an outgoing port on the firewall
  2. Input of MAN Roland's IP address as the destination for the SSH tunnel
  3. Brief test of the link, run from a laptop
  4. Connection of the GeNUBox, preconfigured by MAN Roland, to the network

The link used is usually the company's existing Internet access, so that there are no additional running costs. The solution works with both permanent and dynamic IP addresses. Since the launch of the maintenance VPN service, over 40 customers have connected up to the MAN Roland support service, and approximately 60 new web-fed offset and sheet-fed printing machines link up to the system each year.