Easy Management of Hundreds of SSL Certificates, Better Visibility, and Downtime-Free Maintenance
Quantum Health is a health‑care benefits coordinator that guides employers and their health plan members through the complex health‑care process, and provides a single point of contact for its clients’ health benefits and programs. Quantum Health’s clients are large self‑funded organizations that need a benefits coordinator to provide compassionate, quality care for employees (“members”) while eliminating wasteful health‑care costs. With such a valuable approach, Quantum Health’s business is on the rise.
A key component of Quantum Health’s solution is a portal where members manage their accounts, check the status of claims, and carry out related activities. For each of its clients, Quantum Health hosts and deploys a unique portal with a unique domain name. Although each customer gets a separate domain, the sites all share a common codebase that includes some custom content for each customer. This helps ease maintenance as compared to having a unique site per customer.
Starting out, Quantum Health’s IT infrastructure team managed two SSL/TLS certificates, and each certificate could support up to 100 customer domains, using the Subject Alternative Name (SAN) field. However, Quantum Health wanted to move away from that model. With a shared certificate, anyone who inspects the certificate can view all of the domains – and therefore the list of Quantum Health’s customers – that it protects. To solve this problem, Quantum Health decided to move to a model of providing an individual certificate for each customer’s domain, which would ensure security and protect customer privacy at the same time.
While implementing this new approach, Quantum Health hit a roadblock with its web server, Microsoft IIS. With IIS, in order to deploy one certificate per domain, the team would have had to create duplicate backend servers for each customer. However, Quantum Health’s IT Infrastructure team continuously looks for ways to streamline operations, so they knew they could find a more scalable way to manage SSL certificates.
“We were moving to a single certificate per website model, where each domain would have its own unique certificate. This meant that we were moving from managing two certificates to managing hundreds of certificates. Automating the certificate management process to cut down on administrative overhead was very important to us in order to scale,” says Rick Breidenstein, Manager of IT Infrastructure at Quantum Health.
Breidenstein was already familiar with NGINX and NGINX Plus from previous projects, including personal projects and previous work at Gogo. So when the need for easier management of SSL certificates arose, he knew NGINX Plus was the ideal solution. NGINX Plus extends the open source NGINX software with advanced functionality and award‑winning support to provide a complete application delivery solution.
Quantum Health deployed a high‑availability (HA) pair of NGINX Plus instances in its private cloud in front of Microsoft IIS to handle SSL termination. With NGINX Plus, Quantum Health could achieve its goal of having individual SSL certificates per customer while maintaining a single backend application.
In addition to SSL termination, NGINX Plus also paves the way for even more enhancements within Quantum Health’s infrastructure. “Easy management of SSL certificates was what initially led us to NGINX Plus, but NGINX Plus also provides us with high availability and the flexibility to perform system maintenance during the day – without any downtime or outages to customer‑facing services,” says Breidenstein.
Achieving the Last Mile in Site Security
NGINX Plus made it easy for Quantum Health to have individual SSL certificates per customer while maintaining a single backend application. This is accomplished within NGINX Plus by specifying multiple virtual servers, one per customer domain, while having each virtual server proxy to the same backend service. To differentiate between the different customer domains coming in on the same IP address‑port pair, NGINX Plus makes use of Server Name Indication (SNI).
With NGINX Plus as a proxy handling SSL termination, Quantum Health is able to support all customer domains from one application and increase security by giving each customer its own individual certificate.
Breidenstein adds, “We previously had a B rating from SSL Labs for all of our SSL sites. NGINX Plus allowed us to tweak those configurations and increase our grade from a B to an A. NGINX Plus got us through the last mile.”
Enhanced Visibility & Metrics
With NGINX Plus, the IT team at Quantum Health has direct access to another level of analytics that were not previously available to the team. Because IIS is supported by the web team, Breidenstein’s team had to turn to their colleagues for information like the number of requests and connections, and what time of day is best to bring down the system, should an outage be required.
Breidenstein explains, “Since installing NGINX Plus, my team has visibility that we didn’t have before. We’ve been able to take NGINX Plus’s access logs and send them to Sumo Logic in order to gather a wealth of metrics. For example, we can see how many 404 errors there are, the domain with the most 404 errors, and more. Basically, any of the data that’s in the NGINX Plus access logs can be analyzed in Sumo Logic. Before having this data, we had to rely on another team to tell us when to bring down the system if we had a service‑impacting event. Now, we can answer that question ourselves and make solid decisions to support our growing business.”
Quantum Health is also using NGINX Amplify and finds that it has been a very helpful tool as well. “Through NGINX Amplify, some of the key metrics I look at are the number of active connections and the system load, so that we don’t run into any capacity issues. I can see that the number of active customers is on average 150 at any one time, with 400,000 hits overall in a day. With NGINX Amplify we can easily see that we are nowhere near hitting our CPU and memory limits,” notes Breidenstein.
He adds, “I don’t see any type of limit from the NGINX Plus side that would stop us from signing up more customers and continuing to scale, without worrying about outages along the way.”
Working Smarter Through Automation
Breidenstein’s goal was to automate the NGINX Plus deployment to enable employees to deploy new code even if they weren’t familiar with NGINX Plus or Linux.
Breidenstein fully automated the NGINX Plus deployment using Python scripting, Lemur for certificate management, and an orchestrator called Rundeck to tie it all together and provide a self‑service portal for web developers to easily deploy new sites.
Now, developers can deploy a new site just by plugging in a couple of variables and generating a configuration file in the staging area on Rundeck. With a click of a button, Rundeck deploys the new configuration and SSL certificate from staging out to both of the NGINX Plus proxies in production, in order to keep them in sync. When the configuration is pushed to production, the new site is publicly available.
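A sketch of the kind of generator such a self-service job could run, as an added example (not Quantum Health's script or NGINX's code): it renders one SNI-selected server block per customer domain, each with its own certificate and the same backend, and rejects hostnames that could inject directives into the configuration. The upstream name `portal_backend`, the `/etc/nginx/ssl` path and the sample domains are assumptions.

```python
import re
from string import Template

# Lowercase letter-digit-hyphen labels plus an alphabetic TLD. Anything else
# (";", "{", spaces, newlines) is refused, so a value typed into a deploy form
# cannot add directives to the generated configuration.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)+[a-z]{{2,63}}")

# One virtual server per customer domain; NGINX picks the block (and therefore
# the certificate) from the SNI name. "$$host" renders as the NGINX variable.
SERVER_BLOCK = Template("""\
server {
    listen 443 ssl;
    server_name $domain;
    ssl_certificate     $cert_dir/$domain.crt;
    ssl_certificate_key $cert_dir/$domain.key;
    location / {
        proxy_set_header Host $$host;
        proxy_pass http://$upstream;
    }
}
""")


def validate_domain(domain: str) -> str:
    """Normalize a customer domain and reject anything that is not a hostname."""
    name = domain.strip().lower()
    if len(name) > 253 or not _HOSTNAME.fullmatch(name):
        raise ValueError(f"invalid hostname: {domain!r}")
    return name


def render_site(domain, upstream="portal_backend", cert_dir="/etc/nginx/ssl"):
    """Render one server block. upstream and cert_dir are assumed names."""
    return SERVER_BLOCK.substitute(
        domain=validate_domain(domain), upstream=upstream, cert_dir=cert_dir)


def render_all(domains, **kwargs):
    """Render every site, refusing duplicates that would shadow each other."""
    names = [validate_domain(d) for d in domains]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"duplicate server_name: {dupes}")
    return "\n".join(render_site(n, **kwargs) for n in names)


if __name__ == "__main__":
    # Constructed sample domains, not real customers.
    print(render_all(["acme.portal.example", "globex.portal.example"]))
```

The generated file assumes an `upstream portal_backend { ... }` group is defined elsewhere; running `nginx -t` on the staged output before it is pushed catches anything the hostname check does not.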
Quantum Health uses SVN to help control changes to the NGINX Plus configuration files so the team can see the changes over time, should the need arise to troubleshoot an issue.
Painless Migration with Professional Services & Support
After choosing NGINX Plus, Quantum went from decision to deployment in two weeks. That’s definitely a lot to ask, and NGINX, Inc.’s Professional Services team made the transition a lot easier.
During the migration, Breidenstein worked with a dedicated Professional Services engineer. “NGINX Professional Services is extremely helpful and knowledgeable. The engineer I worked with was great at communicating and teaching me about the process so that I was able to learn along the way. I give a very high rating to the support I received and would recommend using NGINX Professional Services for additional installations in the future,” says Breidenstein.
Quantum Health hasn’t required technical support since the migration, but knowing it’s included with NGINX Plus was a key factor in the decision early on. “If something goes wrong, I don’t want to be standing there alone,” notes Breidenstein. “NGINX Plus was the only way that I would go because I needed the backing of expert support.”
Laying a Solid Foundation for the Future
While switching to NGINX Plus solved its immediate SSL and deployment issues, it also prepared Quantum Health for future growth. As it brings in new customers and sets up new web portals, NGINX Plus provides Quantum Health a solid architectural foundation that can scale more easily than its earlier setup. “NGINX Plus has enabled us to increase the number of customers we can support without having to alter our backend configuration,” says Breidenstein.
And because Quantum Health has designed its architecture for high availability, it’s able to perform site maintenance at any time with no customer interruptions. “The way NGINX Plus is deployed, we can take one of those boxes down and patch it at any time,” explains Breidenstein.
Lastly, as traffic increases, NGINX Plus provides the load‑balancing capabilities Quantum Health needs to scale up and handle several times the current throughput. “Eventually NGINX Plus will become our frontend load balancer. We’ve configured everything today to support multiple upstream backend servers.”
About Quantum Health
Quantum Health is an award‑winning care coordination and consumer navigation company serving the needs of self‑insured public and private employers across the United States since 1999. With a background in consumer behavior and a deep understanding of how real people experience health care, Quantum Health has a proven history of improving the efficiency of clients’ benefits plans while maintaining industry‑leading satisfaction rates and claims savings. Based in Columbus, Ohio, Quantum Health has been recognized on the Inc. 5000 as one of the fastest‑growing privately held companies for the past seven consecutive years (2008–2015), listed as one of the 50 Fastest Growing Women Owned/Led Companies by the Women Presidents’ Organization and has been listed as both a FORTUNE Magazine Great Place to Work® and an Entrepreneur Magazine Great Place to Work®. Learn more at Quantum-Health.com.