Access WebFACES without TFI VPN
Here is what you need to know:

Summary

WebFACES is TFI's client management system and its architecture was designed to authenticate to our internal user directory. IT and Software have in the last year worked to change the login process to authentiate against Microsoft's directory. Starting July 17th 2023, You will no longer need to connect to TFI's VPN to access WebFACES. But before you break out into your signature victory dance, please read the sections below for more information surrounding this change:

Scope

Any Agency employee that uses WebFACES and accesses the application remotely (outside a TFI office)

What drove the change

The VPN has for a long time been a bottleneck for remote workers accessing resources that were originally designed to be available to the internal network. After COVID-19, most workforces across the nation became distributed in nature and applications are no longer predominantly accessed from corporate offices. Remote workers often have to VPN to the corporate VPN to access these resources and while the solution addressed secure access, it often adds points of failure in our network architecture. As part of our ongoing modernization efforts, we want you to access company tools as easily and securely as posssible which is why eliminating the VPN has been on our roadmap for quite a while.

What took us so long

WebFACES manages all our clients' personal data and as such, we take our duty to protect that data seriously and we wanted the best security posture possible before this application was publicly accessible. As part of changing the authentication system, we have also invested in other security tooling that enhances our auditing and compliance capablitities and we are confident that we have enough safeguards in place. We recongnize that the VPN is an extra step in your workflow and it has served us well by keeping WebFACES secure and we have been careful not to rush the implementation that succeeds this architecture.

Enough speeches! When are we doing this

  1. On Monday June 26th 2023, when accessing WebFACES you may be prompted to log in with your Microsoft Office 365 username and password. Generally, if you are already logged in to your other Office 365 applications on your computer then your credentials will be transparently passed to WebFACES without the need to reauthenticate.
  2. On Monday July 17th 2023, WebFACES will become accessible on the Internet without the need to connect to the TFI VPN. Simply make sure you are connected to the Internet and click on the WebFACES icon on your company issued laptop or tablet.

Security Considerations

Insert Spiderman's uncle's voice here: "With great power comes great responsiblity..."

All TFI staff have been our greatest asset in the fight against cyber security threats. Part of our confidence in presenting WebFACES to the Internet was our assessment of our staff's maturity on identifying and reporting security threats. A few things to note with this new access:

  • Accessing WebFACES from personal computers is generally prohibited. Please use your corporate approved laptop or tablet
  • Although the data in transit between your computer and WebFACES is always encrypted, take extra precautions when in public networks such as cafes or airports by connecting to the TFI VPN first before accessing WebFACES.
  • Your passphrase and your company smartphone are the first and last line of defense to get into WebFACES. Keep them safe and never write down your passphrase on sticky notes. Report any loss of your credentials or device to IT immediately.
  • You may recieve a multi-factor prompt every three days on WebFACES. We do this to guard against the event if your device is lost

Frequently Asked Questions:

Nothing has changed here. Microsoft Edge is the supported browser for WebFACES
Whoa! Slow down there millennium falcon!! While it is possible to pull up the WebFACES URL on your company smartphone, the layout is not mobile friendly yet and some sections do not render correctly. WebFACES on smartphones is not supported yet so please use your laptop, desktop or tablet.
You can contact the helpdesk at (620) 208-1828
For security and compliance reasons, we do not allow traffic from outside the U.S. (U.S. territories also include foregin U.S. military bases). Enjoy your vacation or visit with your family!! WebFACES will still be here when you get back :)
The list is getting smaller :) Only PAWS and Great Plains now require a connection to the TFI VPN if you are working remotely.
Accessing WebFACES from non-corporate approved devices is prohibited because we cannot sign off on the security baseline on unmanaged devices. We will continue to establish and review the corporate policies around this but the confidentiality and security of our data will always remain our top priority.
Our initial tests indicated a slight improvement in page load speeds but we need more volume of data over time to analyze the speeds under comparable server loads. We are aware that that the overall speed of the application is not where it needs to be but we have several initiatives to modernize the underlying infrastructure. We will keep you informed on this but if you notice any page that loads slower as compared to when connected to the VPN, please let us know.
The URL remains the same. You will be redirected to the external site on July 17th automatically. https://webfaces.tfifamily.org
If you do not use PAWS or Great Plains, there may be situations when IT may ask you to connect back to the VPN to troubleshoot your connection to the on-premise Active Directory. As mentioned on the security section, when you are on a public network connection use the TFI VPN to an added layer of security on your network trafffic.

Last updated: 06/12/2023