THE EDINBURGH NAPIER UNIVERSITY
SSL VPN SERVICE

INTRODUCTION TO SSL VPN ........................................................................................... 2

WHAT SERVICES CAN I ACCESS USING SSL VPN?...................................................... 2

REQUIREMENTS OF THE SSL VPN SERVICE ................................................................. 3

ANYCONNECT QUICKGUIDE ............................................................................................ 4

SET UP OFFICE PC FOR REMOTE DESKTOP CONNECTION ........................................ 5

USING THE CISCO ANYCONNECT CLIENT ..................................................................... 6

  COMPUTER PREPARATION .......................................................................................... 6
  INITIAL INSTALLATION AND CONNECTION WITH CISCO ANYCONNECT ................. 6
  DISCONNECTING AND NAVIGATING THE CISCO ANYCONNECT CLIENT ............... 8
  SUBSEQUENT CONNECTIONS WITH CISCO ANYCONNECT ..................................... 9
  UNINSTALLING THE CISCO ANYCONNECT CLIENT ................................................... 9
  UPGRADING THE CISCO ANYCONNECT CLIENT ....................................................... 9
  SPLIT TUNNELING AND ALLOWED TRAFFIC ............................................................ 10

USING REMOTE DESKTOP (RDC) .................................................................................. 11

  WAKE ON LAN .............................................................................................................. 11
  ACCESSING YOUR MACHINE VIA RDC ...................................................................... 12
  DISCONNECTING FROM THE RDC ............................................................................. 12

HOW DO I ACCESS MY H DRIVE? .................................................................................. 13

TROUBLESHOOTING THE SSL VPN SERVICE ............................................................. 14

  WINDOWS DLL ERROR................................................................................................ 14
  CERTIFICATE ERROR WHEN CONNECTING TO SSL VPN SERVICE ...................... 14
  LOGIN PROBLEMS WHEN CONNECTING TO SSL VPN SERVICE............................ 14
  LINUX CLIENT WEBLAUNCH REQUIRES AN ACCOUNT WITH SUDO ACCESS ...... 15
  USING THE ANYCONNECT CLI COMMANDS ............................................................. 15
  UNINSTALLING THE CISCO ANYCONNECT VPN CLIENT......................................... 16
  LINUX-SPECIFIC ANYCONNECT CLIENT ISSUE........................................................ 16
  WINDOWS VISTA UNRESPONSIVE DURING SLEEP/RESUME CYCLES ................. 16
  UBUNTU 8.04 ANYCONNECT INSTALL ....................................................................... 17
  FURTHER HELP AND SUPPORT ................................................................................. 17




C&IT Services                                    Page 1                                         14/06/2010
Napier University SSL VPN
INTRODUCTION TO SSL VPN




       The Edinburgh Napier University network is secured from unauthorized external
access by a firewall. The SSL VPN allows remote users to access internal services not
usually available to external users. The most common use of the VPN service is for staff to
use Remote Desktop Connection to access their Edinburgh Napier University PC.

      The SSL VPN service is initially accessed through a secure web browser
connection with the University firewall. On successful user authentication the firewall will
automatically install a client called Cisco AnyConnect. AnyConnect allows remote users
to send data securely and quickly using SSL (Secure Sockets Layer) and/or DTLS
(Datagram Transport Layer Security).

       During an SSL VPN session, all traffic destined for Edinburgh Napier University is
sent down the secure VPN tunnel. Traffic destined for elsewhere is unaffected. VPN traffic
is subject to a series of filters once it arrives at the firewall. This allows C&IT Services to
customize VPN access rights for external contractors and University Departments while
adding another layer of security for the internal University network.



     The SSL VPN service is currently only available externally i.e. it cannot be
accessed from within the University.


WHAT SERVICES CAN I ACCESS USING SSL VPN?

You can access the following services using SSL VPN:

      See the SPLIT TUNNELING AND ALLOWED TRAFFIC section for a full list of
       services available on the SSL VPN service




REQUIREMENTS OF THE SSL VPN SERVICE

      You need to register for the VPN service.

           Register by completing the VPN online form which can be found on the Staff
           Forms section of the C&IT Services intranet pages.

      You need a home computer which runs one of the following operating systems:

              Microsoft Windows 2000, XP or Vista (32 or 64 bit)
              Mac OS X 10.4 or later (PPC or Intel)
              Linux – Cisco have tested Red Hat Enterprise Linux 3 or 4, Fedora Core
               4 or higher, Slackware 11 or 12.1, SuSE 10.1. C&IT Services has also
               tested Ubuntu 8.04 successfully.

      You need an existing connection to the Internet.

      You need to have the following security requirements on your home computer:
           You must have some form of anti-virus software installed on your PC.
             Edinburgh Napier staff & students are entitled to download and install a copy
             of McAfee VirusScan on their laptop/home PC. A copy of the software,
             installation and configuration instructions can be found in the Virus Protection
             and Downloads section of the C&IT Services intranet pages.
           You must have up to date virus definitions, run the auto update on your
             anti-virus software to ensure the files are up to date.
           You must have a firewall. A firewall is supplied with the VPN client to
             protect your computer from unauthorised access from the Internet.
           You must agree to Edinburgh Napier University’s Information Security
             Policy. A copy of the Information Security Policy can be found in the C&IT
             Services section of the staff intranet.

      You must set up your Office PC if you want to access it using Remote Desktop. See
       the Set Up Office PC for Remote Desktop Connection section of this
       documentation.

      You will need the Java Runtime Environment installed before you will be able to
       successfully install the Cisco AnyConnect client. You can download this Java
       program at http://www.java.com. Version 1.5 or later is supported.




ANYCONNECT QUICKGUIDE



   1. Prepare your Edinburgh Napier PC for Remote Desktop and Wake on LAN if
      required – see SETUP PC FOR REMOTE DESKTOP CONNECTION section.

   2. Ensure your home PC has a valid internet connection.

   3. Prepare your home PC to install AnyConnect. Microsoft Windows Internet
      Explorer users should add a trusted site – see COMPUTER PREPARATION
      section.

   4. Start a browser on your home PC and enter the URL for Edinburgh Napier
      University’s AnyConnect VPN service. The AnyConnect client will automatically
      install – see INITIAL INSTALLATION AND CONNECTION WITH CISCO
      ANYCONNECT section.

   5. When successfully connected, users can access the services available through
      AnyConnect – see SPLIT TUNNELING AND ALLOWED TRAFFIC for a list of
      available services.

   6. Remote Desktop users - see USING REMOTE DESKTOP (RDC) section.

   7. Users experiencing problems connecting with AnyConnect – see
      TROUBLESHOOTING THE SSL VPN SERVICE section.

   8. Once the AnyConnect client has been successfully installed, VPN users can
      connect to the service by either using the AnyConnect client directly or by the
      browser method – see SUBSEQUENT CONNECTIONS WITH CISCO
      ANYCONNECT section.




SET UP OFFICE PC FOR REMOTE DESKTOP CONNECTION

The remote desktop connection allows you to connect to your University computer and
work as if you were in your office.

To set up the Remote Desktop Connection:

              Right click on the My Computer icon on your office PC.
              Select Properties.
              Click on the Remote tab.
              Tick the “Allow users to connect remotely to this computer” box.
              When the Remote Sessions dialog box appears, click OK.
              Click OK to exit the System Properties dialog box and to apply the changes.

You will need your IP address to connect from outwith the University. To obtain your IP
address:

              Double click on the Who Am I icon on your desktop.

              A screen will appear displaying information about your PC.

              [Screenshot: the Who Am I window, with the IP Address and MAC Address
              fields highlighted]

              Take a note of the number next to IP Address (also take a note of the
               MAC address if you are planning to use Wake on LAN); you will need
               these addresses to connect to your office workstation from outwith the
               University.
              Click Quit.




USING THE CISCO ANYCONNECT CLIENT

COMPUTER PREPARATION

        Cisco recommends that Microsoft Internet Explorer (MSIE) users add the University
firewall to the list of trusted sites. Doing so enables the ActiveX control to install with
minimal interaction from the user. Windows XP SP2 and Vista users must complete the
following 8 steps to ensure successful deployment of the Cisco AnyConnect client:

Step 1 Go to Tools > Internet Options > Trusted Sites

Step 2 Click the Security tab

Step 3 Click the Trusted Sites icon

Step 4 Click Sites

Step 5 Type the host name Napier-SSLVPN.napier.ac.uk

Step 6 Click Add

Step 7 Click OK

Step 8 Click OK in the Internet Options window



INITIAL INSTALLATION AND CONNECTION WITH CISCO ANYCONNECT

      Start a web browser (Safari, Firefox and Microsoft Internet explorer are supported)
       and enter the following URL:

              https://Napier-SSLVPN.napier.ac.uk

      On the login page select anyconnect from the GROUP option and enter your
       University username and password:




      See TROUBLESHOOTING THE SSL VPN SERVICE for possible problems that
       may occur when entering your username and password.




      The AnyConnect installation will try and use ActiveX or Java to install the client:




      If the client install fails, you will be prompted to manually install the client. Click on
       the link to install:




       Apple Mac users may be prompted to trust an applet signed by Cisco – if so click
       Trust. Mac users may also be prompted for their local Mac username and
       password.




      The AnyConnect client will then be installed:




      Once installed the AnyConnect client will establish the VPN connection:




DISCONNECTING AND NAVIGATING THE CISCO ANYCONNECT CLIENT

      When connected to the SSL VPN service, Windows users will see the following icon
       in the system tray (bottom right of the desktop window). Mac users will see the icon
       in the dock.




      Right click this icon and select Open. The following screenshots are from Microsoft
       Windows XP – other OS windows will be similar.

       The Connection tab shows the URL of the firewall that you are connected to.
       To disconnect from the SSL VPN service, click the Disconnect button.

       The Statistics tab shows IP addresses and sent/received traffic. Note that the
       AnyConnect client IP is an Edinburgh Napier IP address, i.e. 146.176.x.x




 SUBSEQUENT CONNECTIONS WITH CISCO ANYCONNECT

      Once installed, the Cisco AnyConnect client can be used as a standalone
       application. Simply run the Cisco AnyConnect VPN Client programme, click on the
       Connection tab and enter napier-sslvpn.napier.ac.uk into the Connect to box.
       Select anyconnect from the Group option and enter your Edinburgh Napier
       University username and password.




      Once installed, the Cisco AnyConnect client can also be used from a command
       line – see the USING THE ANYCONNECT CLI COMMANDS section of
       TROUBLESHOOTING THE SSL VPN SERVICE.
      Cisco AnyConnect can also be accessed again through a browser with the URL

                      https://Napier-SSLVPN.napier.ac.uk


UNINSTALLING THE CISCO ANYCONNECT CLIENT

      Regular users of the SSL VPN service should keep the Cisco AnyConnect client
       installed. Users wishing to uninstall should read the UNINSTALLING THE CISCO
       ANYCONNECT VPN CLIENT section of TROUBLESHOOTING THE SSL VPN
       SERVICE.


UPGRADING THE CISCO ANYCONNECT CLIENT

      Any updates/upgrades for the Cisco AnyConnect client will be applied
       automatically by the firewall with no user interaction.



SPLIT TUNNELING AND ALLOWED TRAFFIC

        Split tunnelling is enabled for the SSL VPN service. When a user connects to the
SSL VPN service, only certain traffic is encrypted and sent down the VPN tunnel to the
University. All other traffic is sent via the ISP as normal.
        The tables below show what traffic (listed under Destination Network) will be
encrypted by the VPN tunnel. This traffic is filtered/firewalled before it enters the University
LAN. The allowed traffic is listed under Application. All other traffic destined for the
University will not be encrypted by the VPN and will enter the University through the main
firewall.




School of Computing Staff

  Destination networks (traffic to these is encrypted and sent down the tunnel):
      146.176.162.0/24
      146.176.163.0/24
      146.176.164.0/24
      146.176.165.0/24
      146.176.166.0/24

  Applications (allowed through the firewall filter):
      Remote Desktop Connection TCP/3389
      echo
      SSH TCP/22
      Telnet TCP/23
      VNC 5800-5810 and 5900-5910
      http
      https

All other Staff

  Destination networks (traffic to these is encrypted and sent down the tunnel):
      All staff subnets

  Applications (allowed through the firewall filter):
      Remote Desktop Connection TCP/3389
      echo




Contractors
Contractors will have a more specific filter. This filter is specified by the Edinburgh Napier
University staff member sponsoring the Contractor when filling in the VPN registration
form for the C&IT Support Desk.
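The two decisions described above (is a packet sent down the tunnel at all, and does the firewall filter then pass it) can be checked with a small policy model. The Python below is an added example written for this guide, not C&IT Services' or Cisco's code. It transcribes the School of Computing destination networks and application list from the tables above; the ports 80/443 for http/https and TCP for VNC are assumptions, since the table lists only the names. It also checks the point made in the Statistics tab description that the AnyConnect client address should fall within 146.176.x.x.

```python
import ipaddress
from typing import List, Optional, Tuple

# Destination networks transcribed from the "School of Computing Staff" table.
COMPUTING_STAFF_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "146.176.162.0/24",
        "146.176.163.0/24",
        "146.176.164.0/24",
        "146.176.165.0/24",
        "146.176.166.0/24",
    )
]

# Application filter transcribed from the same table: (name, protocol, inclusive
# port ranges). Ports 80/443 for http/https and TCP for VNC are assumptions.
COMPUTING_STAFF_APPLICATIONS: List[Tuple[str, str, List[Tuple[int, int]]]] = [
    ("Remote Desktop Connection", "tcp", [(3389, 3389)]),
    ("echo", "icmp", []),          # ICMP echo, i.e. ping
    ("SSH", "tcp", [(22, 22)]),
    ("Telnet", "tcp", [(23, 23)]),
    ("VNC", "tcp", [(5800, 5810), (5900, 5910)]),
    ("http", "tcp", [(80, 80)]),
    ("https", "tcp", [(443, 443)]),
]

# The Statistics tab should show a client address inside the University's range.
UNIVERSITY_RANGE = ipaddress.ip_network("146.176.0.0/16")


def is_tunnelled(dst_ip: str, networks=COMPUTING_STAFF_NETWORKS) -> bool:
    """Split-tunnel decision: only traffic for a listed destination network enters
    the VPN tunnel; everything else leaves via the home ISP as normal."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in networks)


def matching_application(proto: str, port: Optional[int],
                         apps=COMPUTING_STAFF_APPLICATIONS) -> Optional[str]:
    """Name of the allowed application this protocol/port matches, or None if the
    firewall filter at the University end would drop it."""
    proto = proto.lower()
    for name, app_proto, ranges in apps:
        if app_proto != proto:
            continue
        if not ranges:            # protocol without ports (ICMP echo)
            return name
        if port is not None and any(lo <= port <= hi for lo, hi in ranges):
            return name
    return None


def classify(dst_ip: str, proto: str, port: Optional[int] = None) -> str:
    """Single verdict for one flow:
    'isp'               not a listed network; sent unencrypted via the ISP (and, if
                        it is University-bound, through the main firewall instead)
    'tunnel:<app>'      encrypted down the tunnel and passed by the filter
    'tunnel:filtered'   encrypted down the tunnel but dropped by the filter
    """
    if not is_tunnelled(dst_ip):
        return "isp"
    app = matching_application(proto, port)
    return f"tunnel:{app}" if app else "tunnel:filtered"


def is_university_vpn_address(client_ip: str) -> bool:
    """Check the AnyConnect client IP shown on the Statistics tab."""
    return ipaddress.ip_address(client_ip) in UNIVERSITY_RANGE


if __name__ == "__main__":
    # Constructed sample flows, not taken from the guide.
    samples = [
        ("146.176.162.10", "tcp", 3389),   # RDC to an office PC
        ("146.176.166.5", "tcp", 5905),    # VNC
        ("146.176.163.1", "icmp", None),   # ping
        ("146.176.162.10", "tcp", 445),    # SMB: tunnelled but filtered
        ("146.176.170.1", "tcp", 3389),    # University address, not a listed network
        ("93.184.216.34", "tcp", 443),     # ordinary web traffic
    ]
    for ip, proto, port in samples:
        print(f"{ip:>16} {proto}/{port or '-'} -> {classify(ip, proto, port)}")
```

Run it as a script to see the verdict for each constructed flow; the model is for the School of Computing profile, and the "All other Staff" profile would substitute the staff subnets and the shorter application list.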




USING REMOTE DESKTOP (RDC)

WAKE ON LAN

      Wake on LAN (WoL) allows RDC users to remotely power on their work PCs. To use
WoL, users must have a note of their IP and MAC addresses. Users can download a
freeware WoL utility from:

       http://www.depicus.com/wake-on-lan/wake-on-lan-gui.aspx

      To use WoL enter your IP (Internet) and MAC Addresses in the provided boxes. For
Subnet Mask enter 255.255.255.0, for Send Options select Internet and for Remote
Port Number enter 7. To wake up your PC click the Wake Me Up button.




       Your PC may take a few minutes to boot up. To check when your PC is ready you
can ping your PC’s IP address. XP users can select Start – Run. In the Open box enter
cmd and press OK.




       This will open a DOS window. Type ping -t <IP Address> (where <IP Address> is
the IP address of your Work PC) and hit the enter key. When your PC is unreachable (still
booting) you will see the following output:



       When your PC is up and running you will see the following output. When you see
replies from your PC you can then connect to it using RDC.
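The same wake-and-wait procedure can be scripted. The Python below is an added example for this guide, not code from the depicus utility or from C&IT Services. It builds a standard Wake on LAN magic packet from a MAC address, sends it as a UDP datagram on port 7 as the guide instructs, and then polls with the system ping command until the office PC answers. The MAC and IP address are constructed placeholders; that the utility's "Internet" send option targets the subnet's directed broadcast address (derived from the IP and the 255.255.255.0 mask) is an assumption not stated in the guide.

```python
import ipaddress
import re
import socket
import subprocess
import sys
import time

# Constructed placeholders, not values from the guide.
SAMPLE_MAC = "00-11-22-33-44-55"
SAMPLE_IP = "146.176.162.10"
# Settings the guide tells users to enter into the WoL utility.
SUBNET_MASK = "255.255.255.0"
WOL_PORT = 7


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = mac.replace(":", "").replace("-", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Standard magic packet: six 0xFF bytes followed by the MAC repeated 16 times
    (102 bytes in total)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def directed_broadcast(ip: str, mask: str) -> str:
    """Broadcast address of the office PC's subnet, from its IP and the mask.
    Assumed to be what the utility's 'Internet' option sends to."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).broadcast_address)


def send_magic_packet(mac: str, ip: str, mask: str = SUBNET_MASK,
                      port: int = WOL_PORT) -> int:
    """Send the packet as one UDP datagram; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    target = directed_broadcast(ip, mask)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (target, port))


def wait_for_host(ip: str, timeout_s: int = 300, interval_s: int = 5) -> bool:
    """Scripted equivalent of watching 'ping -t <IP Address>' until replies appear.
    Returns True once one ping succeeds, False if the timeout is reached."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        result = subprocess.run(["ping", count_flag, "1", ip], capture_output=True)
        if result.returncode == 0:
            return True
        time.sleep(interval_s)
    return False


if __name__ == "__main__":
    # Show the packet that would be sent for the placeholder MAC without sending it.
    pkt = build_magic_packet(SAMPLE_MAC)
    print(f"{len(pkt)}-byte magic packet for {SAMPLE_MAC}: {pkt.hex()[:24]}...")
    print(f"would be sent to {directed_broadcast(SAMPLE_IP, SUBNET_MASK)}:{WOL_PORT}")
    if "--send" in sys.argv:
        send_magic_packet(SAMPLE_MAC, SAMPLE_IP)
        print("ready for RDC" if wait_for_host(SAMPLE_IP) else "no reply within timeout")
```

Run without arguments to inspect the packet; pass --send (after replacing the placeholders with your own noted addresses) to wake the PC and wait for it, while connected to the VPN so the ping reaches it.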




ACCESSING YOUR MACHINE VIA RDC

       Before you access your machine you must have installed the Edinburgh Napier
University VPN Client on your home computer (refer to the section INITIAL
INSTALLATION AND CONNECTION WITH CISCO ANYCONNECT) and set up the Remote
Desktop connection on your office PC (refer to the section SET UP OFFICE PC FOR
REMOTE DESKTOP CONNECTION).

       To access your machine via remote desktop connection:

      Start the VPN client and connect.
      Start Remote Desktop Connection: All Programs – Accessories –
       Communications - .

              Once you have started Remote Desktop Connection the following screen
              will appear:

              [Screenshot: the Remote Desktop Connection dialog, with callouts
              "Enter IP Address" on the Computer box and "Click Connect" on the
              Connect button]




      Enter the IP address of the PC you will be connecting to. Refer to the section SET
       UP OFFICE PC FOR REMOTE DESKTOP CONNECTION for information on how
       to obtain the IP address.
      Click Connect if you want to connect directly to the machine. Alternatively you
       could click Options to view some of the advanced options of the Remote Desktop
       Connection.
      Once connected, you can log in to your office workstation with your normal
       Edinburgh Napier University User ID and Password.

       Please note: when you press ctrl, alt, del to log in to your office workstation your
       Windows Vista machine may react rather than the office workstation. In this
       situation press ctrl, alt, end - you should then be able to log in to your office
       workstation.

       Once you have logged in you will see your desktop as you would if logging in from
your office. You can use the machine as you would your machine at work.

DISCONNECTING FROM THE RDC

The following methods disconnect you from the remote desktop connection.

       Method 1:

      On the machine you are remote controlling, click Start.
      Select Log Off. This will end all applications that are running, log you out of the
       machine you are remote controlling and then disconnect you from the remote
       control session.
       Method 2:

      On the machine you are remote controlling, click Start.
      Select Disconnect. This will disconnect you from the remote desktop session but
       all programs will be kept running on the workstation that you were connecting to.

       Method 3:

      To shutdown the machine you are remote controlling, press CTRL+ALT+END.
       Select Shutdown. See the Microsoft support article for more details:

                      http://support.microsoft.com/kb/303070




HOW DO I ACCESS MY H DRIVE?

      Providing you have Internet access you can access your H drive outwith the
University using MyDrive. Please refer to the MyDrive User Guide for more information.
To view the guide visit the Off Campus Services section of the C&IT Services intranet
pages.




TROUBLESHOOTING THE SSL VPN SERVICE

WINDOWS DLL ERROR

   In rare circumstances, if you install the AnyConnect client on a computer that has a
new or clean Windows installation, the AnyConnect client might fail to connect, and your
computer might display the following message:

        The required system DLL (filename) is not present on the system.

   This could occur if the computer does not have the file MSVCP60.dll or MSVCRT.dll
located in the winnt\system32 directory. For more information about this problem, see the
Microsoft Knowledge Base, article 259403, at http://support.microsoft.com/kb/259403


CERTIFICATE ERROR WHEN CONNECTING TO SSL VPN SERVICE

      SSL certificates are valid for certain periods of time. Ensure your computer has the
       correct date and time set.
      Ensure you have a valid GlobalSign Root certificate on your computer.

      If you still experience certificate errors when connecting after checking the points
above, contact the C&IT Support Desk by email or by telephoning ext. 0131 455 3000.
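The two checks above (validity period against the local clock, and a trusted root) are exactly what a TLS client verifies, so they can be tested from the command line before contacting the Support Desk. The Python below is an added diagnostic written for this guide, not Cisco's or C&IT Services' code. It connects to the service address given in this guide with full certificate verification, maps OpenSSL's standard failure messages onto the two checks, and classifies the certificate's validity window against the local clock; the sample certificate dates are constructed for the offline check.

```python
import socket
import ssl
import time
from typing import Dict, Tuple, Union

VPN_HOST = "Napier-SSLVPN.napier.ac.uk"   # the service address from this guide
VPN_PORT = 443

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the dates are made up for the offline check.
SAMPLE_CERT = {
    "notBefore": "Jun 14 00:00:00 2010 GMT",
    "notAfter": "Jun 14 23:59:59 2012 GMT",
}


def parse_cert_time(cert_time: str) -> float:
    """Convert a certificate timestamp ('Jun 14 00:00:00 2010 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def check_validity_window(cert: Dict[str, str], now: float) -> str:
    """Return 'valid', 'not_yet_valid' or 'expired' for the certificate at time `now`.
    Either of the two failure cases can be caused by a wrong local date and time."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def explain_verify_error(err: Union[str, ssl.SSLCertVerificationError]) -> str:
    """Map OpenSSL's verification message onto the two checks in this section."""
    if isinstance(err, str):
        msg = err
    else:
        msg = getattr(err, "verify_message", None) or str(err)
    msg = msg.lower()
    if "expired" in msg or "not yet valid" in msg:
        return "validity period: check the computer's date and time"
    if "local issuer" in msg or "self signed" in msg or "self-signed" in msg:
        return "trust chain: check the GlobalSign Root certificate is installed"
    return f"other verification failure: {msg}"


def diagnose(host: str = VPN_HOST, port: int = VPN_PORT,
             timeout: float = 10.0) -> Tuple[str, str]:
    """Connect with full verification (system trust store, hostname check) and
    return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return "verify_failed", explain_verify_error(e)
    except (OSError, ssl.SSLError) as e:
        return "connect_failed", str(e)
    status = check_validity_window(cert, time.time())
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return status, f"issuer={issuer.get('organizationName', '?')} notAfter={cert['notAfter']}"


if __name__ == "__main__":
    print(diagnose())
```

A verify_failed result pointing at the validity period means the clock on the home computer (or, less likely, the server certificate itself) is wrong; one pointing at the trust chain means the root certificate is missing from the trust store that Python is using, which on Windows and Mac OS X may differ from the browser's.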


LOGIN PROBLEMS WHEN CONNECTING TO SSL VPN SERVICE

      After selecting anyconnect and entering your Edinburgh Napier University
       username and password, the login attempt is rejected. This occurs when an
       incorrect username and/or password has been entered.




      After selecting anyconnect and entering your Edinburgh Napier University
       username and password, the login attempt is denied. This occurs when the
       supplied username has not been given access to use anyconnect.




LINUX CLIENT WEBLAUNCH REQUIRES AN ACCOUNT WITH SUDO ACCESS

Launching the AnyConnect client for Linux from the browser does not work when the user
is non-root and does not have sudo access on the machine. To work around this problem,
install sudo and add a line like the following to /etc/sudoers (edit it with visudo, which
checks the syntax before saving):

    someusername ALL = (ALL) ALL

USING THE ANYCONNECT CLI COMMANDS

The Cisco AnyConnect VPN Client provides a command line interface (CLI) for users
who prefer to issue commands instead of using the graphical user interface. The following
sections describe how to launch the CLI command prompt.

For Windows
To launch the CLI command prompt and issue commands on a Windows system, locate
the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN
Client. Double-click the file vpncli.exe.
For Linux
To launch the CLI command prompt and issue commands on a Linux system, locate the
file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn. You can run the CLI in
interactive mode, in which it provides its own prompt, or you can run it with the commands
on the command line. The following table shows the CLI commands, and the examples
after it show the user establishing and terminating a connection from the command line:

Command                          Action
connect <IP address or alias>    Client establishes a connection to a specific
                                 security appliance.
disconnect                       Client closes a previously established connection.
exit                             Exits the CLI interactive mode.
help or ?                        Gets usage information for CLI commands.
hosts                            Lists all saved VPN server hosts.
quit                             Exits the CLI interactive mode.
state or status                  Displays current state of the VPN subsystem.
stats                            Displays statistics about an established connection.
version                          Displays the version of the currently installed Cisco
                                 AnyConnect VPN Client.

/opt/cisco/vpn/bin/vpn connect 1.2.3.4
Establishes a connection to a security appliance with the address 1.2.3.4.

/opt/cisco/vpn/bin/vpn connect some_asa_alias
Establishes a connection to a security appliance by reading the profile and looking up the
alias some_asa_alias in order to find its address.

/opt/cisco/vpn/bin/vpn stats
Displays statistics about the vpn connection.

/opt/cisco/vpn/bin/vpn disconnect
Disconnect the vpn session if it exists.


UNINSTALLING THE CISCO ANYCONNECT VPN CLIENT

Windows

To manually uninstall the AnyConnect client from a Windows system, use the standard
“Add or Remove Programs” Control Panel available from the Start menu.

Linux and Mac OS X

The procedure for manually uninstalling the AnyConnect client from a Linux or Mac OS X
system is the same for both systems. As root, run the following shell script:

/opt/cisco/vpn/bin/vpn_uninstall.sh


Typically, you would do this via sudo, as follows:
$ sudo /opt/cisco/vpn/bin/vpn_uninstall.sh

If you do not use sudo, use a root shell:
# /opt/cisco/vpn/bin/vpn_uninstall.sh


LINUX-SPECIFIC ANYCONNECT CLIENT ISSUE

The AnyConnect client might not establish a DTLS tunnel in Linux and might revert to TLS.
In addition, the AnyConnect client reports that statistics in the Linux user interface are not
available. Closing the user interface without disconnecting and launching another (while
the tunnel is still active) seems to fix the problem.

WINDOWS VISTA UNRESPONSIVE DURING SLEEP/RESUME CYCLES

If you use sleep and resume on Vista, you might find that the tunnel cannot be established
due to the AnyConnect driver not being enabled. A reboot is typically required to recover
from this condition. The problem is caused by an issue in the Vista Kernel component as
described in KB-952876 (http://support.microsoft.com/kb/952876 ). When this issue
occurs, another core Vista component, TCPIPREG.sys, fails to function. The Cisco
AnyConnect VPN Client relies on this service to set the IP address of the Virtual Adapter.
If you see an error stating that the Virtual Adapter could not be set up, you might have
encountered this issue. We recommend that you apply the patch if you are experiencing
issues on Vista where the AnyConnect adapter fails to enable. After applying the patch,
you might still see an occasional failure due to a timing issue in the TCPIPREG.sys
service. This is rare and should be recoverable by simply trying the tunnel a second time.
Cisco is working with Microsoft to correct this remaining issue.




UBUNTU 8.04 ANYCONNECT INSTALL

      Start a web browser and enter the following URL:

              https://Napier-SSLVPN.napier.ac.uk

      Login - when the install fails, click on the link Linux i386 to download the file
       vpnsetup.sh




      When the vpnsetup.sh file is downloaded run the following commands


              $ chmod +x vpnsetup.sh

              $ sudo ./vpnsetup.sh

Connect to the SSL VPN service using:

      The command line as outlined in the section USING THE ANYCONNECT CLI
       COMMANDS, i.e. execute the file /opt/cisco/vpn/bin/vpn

      The GUI, i.e. execute the file /opt/cisco/vpn/bin/vpnui




FURTHER HELP AND SUPPORT

     If you are still having problems with the SSL VPN service please contact the C&IT
Support Desk by email or by telephoning ext. 0131 455 3000.



