
Remote Access & VPN

From Systems Group

In an effort to further improve the overall security of the Computer Science Department's computing resources, we will be blocking Remote Desktop (RDP) and Secure Shell (SSH) at the edge of our network on the night of January 12th at 11pm. This change is intended to reduce our attack surface and limit the effectiveness of brute-force attacks against our computing resources. In addition to putting these restrictions in place, we will be migrating our VPN to our newly acquired Palo Alto firewalls. This page describes what to expect once the remote access restrictions are in place and how to connect to the new VPN.

Remote Access Policy Changes

Inbound RDP and SSH access to all resources will be restricted, with the following exceptions:

  • These computing resources will still be available without the need for VPN:
    • Our Virtual Computing Lab (vclab.cs.odu.edu)
    • Our departmental Linux machines (linux.cs.odu.edu, atria.cs.odu.edu, sirius.cs.odu.edu)
  • RDP/SSH connections will not be blocked if they originate from anywhere on campus.

Apart from the exceptions listed above, remote access to all servers and workstations will require first establishing a connection to our VPN.

VPN

Our VPN is available to Students, Faculty, and Staff. The only requirement for connecting to the VPN is a valid CS account.

[Instructions for connecting to the VPN]

Connecting Printers (MacOS)

Below is a guide for setting up a connection to printers while connected to the VPN.

[Instructions for connecting a printer while using MacOS and connected to VPN]

FAQ

"After establishing a connection to the GlobalProtect VPN on Windows, the new VPN network shows up as unidentified/unknown. Why?"

Known GlobalProtect Issue on MacOS

There is a known issue with using GlobalProtect 4.1.x on MacOS 10.13.x (High Sierra).

The Issue

After installing the current GlobalProtect client application on MacOS High Sierra, GlobalProtect will prompt for a portal address. After the address is entered, it will automatically attempt to connect to that address without ever prompting for credentials, so the connection never completes.

This happens because GlobalProtect uses unsigned kernel extensions, and MacOS does not allow kernel extensions from untrusted sources.

The Fix

To fix this issue, follow the steps below:

1) Uninstall GlobalProtect using the installer

2) Reboot the Mac into recovery mode by pressing "Command + R" while it is powering back on

3) Open a terminal from the menu at the top, under the "Utilities" tab, and enter this command:

 $ spctl kext-consent add PXPZ95SK77

4) Boot regularly into MacOS

5) Re-install GlobalProtect