Quick Reference for SSL VPN


What is SSL VPN?

SSL VPN (Secure Sockets Layer Virtual Private Network) is the next generation of VPN service, available primarily to system administrators. SSL VPN operates much like a traditional VPN but adds connectivity and compatibility, using the same encryption technology that financial institutions and e-commerce web sites use to protect sensitive information. SSL VPN transmits data through an encrypted tunnel to a VPN concentrator, so the user appears to be on the local network regardless of the user's actual location.

What is a good use for SSL VPN?

SSL VPN can be used to remotely access systems that are restricted so that only certain subnets or IP addresses allow access. SSL VPN is intended by NUIT to be used by system administrators to maintain systems of institutional importance. SSL VPN can also be used to grant system access to vendors or other external collaborators, provided they have valid NetIDs and passwords and are in an LDAP group with SSL VPN privileges.

What are the benefits of using SSL VPN?

SSL VPN provides system administrators with secure, protected access to resources, and access can be granted on a granular level, ensuring that the only traffic that goes through the encrypted tunnel is traffic that is approved by system administrators. SSL VPN can be accessed from any computer that has a web browser, allowing you to administer systems from virtually anywhere at any time. Additional features, such as endpoint security, source IP/date/time security, cache cleaning, and virtual sandbox user environment can be added to suit each group's needs.

How do I get SSL VPN access?

To order SSL VPN service an authorized work order contact must submit an order online via the CONDUITS Online Order Form. If you have questions about ordering this service, please call User Services at 847-467-5560.

All orders must include the following information:

  • Contact name and phone number
  • Department
  • Location of servers to be accessed through SSL VPN
  • Number of servers to be accessed through SSL VPN
  • IP addresses and domain names of servers to be accessed through SSL VPN

Answer the following questions when requesting SSL VPN service:

  • Do you have an LDAP group established for the users who need SSL VPN access?
  • How many users do you anticipate needing access?
  • How many users are you expecting to connect simultaneously?
  • What services are you interested in providing through SSL VPN?
  • What specific resources are you interested in protecting through SSL VPN?
  • Are any of the resources you are interested in protecting currently behind a hardware firewall?
  • Will you require a custom IP address for Web Proxy-based services?

A network engineer from NUIT will contact the department to discuss and evaluate specific SSL VPN needs. For questions about ordering this service, call User Services at 847-467-5560.

Can I view web pages outside of my approved SSL VPN content while I'm logged in to the web proxy?

The SSL VPN service is configured to allow access only to resources that have been specifically requested. If you need access to a URL through SSL VPN, inform your local administrator and have him/her request that access be allowed for that resource. If you wish to view outside content while logged in, including the Northwestern homepage and the NUIT web site, open a separate browser.

Can I have more than one session open at a time?

SSL VPN will only allow one session per username to be active at a time. If you try to open additional sessions, you will get an error. You may also get this error if you close your browser without logging out properly and then try to log back in.

What if I can't log in to SSL VPN with a known, valid NetID and password?

The most likely cause is that your NetID has not been added to an LDAP directory group that has SSL VPN access. Contact your local group administrator to verify that your NetID is in the correct group.

If your NetID is in the proper group, contact the Support Center at 847-491-HELP to confirm that your NetID and password are valid.

Why won't the Network Connect client install or launch on my client machine?

Administrator or superuser rights are required on the client computer in order to run Network Connect; this ensures that updated versions of the client can be installed. In addition, pop-up windows must be allowed in your web browser for Network Connect to work correctly.

Why is it that when I SSH to my server through the SSL VPN Web Proxy SSH client and use the vi text editor, inserted text does not display properly?

This is a known issue that may be fixed with a future version of the software on the SSL VPN appliances. In the meantime, use another text editor like vim or emacs.

What IP address does my network traffic appear to come from?

Activity that is sourced from the SSL VPN Web Proxy, including File Sharing and Terminal Sessions, will always appear to come from the custom Web Proxy IP address that is assigned to your group. If your group does not have a custom Web Proxy IP address assigned, your Web Proxy traffic will appear to come from either 165.124.126.5 or 165.124.126.6. This applies even if you have a Network Connect session active.

With Network Connect, traffic that is sent over the SSL VPN tunnel from local client applications will appear to come from one of the Network Connect IP addresses that are assigned to your group. Traffic that is not sent over the SSL VPN tunnel will appear to come from your client's local IP address.

What traffic am I sending down my Network Connect tunnel?

Exactly which traffic is sent over the tunnel will differ from group to group, depending on which routes have been designated as part of your group's split tunnel configuration. If you want to see exactly what routes are installed on your client for tunneling purposes, click the Diagnostics button in the Network Connect window.
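As an added illustration (not code from the NUIT page or the SSL VPN product), the following Python models the source-address rules stated in the two answers above, so a server administrator can work out which addresses a firewall must permit. The split-tunnel routes, the Network Connect address pool and the client address are constructed assumptions; the only real values are the default Web Proxy addresses quoted above.

```python
import ipaddress

# Default Web Proxy source addresses quoted on the page.
WEB_PROXY_DEFAULT = ["165.124.126.5", "165.124.126.6"]

# Constructed sample group (assumed values, not a real NUIT configuration).
GROUP = {
    "web_proxy_ip": None,                       # no custom Web Proxy address
    "network_connect_pool": ["10.0.0.0/24"],    # assumed NC address pool
    "split_tunnel_routes": ["129.105.0.0/16", "165.124.0.0/16"],  # assumed
}


def tunnel_route(dest, routes):
    """Return the most specific split-tunnel route covering dest, or None
    when the destination is not tunneled at all (longest-prefix match)."""
    addr = ipaddress.ip_address(dest)
    matches = [ipaddress.ip_network(r) for r in routes
               if addr in ipaddress.ip_network(r)]
    return max(matches, key=lambda n: n.prefixlen, default=None)


def proxy_sources(group):
    """Web Proxy traffic uses the group's custom address if one is
    assigned, otherwise one of the two default addresses."""
    custom = group["web_proxy_ip"]
    return [custom] if custom else list(WEB_PROXY_DEFAULT)


def expected_sources(dest, group, via_web_proxy, nc_active, local_ip):
    """Source addresses a server at dest may observe:
    - Web Proxy activity (file sharing, terminal sessions) always comes from
      the proxy address, even while a Network Connect session is active;
    - Network Connect traffic comes from the group's pool only when dest is
      covered by a split-tunnel route;
    - everything else leaves from the client's own local address."""
    if via_web_proxy:
        return proxy_sources(group)
    if nc_active and tunnel_route(dest, group["split_tunnel_routes"]):
        return list(group["network_connect_pool"])
    return [local_ip]


def firewall_allow_list(group):
    """Addresses a server's allow-list needs so the group's administrators
    can reach it through either the Web Proxy or Network Connect."""
    return sorted(set(proxy_sources(group)) | set(group["network_connect_pool"]))
```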

What are the different ways to end an SSL VPN session?

If you want to completely sign out of the SSL VPN, click the Sign Out button on either the SSL VPN Web Proxy page or the Network Connect client. If you simply quit the Network Connect client, you will end your Network Connect session, but your Web Proxy session will remain active.

Do I have to launch Network Connect from the SSL VPN Web Proxy Page?

After Network Connect is installed on your computer, you can launch it directly without logging in to SSL VPN via your web browser. Note again, however, that if you simply quit the Network Connect client without clicking the Sign Out button, you will remain logged in to the Web Proxy functions of the SSL VPN.

What are the browser requirements for SSL VPN?

A full document of exactly what features are supported by what versions of operating systems and browsers is available upon request. In general, the supported browsers are:

  • Windows 2000/XP/2003/Vista (32-bit Vista only)
    IE 6/7, Firefox 2
  • Mac OS X 10.2-10.4
    Safari 1/2
  • Linux (SuSE 10, Fedora Core 5)
    Firefox 2
  • Java 1.5

Note: On Mac OS X, most Web Proxy functionality works with non-Safari browsers, such as Firefox. However, there may be unexpected behavior when trying to launch Network Connect through the Firefox browser.

Can I customize the SSL Web Proxy Page?

Yes. Click on the Preferences button on the SSL Web Proxy page, and you will be given the option of rearranging the various sections on the page.

Is SSL VPN related to Single Sign On?

SSL VPN and Single Sign On are not tied together directly, but they do work together. For example, one can access an SSO-protected site through the SSL VPN (either via Web Proxy or through Network Connect). However, SSL VPN itself is not an SSO-protected resource. NUIT is investigating how to better tie SSL VPN and SSO together for future applications.

Can I use SSL VPN to remote desktop to my desktop computer?

It is possible to remote desktop to your PC through SSL VPN, but the bookmark for the remote desktop connection would be visible to everyone in your group. You would still have to log in with your local username and password after accessing your desktop.

Can I access SSL VPN as a member of multiple groups?

Yes. If you are a member of multiple LDAP groups, you will see a merged set of resources from all applicable groups on the SSL VPN start page.

Can I have an LDAP group set up for my individual needs?

No. Groups of one or two people should not be established.

Can I use SSL VPN to provide access to vendors or contractors?

Yes; however, they will not be able to access the system without a valid NetID and password. Contact email-accounts@northwestern.edu for all NetID and password requests.

Can I use my PDA to access the Web Proxy?

Using any mobile device for SSL VPN is not supported by NUIT.

Last Updated: 11 June 2008

Information Technology, 1800 Sherman Avenue, Evanston, Illinois 60201



© 2008 Northwestern University