
Quick Reference for SSL VPN

What is SSL VPN?

SSL VPN (Secure Sockets Layer Virtual Private Network) is the next generation of VPN service, available primarily for system administrators. SSL VPN operates much like traditional VPN, but offers additional connectivity and compatibility, using the same encryption technology used by financial institutions and e-commerce web sites to protect sensitive information. SSL VPN transmits data through an encrypted tunnel to a VPN concentrator, giving the appearance that the user is on the local network, regardless of the user's actual location.

What is a good use for SSL VPN?

SSL VPN can be used to remotely access systems that are restricted so that only certain subnets or IP addresses allow access. SSL VPN is intended by NUIT to be used by system administrators to maintain systems of institutional importance. SSL VPN can also be used to grant system access to vendors or other external collaborators, provided they have valid NetIDs and passwords and are in an LDAP group with SSL VPN privileges.

What are the benefits of using SSL VPN?

SSL VPN provides system administrators with secure, protected access to resources, and access can be granted on a granular level, ensuring that the only traffic that goes through the encrypted tunnel is traffic that is approved by system administrators. SSL VPN can be accessed from any computer that has a web browser, allowing you to administer systems from virtually anywhere at any time. Additional features, such as endpoint security, source IP/date/time security, cache cleaning, and virtual sandbox user environment can be added to suit each group's needs.

How do I get SSL VPN access?

Any request for SSL VPN access should be submitted to NUIT at consultant@northwestern.edu. NUIT will coordinate requests for access and contact the requestor, data steward and other authorities as deemed appropriate for consideration and discussion of the access request.

All orders must include a response to the following information:

A network engineer from NUIT will contact the department to discuss and evaluate specific SSL VPN needs.

Can I view web pages outside of my approved SSL VPN content while I'm logged in to the web proxy?

The SSL service is configured to only allow access to resources that have been specifically requested. If you need access to a URL through SSL VPN, you should inform your local administrator and have him/her request that access be allowed for that resource. If you wish to view outside content while logged in, including the Northwestern homepage and the NUIT web site, open a separate browser.

Can I have more than one session open at a time?

SSL VPN allows up to five simultaneous logins per NetID. If you have one or more sessions already open when you log in, you will get a notice indicating so with an option to terminate the other session(s) or leave them active.

What if I can't log in to SSL VPN with a known, valid NetID and password?

Your NetID has not been added to an LDAP directory group that has SSL VPN access. Contact your local group administrator to verify that your NetID is in the correct group.

If your NetID is in the proper group, contact the NUIT Support Center to confirm that your NetID and password are valid.

Why won't the Pulse Secure client install or launch on my client machine?

Administrator or superuser rights are required on the client computer in order to run Pulse Secure; this ensures that updated versions of the client can be installed.

Why is it that when I SSH to my server through the SSL VPN Web Proxy SSH client and use the vi text editor, inserted text does not display properly?

This is a known issue that may be fixed with a future version of the software on the SSL VPN appliances. In the meantime, use another text editor like vim or emacs.

What IP address does my network traffic appear to come from?

Activity that is sourced from the SSL VPN Web Proxy, including File Sharing and Terminal Sessions, will always appear to come from the custom Web Proxy IP address that is assigned to your group. If your group does not have a custom Web Proxy IP address assigned, your Web Proxy traffic will appear to come from either 165.124.126.5 or 165.124.126.6. This applies even if you have a Pulse Secure session active.

With Pulse Secure, traffic that is sent over the SSL VPN tunnel from local client applications will appear to come from one of the Pulse Secure IP addresses that are assigned to your group. Traffic that is not sent over the SSL VPN tunnel will appear to come from your client's local IP address.
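For a server that is meant to be administered only through SSL VPN, the source addresses described above can be checked against its login records. The following is an added example, not NUIT's own tooling: it classifies accepted sshd logins as coming from the default Web Proxy addresses, from a Pulse Secure pool, or from outside the VPN. The Pulse Secure pool (`192.0.2.0/28`) and the log lines are constructed placeholders; substitute the addresses assigned to your group, including any custom Web Proxy IP.

```python
import ipaddress
import re

# Default Web Proxy source addresses, as stated on this page.
WEB_PROXY_DEFAULT = {ipaddress.ip_address("165.124.126.5"),
                     ipaddress.ip_address("165.124.126.6")}

# ASSUMPTION: placeholder for the Pulse Secure pool assigned to your group
# (RFC 5737 documentation range, not a real assignment).
PULSE_POOL = ipaddress.ip_network("192.0.2.0/28")

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n>" lines.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def classify(ip_text):
    """Return where a login's source address sits relative to the SSL VPN."""
    ip = ipaddress.ip_address(ip_text)
    if ip in WEB_PROXY_DEFAULT:
        return "web-proxy"
    if ip in PULSE_POOL:
        return "pulse-tunnel"
    return "outside-vpn"

def audit(lines):
    """Return (user, ip, origin) for every accepted login in the log lines."""
    results = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed logins and unrelated lines are skipped
        try:
            origin = classify(m.group("ip"))
        except ValueError:
            origin = "unparseable"
        results.append((m.group("user"), m.group("ip"), origin))
    return results

# Constructed sample log lines (users, hosts and addresses are illustrative).
SAMPLE_LOG = [
    "Dec 20 09:14:02 srv1 sshd[2211]: Accepted password for alice from 165.124.126.5 port 51514 ssh2",
    "Dec 20 09:20:45 srv1 sshd[2240]: Accepted publickey for bob from 192.0.2.7 port 40022 ssh2",
    "Dec 20 09:31:10 srv1 sshd[2290]: Failed password for carol from 198.51.100.23 port 33811 ssh2",
    "Dec 20 10:02:33 srv1 sshd[2301]: Accepted password for carol from 198.51.100.23 port 33850 ssh2",
]

if __name__ == "__main__":
    for user, ip, origin in audit(SAMPLE_LOG):
        print(f"{user:8} {ip:16} {origin}")
```

Because the two default addresses are used by every group without a custom Web Proxy IP, a `web-proxy` match shows that the login came through the Web Proxy, not which group or user it was.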

What traffic am I sending down my Pulse Secure tunnel?

Exactly which traffic is sent over the tunnel will differ from group to group, depending on which routes have been designated as part of your group's split tunnel configuration. If you want to see exactly what routes are installed on your client for tunneling purposes, click the Diagnostics button in the Pulse Secure window.

What are the different ways to end an SSL VPN session?

If you want to completely sign out of the SSL VPN, click the Sign Out button on either the SSL VPN Web Proxy page or the Pulse Secure client. If you simply quit the Pulse Secure client, you will end your Pulse Secure session, but your Web Proxy session will remain active.

Do I have to launch Pulse Secure from the SSL VPN Web Proxy Page?

After Pulse Secure is installed on your computer, you can launch it directly without logging into SSL VPN via your web browser. Note again, however, that if you simply quit the Pulse Secure client without clicking the Sign Out button, you will remain logged into the Web Proxy functions of the SSL VPN.

What are the browser requirements for SSL VPN?

A full document of exactly what features are supported by what versions of operating systems and browsers is available upon request. In general, the supported browsers are:

Note: On Mac OS X, most Web Proxy functionality works with non-Safari browsers, such as Firefox. However, there may be unexpected behavior when trying to launch Pulse Secure through the Firefox browser.

Can I customize the SSL Web Proxy Page?

To customize your SSL Web Proxy page you need to contact your local departmental SSL VPN administrator who can then submit a customization request to NUIT.

Is SSL VPN related to Single Sign On?

SSL VPN and Single Sign On are not tied together directly, but they do work together. For example, one can access an SSO-protected site through the SSL VPN (either via Web Proxy or through Pulse Secure). However, SSL VPN itself is not an SSO-protected resource. NUIT is investigating how to better tie SSL VPN and SSO together for future applications.

Can I use SSL VPN to remote desktop to my desktop computer?

It is possible to remote desktop to your PC through SSL VPN, but the bookmark for the remote desktop connection would be visible to everyone in your group. You would still have to log in with your local username and password after accessing your desktop.

Can I access SSL VPN as a member of multiple groups?

Yes. If you are a member of multiple LDAP groups, you will see a merged set of resources from all applicable groups on the SSL VPN start page.

Can I have an LDAP group set up for my individual needs?

No. Groups of one or two people should not be established.

Can I use SSL VPN to provide access to vendors or contractors?

Yes, however, they will not be able to access the system without a valid NetID and password. Contact the NUIT Support Center with all NetID and password issues.

Can I use my smartphone to access the Web Proxy?

Use of Pulse Secure for iPhone is supported.

Last Updated: 20 December 2018
