Overview
When faculty and staff are away from campus they often need to connect with servers back at MSU to do their work. When this work involves sensitive information, it is important that the Internet connection back to MSU be secure.
The MSU SSL VPN service provides MSU faculty and staff with a way to connect securely to the MSU campus network. This VPN connection works from any location, whether in East Lansing or anywhere around the world.
When you need to connect your computer to MSU's network remotely, using the SSL VPN service offers these advantages:
- Your computer will be given a secure path onto the MSU campus network. If you handle sensitive data as part of your work or research, a secure connection is important.
- Your computer will appear to have an IP address local to the MSU campus network. This allows you to connect to resources such as library databases that may require your computer to use an MSU campus address in order to gain access.
- You can use services that may have been restricted at MSU's border. For instance, for security reasons, MSU currently blocks access to Microsoft services when computers connect to MSU from off-campus. Other on-campus services, including departmental ones, may restrict which "ports" or services function. The SSL VPN may allow you to overcome such restrictions.
The service uses a product from Juniper Networks called Secure Access SSL VPN.
Upgrade notice
On Tuesday, November 17, 2009, ATS will upgrade the SSL VPN service to add support for MacOS 10.6 (Snow Leopard), Firefox 3.5 browser, and Microsoft Internet Explorer 8. This new version is reported to be Microsoft Windows 7 compatible as well.
Anyone using the SSL VPN service that we operate - regardless of the operating system used (Windows, Mac, or Linux) - will need to download and install new client software (in the form of a Java applet). The installation will require Administrator privileges. If you do not have Administrator rights, please contact your system administrator for help with this installation.
Who can access MSU's SSL VPN?
The SSL VPN service is available without charge for all regular faculty, staff, retirees, trustees, and graduate student users at MSU. The service is also available upon request for on-call or student employees; the request must be made by the employee's supervisor or another administrator within the requesting unit. The request should be made by filling out this form or by calling the ATS Help Desk at (517) 432-6200.
The SSL VPN service is also available on a limited basis for undergraduate students living on-campus. Students may request access in order to remotely access or administer their personal computer systems located within the campus residential hall or University Apartments system.
Requests for access by other users not fitting into the above categories should be made by filling out this form or by calling the ATS Help Desk at (517) 432-6200. Note that requests for access for individuals with an MSU NetID but who do not qualify for no-cost access must be paid for on a departmental account. Also note that the SSL VPN service is not available to holders of a departmental, group, or other shared NetID.
Virtual VPN service
An MSU department or other administrative unit may purchase a virtual VPN server for use within their unit. This server operates on the same hardware as the central SSL VPN service, but is independently manageable.
The primary applications for the virtual VPN service are:
- Ability to authorize a limited set of user ids or to use a local authentication server, e.g. to restrict to departmental staff only.
- Availability of a dedicated IP address range, which can be added to local system firewalls for remote access needs.
Refer to the Virtual VPN Rate Sheet for the setup and ongoing costs associated with this service.
Departmental requests for Virtual VPN service should be made by filling out this form or by calling the ATS Help Desk at (517) 432-6200.
Downloading the VPN software (administrator privileges required)
When necessary (first-time use or re-installation), the SSL VPN service will prompt you through the steps to install a Java "applet" from Juniper Networks that will allow you to connect using the SSL VPN service.
When the install is necessary, you must be logged into an account with Administrator privileges in order to install the Java applet. For future connections, you may use accounts with limited privileges. (However, when the ATS Network team installs a newer version of the Java client software, you will need to log in with Administrator privileges once again. Once the new applet is installed, you will be able to connect again.)
Your MSU SSL VPN tunnel and security
MSU's SSL VPN works by creating what is known as a "tunnel." When the tunnel is created, all of your Internet traffic will travel via MSU's SSL VPN. From there your data will continue to and from its destination(s) whether on campus or elsewhere on the global Internet.
Please understand the limitations of your VPN tunnel. It provides you secure access to MSU's campus network, but it does not ensure an encrypted path between you and the servers your department may host. Think of the SSL VPN service as a way to gain the same security you'd have if your computer was physically on campus. If you need end-to-end security -- between you and the servers you trust -- then work with your system administrators to ensure end-to-end security. For instance, if you work with sensitive data over the Web, be sure your communications are secure end-to-end.
End-to-end security is important. If you aren't sure if your connection is secure, ask questions until you are comfortable that your communications are encrypted as they should be.
Supported Operating Systems and Browsers
The Juniper SSL VPN applet supports a variety of operating systems; the Web client works on various versions of Windows, MacOS X, and Linux.
As of Tuesday, November 17, 2009, the SSL VPN service will be upgraded to add support for MacOS 10.6 (Snow Leopard), Firefox 3.5 browser, and Microsoft Internet Explorer 8. This new version is reported to be Microsoft Windows 7 compatible as well.
Following is a list of platforms that are known or expected to work with the Juniper SSL VPN applet after the upgrade occurs. Note that we have not tested all combinations. Also note that the product works under various versions of Linux, but we can provide only limited support for Linux use of this product.
- Windows Vista: Internet Explorer 6.0, 7.0, 8.0; Firefox 2.0, 3.0, 3.5
- Windows XP SP2 and SP3: Internet Explorer 6.0, 7.0, 8.0; Firefox 2.0, 3.0, 3.5
- Windows 2000 Professional SP4: Internet Explorer 6.0, 7.0, 8.0; Firefox 2.0, 3.0, 3.5
- Mac OS X 10.6.x Snow Leopard: Safari 1.0 and above running Sun JVM 5
- Mac OS X 10.5.x Leopard: Safari 2.0 and above, running Sun JRE 6
- Mac OS X 10.5.x Leopard: Safari 1.1 and above, running Sun JVM 5
- Mac OS X 10.4.3 Tiger: Safari 2.0 and above, running Sun JRE 5
- Mac OS X 10.4.x Tiger: Safari 1.1 and above, running Sun JVM 5
- Mac OS X 10.3.x Panther: Safari 1.1 and above, running Sun JVM 5
Using SSL VPN
Browse to https://vpn.msu.edu.
Log in with your MSU NetID and password.
Warning: popup blockers may interfere with your use
When you log into the SSL VPN, the software will attempt to open a pop-up window with information on the status of your connection. If you run anti-pop-up software, this may inhibit the loading of that window. You may need to disable your pop-up blocker.
After logging in, connect to the SSL VPN service
Once you've logged in, you'll see a screen that offers several options. To connect to the SSL VPN, click on the Start button next to "Network Connect."
If you've previously installed the SSL VPN applet, the session will commence and you can proceed.
When necessary (first-time use or re-installation), the SSL VPN service will prompt you through the steps to install a Java "applet" from Juniper Networks that will allow you to connect (refer to the Downloading the VPN software section above), and then the connection will commence.
Opening the status window
After your VPN session begins, an icon that resembles a lock will appear in your Windows system tray or your MacOS Dock. Click on this icon to bring up the Network Connect window to see the status of your connection.
Monitoring your VPN Session; signing out
The Network Connect status window also has a Sign Out button that lets you close your VPN session.
Note session and inactivity timeouts
The MSU SSL VPN service will log you out after the duration of your session exceeds 4 hours. If your session is not active for more than 30 minutes, you will be logged out. In either event you may start another session if you wish to do so.
Note to users of Instant Messaging, SSH, and other session-oriented services
When you start or stop your VPN session, your IP address will change to or from an MSU address. This change in IP address will interrupt session-oriented services such as Instant Messaging applications.
Accessing departmental servers
If you need to use the SSL VPN to reach a departmental server, please check with your system administrator to find out whether access via the SSL VPN server will function. If access to the server is not restricted by the server itself, or by the server's firewall, then the server should be accessible once you establish a VPN connection.
If you still cannot make a connection after logging in to the VPN, the system administrator may need to permit access via the VPN. The system administrator should grant access for the following IP address range:
35.12.72.0 through 35.12.75.255
Departmental server administrators will need to allow connections from this IP address range if they want users of the MSU SSL VPN service to access servers they support.
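For server administrators, the following added example (not part of the original page and not MSU's own tooling) collapses the range above into CIDR form and builds a firewall allow rule limited to a single service port. The function names, the iptables rule layout, and the choice of port 22 are assumptions for illustration.

```python
import ipaddress

# Range published on this page for MSU SSL VPN clients.
VPN_FIRST = ipaddress.IPv4Address("35.12.72.0")
VPN_LAST = ipaddress.IPv4Address("35.12.75.255")


def vpn_networks():
    """Collapse the first/last range into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(VPN_FIRST, VPN_LAST))


def is_vpn_client(addr):
    """True if addr falls inside the published VPN client range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed input is never treated as a VPN client
    return any(ip in net for net in vpn_networks())


def allow_rules(port, proto="tcp"):
    """Build iptables rules admitting VPN clients to one service port only.

    Scoping the rule to a port avoids opening every service on the host
    to the whole VPN range, which is shared by all VPN users.
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return [
        f"iptables -A INPUT -p {proto} -s {net} --dport {port} -j ACCEPT"
        for net in vpn_networks()
    ]


if __name__ == "__main__":
    # Port 22 (SSH) is an assumed example service, not taken from the page.
    for rule in allow_rules(22):
        print(rule)
    # Constructed sample addresses: last in range, first past it, unrelated.
    for sample in ("35.12.75.255", "35.12.76.0", "192.0.2.10"):
        print(sample, is_vpn_client(sample))
```

Because the source address only shows that a connection came through the VPN, the server should still authenticate users and encrypt the session itself, as the tunnel section above explains.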