
Connecting

University of Waterloo Campus VPN Service


Introduction

IST provides a Virtual Private Network (VPN) service to the campus community to facilitate telecommuting and other access to campus-based network resources. The VPN uses the public Internet to connect a remote computer, such as a home computer or a laptop, securely to the uWaterloo network. The underlying principle is to make the remote computer seem as if it were physically connected to the campus network.

Why use a VPN?

Off-campus computers are subject to various network restrictions:

  • UWaterloo network border policies prevent certain high-risk network traffic, such as Windows file-sharing (getting at your "network drive") and Unix/Linux X-Windows protocols.
  • Some websites and other network resources are restricted to uWaterloo computers only.
  • There are certain computer systems on campus that use "private addresses" that are restricted to use on campus.
  • Consumer ISPs sometimes implement restrictions on the kind of traffic that can be transmitted, or impose limits (such as email message size).

A VPN connection bypasses these restrictions by making the client appear as if it were on campus.

Advantages of a VPN

Access to network resources
The most apparent advantage of the VPN is that it allows users off-campus to connect to network resources such as network drives.
Simple to use
Once the VPN connection is started, it works in the background to manage all traffic between the off-campus computer and the campus resources. There is no need to start special file-transfer programs or other software to get at campus resources. Opening a file that resides on a campus-based network drive is as simple as opening a file on the local computer.
Connection security
VPN connections are encrypted end-to-end, using the same SSL/TLS encryption that secure websites use. This means that e-mail, file-sharing, web-browsing, calendars -- all of the data between the off-campus and on-campus computers is encrypted and secure.
Improved campus-wide strategy for IT security
With the campus VPN in place, it is now possible for IT managers on campus to be more pro-active in securing services. In particular, websites that provide sensitive services can be restricted to campus addresses only, and off-campus access can be provided through the authenticated VPN connection.

What's the difference between a VPN and "remote desktop"?

Many people already connect to campus network resources by using "remote desktop" (RDP) to connect to their campus workstation from off-campus. VPNs can offer some significant advantages over RDP:
  • RDP works by transmitting the video (and sometimes sound) signals from the on-campus system to the off-campus system and then transmitting keyboard and mouse signals from off-campus to the on-campus system. Depending on what you're doing, this can be very slow and provide poor interactive response.
  • The campus system must be powered on and in a ready state. This may not always be practical or feasible.
  • For laptop users, there is no on-campus system at all.
  • RDP provides some security, but with a VPN, the entire traffic stream is encrypted to the same degree as a secure website ("https" or SSL/TLS encryption).
  • Some departments and sub-networks do not permit RDP traffic from off-campus because of the security exposure. The campus gateway does permit RDP at the moment (as of March 2011), but may not at some point in the future.
  • RDP is a Windows-based product and is not applicable to Mac or Linux users. Tools such as "VNC", which are popular on Linux, are a security threat and their use is discouraged.

However, there are circumstances where using RDP will continue to make sense. With a VPN, applications and other software are running on the remote computer. If you have specialized applications installed on your uWaterloo workstation, you would need to install them again on the remote computer. This may or may not be feasible. In such circumstances it still makes sense to use RDP. However, using RDP within a VPN connection is a much more secure practice, and is the future direction of IT security.

Who can use the VPN?

At present (September 2011), the VPN service is available to University of Waterloo staff, faculty and graduate students.

Using the VPN

The VPN device's network address is cn-vpn.uwaterloo.ca. The web access address is https://cn-vpn.uwaterloo.ca. In the AnyConnect client, the "Connect to" location is cn-vpn.uwaterloo.ca.

If you only need to access on-campus web sites, using the VPN can be done without installing any software on your home computer. You can use the VPN website to access other websites. Most users, however, will need to install the VPN client software in order to get access to all campus network resources. In this case, you would run the Cisco AnyConnect client software, then do what you need to do to access the resource. For example, you would start the VPN client before running site-licensed software on your laptop that needs to connect to our license server, or before starting your Remote Desktop client.
The following documents give screen snapshots and detailed instructions for various operating systems.

Accessing Subscription-Based Resources Through The VPN

The Waterloo Library and some academic departments have subscriptions for electronic journals and other online resources. In most cases, access to these resources is restricted to on-campus IP addresses.

The VPN technology cannot circumvent this practice directly. When using the VPN from home or elsewhere, traffic to the electronic resource website (for example, a journal website) will not be sent through the VPN because the resource is not on campus. Instead, the VPN client sends requests in the "usual" way for the off-campus system. This will appear to be from an address that is not a uWaterloo IP address, and so access is typically not automatically granted as it would be for an on-campus computer.

Fortunately, the Waterloo Library has a portal web page that VPN users can use to access most subscription and licenced/restricted-access resources. From there you can reach all of the subscription-based resources that are available to the library.
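
The split-tunnel behaviour described above can be modelled in a few lines. This is an added example, not IST's configuration: the prefixes, the VPN pool address, the ISP address and the publisher allowlist are constructed placeholders (documentation and private address ranges), since the page does not publish the real values.

```python
import ipaddress

# Constructed placeholders: the page does not publish the campus prefixes,
# the VPN address pool, or any publisher's allowlist.
CAMPUS_PUBLIC = ipaddress.ip_network("192.0.2.0/24")   # stand-in for the campus public range
CAMPUS_PRIVATE = ipaddress.ip_network("10.0.0.0/8")    # stand-in for on-campus "private addresses"
SPLIT_INCLUDE = [CAMPUS_PUBLIC, CAMPUS_PRIVATE]        # destinations the client sends through the VPN
VPN_POOL_ADDR = ipaddress.ip_address("192.0.2.200")    # address the client holds inside the tunnel
ISP_ADDR = ipaddress.ip_address("203.0.113.45")        # the client's home ISP address
PUBLISHER_ALLOWLIST = [CAMPUS_PUBLIC]                  # journal site admits campus sources only


def route(dest):
    """Return (path, source_address) for a destination under split tunnelling."""
    d = ipaddress.ip_address(dest)
    if any(d in net for net in SPLIT_INCLUDE):
        return "tunnel", VPN_POOL_ADDR
    # Not a campus destination: the request leaves in the "usual" way.
    return "direct", ISP_ADDR


def publisher_admits(source):
    """IP-based access control as a subscription site would apply it."""
    return any(source in net for net in PUBLISHER_ALLOWLIST)


def explain(dest, ip_restricted=False):
    """Summarise the path taken and, for IP-restricted sites, the outcome."""
    path, src = route(dest)
    verdict = ""
    if ip_restricted:
        verdict = " -> admitted" if publisher_admits(src) else " -> refused"
    return f"{dest}: {path}, seen as {src}{verdict}"


if __name__ == "__main__":
    print(explain("10.20.30.40"))                       # campus network drive
    print(explain("192.0.2.10"))                        # campus-only website
    print(explain("198.51.100.7", ip_restricted=True))  # off-campus journal site
```

The last case is the one this section describes: the journal site is not a campus destination, so the request bypasses the tunnel and arrives from the ISP address, which the publisher's allowlist does not recognise.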

Laptops Already Joined to the Campus Active Directory (ADS)

For laptops (or any remote uWaterloo workstations) that are joined to the campus ADS Windows Active Directory, you can log into the domain via the VPN. This will make your laptop behave exactly as if it were on campus. This feature will be particularly valuable for users who travel and are using their uWaterloo laptops in hotels, airports and at other public access points. The security aspects of the VPN are particularly important in such situations.

FAQ

A list of frequently asked questions about VPN.

Technical Details

For those looking for more technical details about VPN. The complete documentation for VPN.