...

Yes, please follow the instructions on this page:
Connecting to SLAC's VPN Using Mac OS X

...

Yes, please follow these instructions:
Connecting to SLAC's VPN Using Linux

...

Internal AFS servers should be accessible.

In some cases, you will need to renew your Kerberos credentials and establish the connection with the internal AFS servers. Under Mac OS X or Linux, on the command line, enter:

  1. kinit <username>@SLAC.STANFORD.EDU (where <username> is your SLAC UNIX account name, and make sure the domain is all upper-case, as shown here)
  2. aklog

This will update your tokens for AFS and connect you to the AFS infrastructure. Initial access may incur a delay as the local cache is built.

If you experience an inability to access AFS, please email net-admin@slac.stanford.edu and describe your problem.

...

The license server may not function well over VPN. There are many failure modes, and most vendors have not upgraded to more recent flexlm versions that are more reliable, nor added support for alternative license servers when one fails or needs to be restarted due to upgrades/patching/failure. Also, serving a license across a VPN may be a license violation (e.g. if the license is limited to a site). At the moment it appears to work; however, there are no guarantees.

...

When connected to our VPN service, policy states that all traffic must go through SLAC. Security policies dictate that split tunneling is not allowed.

After connecting to the VPN, I could not access my local network resources (such as my printer at home)

This is a security feature of the new VPN. Once connected to SLAC, your system is isolated from your local network for your protection. In order to do things like access a home network-shared printer, local network file shares etc., you will need to temporarily disconnect from the SLAC VPN.
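The full-tunnel policy described above can be checked on a Linux client from its routing table. The following is an added example, not part of the original FAQ or SLAC's tooling; the interface name cscotun0 (the name AnyConnect commonly gives its tunnel device on Linux) and all sample routes are assumptions constructed for illustration.

```shell
# Classify a routing table in `ip -4 route show` format, read on stdin.
# $1 = tunnel interface name (assumed: cscotun0; substitute your own).
# Prints: full-tunnel, split-tunnel, or vpn-down.
classify_tunnel() {
    awk -v tun="$1" '
        {
            dev = ""; metric = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == tun) tun_routes++
            # The default route with the lowest metric carries the traffic.
            if ($1 == "default" && (!seen || metric < best)) {
                best = metric; best_dev = dev; seen = 1
            }
        }
        END {
            if (!tun_routes)          print "vpn-down"
            else if (best_dev == tun) print "full-tunnel"
            else                      print "split-tunnel"
        }'
}

# Constructed sample tables (documentation addresses, not real SLAC routes).
FULL_SAMPLE='default dev cscotun0 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.0.2.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

SPLIT_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
198.51.100.0/24 dev cscotun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

DOWN_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

for sample in "$FULL_SAMPLE" "$SPLIT_SAMPLE" "$DOWN_SAMPLE"; do
    printf '%s\n' "$sample" | classify_tunnel cscotun0
done
```

On a live system, pipe the real table in with `ip -4 route show | classify_tunnel cscotun0`; a result other than full-tunnel while the client reports a connection is worth reporting to the network administrators.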

After connecting to the VPN, can I print directly to the printer in my office at SLAC?

This is supported for most models of printers. If your particular printer is not accessible, please work with IT Department Support to assess the problem.

...

Regardless of getting VPN to work, Apple is currently at Lion (OS X 10.7). PPC/G5 Macintoshes are not supported under 10.6/10.7, so plans to replace such systems should be instigated for security/patching reasons alone.

The Cisco AnyConnect client for PPC is stuck at version 2.5. Although Cisco has been releasing security patches for that version, it is one major release behind the current software for all other platforms, which is at 3.0.

We performed significant testing of the 2.5 client, including on PPC systems, but eventually the decision to support only 3.0+ client versions was made due to the small number of users who would be affected, and the assumption that Apple will not continue to support PPC systems with OS updates for very long in the future (we don't know for sure, but are making an educated guess based on Apple's past behavior).

...

Testing is being performed with all those, and others, but there are many different OS versions, system configuration options and user use cases. And the SLAC community often has found individual unique ways of doing things that have simply not been (well) tested.

Any success/failure information adds to the knowledge base. Please submit your experiences at net-admin@slac.stanford.edu

Can I use my mail client with an external provider such as GMail or Apple MobileMe?

...

You may connect to external mail providers from your mail client via IMAP or POP protocols to receive mail, but when using VPN you must send mail through SLAC's authenticated SMTP server (or temporarily shut down the VPN connection).

The SLAC authenticated SMTP server does not look at the From: line, so the email will still appear to be from xxx.xxx@gmail.com. In addition, the SLAC authenticated SMTP server is Internet accessible, so you should be able to use it from anywhere.

...

Please note that most email clients allow you to configure multiple outgoing servers, and will attempt to connect to the default outbound mail server first. If the SLAC server is not the default, you may have to select it when sending mail or wait for the default server connection to time out before mail is sent.

Please see the mail-admins page for further details.

Every time I start a VPN, I have to pick a certificate in the dialog below. Is there any way I can make it the default so I don't have to pick?

...

It is occasionally necessary to reboot the VPN servers in order to install patched software, or to enable new features. This message indicates that the network administrator has disconnected your session so that the VPN server can be rebooted.

Click "OK" when you receive this message, and you should be able to connect again after approximately 1 minute. If you want to reconnect immediately, select an alternate server name from the AnyConnect connection window before reconnecting (e.g. change fwvpn1.slac.stanford.edu to fwvpn2.slac.stanford.edu).

If I connect to SLAC's VPN will I

...

lose all my active ssh sessions?

Yes, as all your traffic will then be routed through the VPN tunnel, making you appear to the server to come from a different IP address.
Only persistent connections are affected (ssh, remote desktop, ...); all other traffic (web surfing, ...) will be transparently rerouted through the VPN.

...

I can't get IPv6 working through the VPN.

IPv6 is currently not enabled for the SLAC VPN; IPv6 traffic coming from VPN clients is actively blocked.