Which connection string should I use?

Please use vpn.slac.stanford.edu; this is the address of a redundant cluster, so you won't be impacted by scheduled maintenance.

How to map network drives of the Windows central file servers when connected to the VPN?

...

Can I connect to the SLAC VPN using my mobile device, e.g. smartphone?

You need to download the free "Cisco AnyConnect Secure Mobility Client" from the app store (the Apple App Store for the iPhone and iPad; for the iPhone app, search the app stores for "Cisco AnyConnect Client"). On the iPhone and iPad it requires iOS 4.1 or later (multitasking). The iPhone/iPad client is not officially supported, but many users have reported success, and the client has been reported working on the main platforms (Android, iOS, Windows). Within the app, select "Add VPN Connection...".

You will need to set "vpn.slac.stanford.edu" as the server address; this will be replaced with a list of the VPN servers that is automatically updated each time you connect.

There are also Android apps but often they require the phone to be rooted.

SLAC does not provide support for personal devices or such apps at this time, but you are free to make your own attempts to connect using them. Other mobile devices may be able to connect when Cisco releases AnyConnect Secure Mobility clients for those platforms. Any informal support from the OCIO will focus on iOS and Android today and target browsers with HTML5 first. We use SSL VPN (not IPsec).

I'm getting periodically disconnected while I work, and I know I wasn't idle for 20 minutes

...

You should be able to access SLAC computers via RDP. If not, please report this with details as a problem to net-admin@slac.stanford.edu or the IT helpdesk.

Can I access confluence?

You should be able to fully access Confluence. If not, please report this with details as a problem to net-admin@slac.stanford.edu or the IT helpdesk.

Is all network traffic routed through SLAC when connected to VPN? Is traffic logged?

...

This is a security feature of the new VPN. Once connected to SLAC, your system is isolated from your local network for your protection. In order to do things like access a home network-shared printer, local network file shares etc., you will need to temporarily disconnect from the SLAC VPN. USB devices will still work.

After connecting to the VPN, can I print directly to the printer in my office at SLAC?

...

In order to test VPN connectivity, you should ping an internal, SLAC-only server; an example would be www-lanmon.slac.stanford.edu.

 

Are you doing your own testing with a Mac? Or a Windows box?

Testing is being performed with all those, and others, but there are many different OS versions, system configuration options and user use cases. And the SLAC community has often found unique ways of doing things that have simply not been (well) tested. Any success/failure information adds to the knowledge base. Please submit your experiences to net-admin@slac.stanford.edu.

Can I use my mail client with an external provider such as GMail or Apple MobileMe?

...

Please see the mail-admins page for further details.

...

I

...

You can remove certificates using the "Credential Manager":

  1. Open the Windows menu (formerly the Start menu)
  2. Type "certmgr.msc" in the Search/Run field at the bottom of the menu
  3. From the application that launches, delete the certificates in the "Personal" folder

You may also be able to connect, which will load a new client, and the next time you connect the certificates will not be displayed.

I was disconnected with the message "Administrator Reset", what does this mean and how do I reconnect?

...

Maintenance sometimes has to be performed on the VPN gateways, and this message indicates that the network administrator has disconnected your session so that the VPN server can be rebooted.

Thanks to our redundant system, users who use vpn.slac.stanford.edu as the connection string are not affected by our scheduled maintenance.

...

Yes, as all your traffic will then be routed through the VPN tunnel, making you appear to the server as coming from a different IP address. Only persistent connections (ssh, remote desktop...) are affected; all other traffic (web surfing,...) will be transparently rerouted through the VPN.

Which login should I use to connect to the

...

VPN system?

You must use the login of your SLAC Windows account, and this account should be VPN enabled (enabled for "dialup services"). From a computer on the SLAC network, you can check whether an account is VPN capable by doing a query on https://www-internal.slac.stanford.edu/comp/windows/search/usersearch.aspx (VPN status will indicate "Active" or not).

When entering your login in the Cisco AnyConnect client's interface, please do not prefix it with "SLAC\"; only put your login name in the field.

...

IPv6 is currently not enabled for the SLAC VPN and is actively blocked.

Where can I find more information on VPN security issues

See http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf from NIST.

Can I connect to Stanford university using SLAC VPN?

...

When connected to the SLAC VPN, you can reach Stanford resources as if you were in your office at SLAC.

...

SLAC

...

1/8/2015: Samsung Galaxy devices have trouble validating the VPN gateways' SSL certificates. When trying to connect to vpn.slac.stanford.edu with the Cisco AnyConnect client, or when going to https://vpn.slac.stanford.edu with a browser, the device will complain that the certificate is invalid (an "unknown CA" message or similar). Some old systems (Windows XP) may also have a similar issue.

This is because on these devices the default keystore is currently missing some intermediate certificates, particularly the one used by thawte to issue SHA-256 certificates (CA issuer name cn=thawte SSL CA - G2).

To fix this, go to http://thawte.tbs-certificats.com/thawte_tj.crt with a web browser; it will then ask for a name for this certificate. Enter something like "Thawte SHA256" and then validate. The certificate will be automatically imported into the keystore.

Then, if you go to https://vpn.slac.stanford.edu or connect to the SLAC VPN gateways with the Cisco AnyConnect client, it will work without issuing a warning.
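The missing-intermediate failure described above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the SLAC page: the three-certificate lab PKI, its names (including "Lab SSL CA - G2" and vpn.example.test) and the function names are all constructed for illustration. It also shows a check to run on an intermediate certificate before importing it into a keystore.

```shell
# Constructed lab PKI (root -> intermediate -> server); every name is made up.
set -e

build_lab_pki() {   # $1 = empty working directory
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
        'CN=placeholder' '[lab_ca]' 'basicConstraints=critical,CA:TRUE' \
        > "$d/lab.cnf"
    for pair in "root:Lab Root CA" "inter:Lab SSL CA - G2" "vpn:vpn.example.test"
    do  # key + CSR per certificate, named <prefix>.key / <prefix>.csr
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/lab.cnf" \
            -subj "/CN=${pair#*:}" -keyout "$d/${pair%%:*}.key" \
            -out "$d/${pair%%:*}.csr" 2>/dev/null
    done
    # Self-signed root: stands in for a CA the device keystore already trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -sha256 -extfile "$d/lab.cnf" -extensions lab_ca \
        -out "$d/root.crt" 2>/dev/null
    # Intermediate issued by the root, server certificate by the intermediate.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/lab.cnf" \
        -extensions lab_ca -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/vpn.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/vpn.crt" 2>/dev/null
}

# Keystore holds only the root and the client sees only the server certificate.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/vpn.crt" >/dev/null 2>&1
}

# Same keystore once the intermediate is available to the client.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
        "$1/vpn.crt" >/dev/null 2>&1
}

# Pre-import check: must chain to a trusted root; prints identity + fingerprint.
check_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/inter.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$1/inter.crt" -noout -subject -issuer -fingerprint -sha256
}

lab=$(mktemp -d)
build_lab_pki "$lab"
verify_without_intermediate "$lab" || echo "root only: issuer unknown, verification fails"
verify_with_intermediate "$lab" && echo "with intermediate: chain verifies"
check_intermediate "$lab"
rm -rf "$lab"
```

For a real intermediate, the SHA-256 fingerprint printed by the last step is the value to compare against the one the issuing CA publishes over HTTPS.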