IT Help and Support

University Information Services

Some institutions require a VPN service that is accessible only to their own members, to provide access to private resources within that institution. UIS offers a managed, institutional version of the UIS VPN Service to meet this need.

Whether an institutional VPN is required to access a particular local resource is determined by the IT staff within that institution. Users should contact their local IT Support staff for more information.

Information for users on how to configure their clients, covering the differences between the general VPN Service and the Managed VPN Service is provided below. The list of Managed VPN Services (for each institution) is on a separate page.

What is the Managed VPN Service?

The institutional service uses the same Network Access Tokens as the main UIS VPN service. However, it differs in several ways:

  • The hostname of the VPN server is different - typically in the domain of the requesting institution (e.g. vpn.botolphs.cam.ac.uk).
  • The IP addresses issued to connecting clients come from a known, exclusive range, which institutions can use to grant privileged access to services by permitting that range through firewalls or other IP-based access controls.  The range can also be inside a private network provided by the MPLS VPN Service.
  • The users who can access the service are limited to a subset of all users, controlled using an institutionally-managed Lookup group.  Per-device tokens (i.e. usernames in the format 'CRSid+device@cam.ac.uk') can be used and only require that the CRSid (not each device) is added to the group.  Institutional tokens (usernames in the format 'inst-number@cam.ac.uk') can NOT be used with a Managed VPN, but will work with the general VPN service.
  • Optionally, custom DNS server addresses can be returned (instead of the usual UDN recursive nameservers) so that private, internal institutional resources (e.g. Active Directory) can be resolved.  A maximum of two servers can be returned.
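The access rule in the list above, worked through as an added example (this is not UIS code and does not query Lookup): a username is classified as a plain token, a per-device token or an institutional token, institutional tokens are refused on a Managed VPN, and per-device tokens are reduced to their CRSid before the group check. The group contents, CRSids and institution name are constructed, and the assumption that a CRSid is letters followed by digits is this example's own.

```python
"""Managed VPN access rule applied to a VPN username.

Added illustration, not UIS code: it does not query Lookup. GROUP_MEMBERS is a
constructed set standing in for an institutionally-managed Lookup group, and the
CRSids and institution name below are made up. The token syntax follows the
page (CRSid@cam.ac.uk, CRSid+device@cam.ac.uk, inst-number@cam.ac.uk); the
assumption that a CRSid is letters followed by digits is this example's own.
"""
import re
from typing import NamedTuple, Optional, Set

# Assumed CRSid shape: one or more letters then one or more digits (e.g. abc123).
CRSID = r"(?P<crsid>[a-z]+[0-9]+)"
PLAIN_TOKEN = re.compile(rf"^{CRSID}@cam\.ac\.uk$")
PER_DEVICE_TOKEN = re.compile(rf"^{CRSID}\+(?P<device>[a-z0-9._-]+)@cam\.ac\.uk$")
INSTITUTIONAL_TOKEN = re.compile(r"^(?P<inst>[a-z]+)-(?P<number>[0-9]+)@cam\.ac\.uk$")


class Decision(NamedTuple):
    allowed: bool
    reason: str
    crsid: Optional[str]  # the CRSid checked against the group, if any


def managed_vpn_decision(username: str, group_members: Set[str]) -> Decision:
    """Decide whether a username may connect to an institution's Managed VPN.

    Institutional tokens are refused outright; per-device and plain tokens are
    reduced to their CRSid, and only that CRSid has to be in the Lookup group.
    """
    user = username.strip().lower()
    if INSTITUTIONAL_TOKEN.match(user):
        return Decision(False, "institutional tokens cannot be used with a Managed VPN", None)
    match = PER_DEVICE_TOKEN.match(user) or PLAIN_TOKEN.match(user)
    if match is None:
        return Decision(False, "unrecognised username format", None)
    crsid = match.group("crsid")
    if crsid in group_members:
        return Decision(True, "CRSid is in the institution's Lookup group", crsid)
    return Decision(False, "CRSid is not in the Lookup group; contact the local Computer Officer", crsid)


def general_vpn_decision(username: str) -> Decision:
    """The general UIS VPN service has no group restriction and also accepts
    institutional tokens; only the username format is checked here."""
    user = username.strip().lower()
    if INSTITUTIONAL_TOKEN.match(user):
        return Decision(True, "institutional token accepted on the general service", None)
    match = PER_DEVICE_TOKEN.match(user) or PLAIN_TOKEN.match(user)
    if match is None:
        return Decision(False, "unrecognised username format", None)
    return Decision(True, "Network Access Token accepted on the general service", match.group("crsid"))


# Constructed Lookup group contents: only these CRSids are members.
GROUP_MEMBERS = {"abc123", "xyz99"}

if __name__ == "__main__":
    for name in ("abc123@cam.ac.uk", "abc123+laptop@cam.ac.uk",
                 "qrs45+phone@cam.ac.uk", "botolphs-12@cam.ac.uk"):
        print(f"{name:28} managed: {str(managed_vpn_decision(name, GROUP_MEMBERS).allowed):5}  "
              f"general: {general_vpn_decision(name).allowed}")
```

Note that a per-device token for a CRSid already in the group is accepted without any per-device entry, which is the behaviour the list item describes; a user whose CRSid is missing from the group gets a refusal that points them at their Computer Officer, matching the first-action advice given later on this page.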

The service is free to end users, but the service must be subscribed to by an institution – charges are described below.

If you are not able to connect to your institution's managed VPN, as a first action please contact your local Computer Officer, who can check your Lookup group membership.

How can I request a Managed VPN Server?

If you are a Computer Officer, and your institution does not currently have the Managed VPN Service, you may request it via , stating the following, and including a Purchase Order:

  1. What the hostname of the VPN gateway server should be (e.g. vpn.botolphs.cam.ac.uk). This will act as the frontend for the new service.  It needs to be in one of the existing domains allocated to the institution.
  2. We will also create and manage server certificates for this hostname on your behalf - please explicitly state that you are happy for us to do this.
  3. A separate subnet of UDN-wide IP addresses (either public or private) will need to be allocated for use by the VPN clients.  There are two options here:
    1. A new range of UDN-wide private IP addresses can be allocated by Hostmaster.  Typically this will be a /24 but institutions should state if this is insufficient or wildly over-sized (to avoid wasting addresses).  Institutions must state the expected number of simultaneous clients; if more clients attempt to connect, they will be refused.
    2. Alternatively, if your organisation has its own block of IP addresses, you may elect to subnet off a routable block of these, rather than have a separate range assigned by Hostmaster. This may involve some reconfiguration of the routing between your institutional network and the UDN.  Note this cannot be part of an existing subnet which is already routed at an institution, unless that subnet is freed up to be moved for the VPN service.
  4. Lookup group.  A new group will be created within your institution to control network access (recommended), or we can use one of your existing Lookup groups.  Please state which of these you require.
  5. DNS server addresses.  By default, the normal UDN recursive nameservers' addresses will be supplied to clients, allowing names in private.cam.ac.uk to be resolved.  Custom DNS server addresses can be returned instead, to access private internal resources (e.g. institutional Active Directory nameservers).
  6. The routing space to be used for the client range.  The vast majority of managed VPNs use the UDN default routing space; this only needs to be different if the traffic is to be routed inside an MPLS VPN.

If the institution requires any changes to the rules on a UIS Managed Firewall, or access control lists on routers managed by the UIS, they should include this in the request and UIS Networks will coordinate that change on their behalf.  It can also be requested later, through a separate request, once the range is set up.

Information on how users should configure their clients is given below.

Pricing

There is a nominal charge to institutions for this service. This reflects the management requirements and supports expansion of the service as needed. If an institution wishes to make particularly heavy use of the service, this can be supported by prior arrangement.

Prices for the academic year 2018–2019:

Service        Annual charge
Typical use    £300
Heavy use      POA

In addition to this, traffic between Janet and the managed VPN client range will be included in the total for that institution.

If you are an institutional Computer Officer and are interested in using the Managed VPN Service, please contact the  to discuss your particular requirements. If you decide you would like to use the service, please include an email with your purchase order.

Configuring clients

Configuring client devices to use a Managed VPN Service is largely identical to configuring the general UIS VPN Service: users can simply follow the regular instructions for their client device and operating system, making changes at the appropriate point during the setup:

  1. The hostname of the VPN server changes from vpn.uis.cam.ac.uk to (usually) vpn.inst.cam.ac.uk, i.e. the "uis" part is replaced by the institution's domain name.
  2. The server certificate is different (it contains the hostname of the VPN server), so an alternative certificate must be installed on platforms which require it. Currently this applies only to the built-in client on Android and some Linux distributions, including Ubuntu. Reports suggest it may also be required for the latest builds of Windows 10.
  3. Apple devices which use a connection profile (both iOS and macOS, although not Yosemite, due to a bug) require a different profile because the hostname is different.

Different platforms require different settings, and no platform requires all three of the above changes.

A list of Managed VPN Services, their hostnames, certificates and Apple profiles is available on a separate page.

Configuring firewalls/routing/servers

The client range is routed onto the UDN via the VPN gateway from outside the institutional network: clients do not appear directly inside an institutional network (such as on an internal VLAN).  As such, this range will typically arrive on the 'untrusted' or 'outside' side of the institutional firewall and will need to be permitted through it, as required by the institutional policies.

The technical/generic information page describes this in more detail, including how this range is NATed when exiting onto Janet and the internet.

Alternatively, the MPLS VPN Service can be used to route the client range as part of the 'inside' of an institutional network.  There are two caveats:

  • The clients will still be on a separate subnet/VLAN from any of those used by the institution — they cannot be directly dropped on to an existing subnet.
  • The address range used for the VPN clients cannot be institution private: it must either be UDN-wide private or global.

If this service is used, the VPN server end of the setup will be treated as another 'site' belonging to the institution for the purposes of charging; if the institution does not already have an MPLS VPN set up, they will need to also pay for the home site side of the setup.
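An added illustration of the two firewall points made in this section (this is not UIS configuration or a real firewall): a small first-match ACL evaluator in which the Managed VPN client range, arriving on the outside of the institutional firewall, is permitted explicitly to one internal service, while the general VPN range falls through to the default deny; plus the check that the client range is a subnet of its own and does not overlap any existing institutional subnet. All prefixes are constructed from RFC 5737 documentation space; the real range is allocated by Hostmaster.

```python
"""Institutional firewall policy for a Managed VPN client range.

Added illustration, not UIS configuration or a real firewall: a small
first-match ACL evaluator showing the two points made above. The Managed VPN
client range arrives on the outside of the institutional firewall, so it must
be permitted explicitly, and the range must be a subnet of its own rather than
part of an existing institutional subnet. All prefixes are constructed from
RFC 5737 documentation space; the real range is allocated by Hostmaster.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    src: IPNet
    dst: IPNet
    dport: Optional[int]  # None means any destination port


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr)


# Constructed prefixes (not real UDN allocations).
MANAGED_VPN_CLIENTS = net("198.51.100.0/24")  # the institution's exclusive client range
GENERAL_VPN_CLIENTS = net("203.0.113.0/24")   # general UIS VPN users: not trusted here
INTERNAL_SUBNETS = [net("192.0.2.0/25"), net("192.0.2.128/25")]  # existing institutional subnets
FILE_SERVER = net("192.0.2.10/32")


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; anything unmatched on the outside interface is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def client_range_is_separate(client_range: IPNet, internal: List[IPNet]) -> bool:
    """The client range cannot be carved out of a subnet already routed at the
    institution; it must not overlap any existing internal subnet."""
    return not any(client_range.overlaps(n) for n in internal)


# Policy on the outside interface: only the Managed VPN range reaches the file
# server, and only on the SMB port; the general VPN range falls through to deny.
RULES = [
    Rule("permit", MANAGED_VPN_CLIENTS, FILE_SERVER, 445),
    Rule("deny", net("0.0.0.0/0"), net("0.0.0.0/0"), None),
]

if __name__ == "__main__":
    print("client range separate from internal subnets:",
          client_range_is_separate(MANAGED_VPN_CLIENTS, INTERNAL_SUBNETS))
    for src, port in (("198.51.100.7", 445), ("198.51.100.7", 22), ("203.0.113.7", 445)):
        print(src, port, "->", evaluate(RULES, src, "192.0.2.10", port))
```

The same evaluator applies whether the range is routed via the UDN default routing space or inside an MPLS VPN: in the MPLS case the rule set sits on the 'inside', but the clients are still a separate subnet, so the overlap check above still has to pass.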

Last updated: 4th March 2021