skip to primary navigationskip to content
 

Managed VPN Service for Institutions

Some institutions have a requirement for a VPN service that is only accessible by their own members to provide access to private resources within that institutions. The UIS offers a managed, institutional version of the UIS VPN Service to meet this need.

Whether an institutional VPN is required to access a particular local resource is determined by the IT staff within that institution.  Users should contact their local IT Support staff, for more information.

Information for users on how to configure their clients, covering the differences between the general VPN Service and the Managed VPN Service is provided below.

Contents

What is the Managed VPN Service?

The institutional service uses the same Network Access Tokens as the main the main UIS VPN service. However, it differs in three ways:

  1. The hostname of the VPN server is different - typically in the domain of the requesting institution (e.g. vpn.botolphs.cam.ac.uk).
  2. The IP addresses issued to connecting clients will come from a known, exclusive range which institutions can use to provide privileged access to services by permitting them through firewalls or other IP-based access controls.  The IP address range can also be inside an private network provided by the MPLS VPN Service.
  3. The users who can access the service is limited to a subset of all users, controlled using an institutionally-managed Lookup group.
  4. Optionally, custom DNS server addresses can be returned (instead of the usual CUDN recursive nameservers) to allow private, internal institutional resources to be accessed (e.g. Active Directories).

The service is free to end users, but the service must be subscribed to by an institution – charges are described below.

If you are not able to connect to your institution's managed VPN, as a first action please contact your local Computer Officer, who can check your Lookup group membership.

How can I request a Managed VPN Server?

If you are a Computer Officer, and your institution does not currently have the Managed VPN Service, you may request it via , stating the following:

  1. What the hostname of the VPN gateway server should be (e.g. vpn.botolphs.cam.ac.uk). This will act as the frontend for the new service.  It needs to be in one of the existing domains allocated to the institution.
  2. We will also create and manage server certificates for this hostname on your behalf - please explicitly state that you are happy for us to do this.
  3. A separate subnet of CUDN-wide IP addresses (either public or private) will need to be allocated for use by the VPN clients.  There are two options here:
    1. A new range of CUDN-wide private IP addresses can be allocated by Hostmaster.  Typically this will be a /24 but institutions should state if this is insufficient or wildly over-sized (to avoid wasting addresses).  Institutions must state the expected number of simultaneous clients; if more clients attempt to connect, they will be refused.
    2. Alternatively, if your organisation has its own block of IP addresses, you may elect to subnet off a routable block of these, rather than have a separate range assigned by Hostmaster. This may involve some reconfiguration of the routing between your institutional network and the CUDN.  Note this cannot be part of an existing subnet wish is already routed at an institution, unless that subnet is freed up to be moved for the VPN service.
  4. Lookup group.  A new group will be created within your institution to control network access (recommended), or we can use one of your existing lookup groups.  Please state which of these you require.
  5. DNS server addresses.  By default, the normal CUDN recursive nameservers' addresses will be supplied to clients, allowing names in private.cam.ac.uk to be resolved.  Custom DNS server addresses can be returned instead, to access private internal resources (e.g. institutional Active Directory nameservers).
  6. The routing space to be used for the client range.  The vast majority of managed VPNs use the CUDN default routing space; this only needs to be different if the traffic is to be routed inside an MPLS VPN.

Information on how users should configure their clients is given below.

Pricing

There is a nominal charge to institutions for this service. This reflects the management requirements and supports expansion of the service as needed. If an institution wishes to make particularly heavy use of the service, this can be supported by prior arrangement.

Current pricing

Prices for the academic year 2015–2016:

ServiceAnnual Charge
Typical use £300
Heavy use POA

In addition to this, traffic between Janet and the managed VPN client range will be included in the total for that institution.

If you are an institutional Computer Officer and are interested in using the Managed VPN Service, please contact  to discuss your particular requirements. If you decide you would like to use the service, please include an email with your purchase order.

Configuring clients

Configuring client devices to use a Managed VPN Service is largely identical to configuring the general UIS VPN Service: users can simply follow the regular instructions for their client device and operating system, making changes at the appropriate point during the setup:

  1. The hostname of the VPN server changes from vpn.uis.cam.ac.uk to (usually) vpn.inst.cam.ac.uk (i.e. the "uis" part changes for the domain name of their institution).
  2. The server certificate is different (as it contains the hostname of the VPN server) and an alternative one must be installed on platforms which require it.  Currently this applies only to the built-in client on Android.
  3. Apple devices which use a connection profile — both iOS and OS X (although not Yosemite, due to a bug) — require a different profile due to the hostname being different).

Different platforms require different settings and no platform will require all of the above settings to be different.

A table of Managed VPN Services and their differences is below.

List of Managed VPN Services, settings and files

The following table is a list of institutional VPN services currently in operation, along with links to download the customised server certificate and iOS profile:

InstitutionVPN server hostname

Client certificate
(for Android) 

Connection profile
(for Apple: iOS and macOS) 
(Default - University) vpn.uis.cam.ac.uk Certificate Profile
Astronomy (Institute of) vpn.ast.cam.ac.uk Certificate Profile
Cambridge Institute for Medical Research (CIMR) fireship.cimr.cam.ac.uk Certificate Profile
Computer Laboratory vpn.cl.cam.ac.uk Certificate Profile
Chemistry

vpn3.ch.cam.ac.uk

Certificate Profile
Fitzwilliam Museum

vpn.fitzmuseum.cam.ac.uk

Certificate Profile
Gonville and Caius College vpn.cai.cam.ac.uk Certificate Profile
International Union for the Conservation of Nature (IUCN) vpn.iucn.conservation.cam.ac.uk Certificate Profile
Land Economy

vpn.landecon.cam.ac.uk

Certificate Profile
Law vpn.law.cam.ac.uk Certificate Profile
Trinity College vpn.trin.cam.ac.uk Certificate Profile
Trinity Hall vpn.trinhall.cam.ac.uk Certificate Profile
University Library vpn.lib.cam.ac.uk Certificate Profile
Woolf Institute vpn.woolf.cam.ac.uk Certificate Profile

In addition to the list above, some institutions may have managed VPNs which are not publicly advertised.  Users should contact their local IT Support staff to find out if such a service exists or is required to reach a resource.

Configuring firewalls/routing/servers

The client range will be routed onto the CUDN via the VPN gateway from outside the institutional network: clients will not directly appear inside an institutional network (such as on an internal VLAN).  As such, this range will typically come in from the 'untrusted' or 'outside' of the institutional firewall and need to be permitted through it, as required by the institutional policies.

Alternatively, the MPLS VPN Service can be used to route the client range as part of the 'inside' of an institutional network.  There are two caveats:

  • The clients will still be on a separate subnet/VLAN from any of those used by the institution — they cannot be directly dropped on to an existing subnet.
  • The address range used for the VPN clients cannot be institution private: it must either be CUDN-wide private or global.

If this service is used, the VPN server end of the setup will be treated as another 'site' belonging to the institution for the purposes of charging; if the institution does not already have an MPLS VPN set up, they will need to also pay for the home site side of the setup.

Last updated: 9th September 2016