 

Managed VPN Service for Institutions

Some institutions have a requirement for a VPN service that is only accessible by their own members, to provide access to private resources within that institution. UIS offers a managed, institutional version of the UIS VPN Service to meet this need.

Whether an institutional VPN is required to access a particular local resource is determined by the IT staff within that institution. Users should contact their local IT Support staff for more information.

Information for users on how to configure their clients, covering the differences between the general VPN Service and the Managed VPN Service, is provided below. The list of Managed VPN Services (for each institution) is on a separate page.


What is the Managed VPN Service?

The institutional service uses the same Network Access Tokens as the main UIS VPN Service. However, it differs in four ways:

  1. The hostname of the VPN server is different - typically in the domain of the requesting institution (e.g. vpn.botolphs.cam.ac.uk).
  2. The IP addresses issued to connecting clients will come from a known, exclusive range which institutions can use to provide privileged access to services by permitting them through firewalls or other IP-based access controls.  The IP address range can also be inside a private network provided by the MPLS VPN Service.
  3. The users who can access the service are limited to a subset of all users, controlled using an institutionally managed Lookup group.
  4. Optionally, custom DNS server addresses can be returned (instead of the usual UDN recursive nameservers) to allow private, internal institutional resources to be accessed (e.g. Active Directories).  A maximum of two servers can be returned.

The service is free to end users, but the service must be subscribed to by an institution – charges are described below.

If you are not able to connect to your institution's managed VPN, as a first action please contact your local Computer Officer, who can check your Lookup group membership.

How can I request a Managed VPN Server?

If you are a Computer Officer, and your institution does not currently have the Managed VPN Service, you may request it via , stating the following, and including a Purchase Order:

  1. What the hostname of the VPN gateway server should be (e.g. vpn.botolphs.cam.ac.uk). This will act as the frontend for the new service.  It needs to be in one of the existing domains allocated to the institution.
  2. We will also create and manage server certificates for this hostname on your behalf - please explicitly state that you are happy for us to do this.
  3. A separate subnet of UDN-wide IP addresses (either public or private) will need to be allocated for use by the VPN clients.  There are two options here:
    1. A new range of UDN-wide private IP addresses can be allocated by Hostmaster.  Typically this will be a /24 but institutions should state if this is insufficient or wildly over-sized (to avoid wasting addresses).  Institutions must state the expected number of simultaneous clients; if more clients attempt to connect, they will be refused.
    2. Alternatively, if your organisation has its own block of IP addresses, you may elect to subnet off a routable block of these, rather than have a separate range assigned by Hostmaster. This may involve some reconfiguration of the routing between your institutional network and the UDN.  Note this cannot be part of an existing subnet which is already routed at an institution, unless that subnet is freed up to be moved for the VPN service.
  4. Lookup group.  A new group will be created within your institution to control network access (recommended), or we can use one of your existing Lookup groups.  Please state which of these you require.
  5. DNS server addresses.  By default, the normal UDN recursive nameservers' addresses will be supplied to clients, allowing names in private.cam.ac.uk to be resolved.  Custom DNS server addresses can be returned instead, to access private internal resources (e.g. institutional Active Directory nameservers).
  6. The routing space to be used for the client range.  The vast majority of managed VPNs use the UDN default routing space; this only needs to be different if the traffic is to be routed inside an MPLS VPN.

If the institution requires any changes to the rules on a UIS Managed Firewall, or access control lists on routers managed by the UIS, they should include this in the request and UIS Networks will coordinate that change on their behalf.  It can also be requested later, through a separate request, once the range is set up.

Information on how users should configure their clients is given below.

Pricing

There is a nominal charge to institutions for this service. This reflects the management requirements and supports expansion of the service as needed. If an institution wishes to make particularly heavy use of the service, this can be supported by prior arrangement.

Prices for the academic year 2018–2019:

Service        Annual Charge
Typical use    £300
Heavy use      POA

In addition to this, traffic between Janet and the managed VPN client range will be included in the total for that institution.

If you are an institutional Computer Officer and are interested in using the Managed VPN Service, please contact the  to discuss your particular requirements. If you decide you would like to use the service, please include an email with your purchase order.

Configuring clients

Configuring client devices to use a Managed VPN Service is largely identical to configuring the general UIS VPN Service: users can simply follow the regular instructions for their client device and operating system, making changes at the appropriate point during the setup:

  1. The hostname of the VPN server changes from vpn.uis.cam.ac.uk to (usually) vpn.inst.cam.ac.uk (i.e. the "uis" part changes to the domain name of their institution).
  2. The server certificate is different (as it contains the hostname of the VPN server) and an alternative one must be installed on platforms which require it.  Currently this applies only to the built-in client on Android. Reports suggest it may also be required for the latest builds of Windows 10.
  3. Apple devices which use a connection profile — both iOS and macOS (although not Yosemite, due to a bug) — require a different profile, because the hostname is different.

Different platforms require different settings and no platform will require all of the above settings to be different.

A list of Managed VPN Services, their hostnames, certificates and Apple profiles is available on a separate page.

Configuring firewalls/routing/servers

The client range will be routed onto the UDN via the VPN gateway from outside the institutional network: clients will not directly appear inside an institutional network (such as on an internal VLAN).  As such, this range will typically come in from the 'untrusted' or 'outside' of the institutional firewall and need to be permitted through it, as required by the institutional policies.

Alternatively, the MPLS VPN Service can be used to route the client range as part of the 'inside' of an institutional network.  There are two caveats:

  • The clients will still be on a separate subnet/VLAN from any of those used by the institution — they cannot be directly dropped on to an existing subnet.
  • The address range used for the VPN clients cannot be institution private: it must either be UDN-wide private or global.

If this service is used, the VPN server end of the setup will be treated as another 'site' belonging to the institution for the purposes of charging; if the institution does not already have an MPLS VPN set up, they will need to also pay for the home site side of the setup.
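The security-relevant consequence of the above is that the exclusive client range only buys privileged access if the institutional firewall actually distinguishes it from the rest of the UDN arriving on the same 'outside' interface, and only if it is kept off the existing internal subnets. The following is an added example, not UIS code or configuration: it models such a policy in Python, checks the two range caveats, and emits equivalent nftables rules. All addresses, the interface name "outside", and the service list are constructed placeholders, not real UIS or institutional allocations.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the UDN-wide range allocated to this
# institution's VPN clients (a real allocation would come from Hostmaster).
VPN_CLIENT_RANGE = ipaddress.ip_network("10.200.17.0/24")

# Constructed placeholder for the institution's own internal subnet.
INSIDE_LAN = ipaddress.ip_network("172.16.5.0/24")


@dataclass(frozen=True)
class Service:
    """An internal service that VPN clients are permitted to reach."""
    name: str
    host: str
    port: int
    proto: str = "tcp"


# Constructed: private resources the institution wants to expose to VPN users.
SERVICES = (
    Service("smb-fileserver", "172.16.5.10", 445),
    Service("intranet-https", "172.16.5.20", 443),
)


def validate_ranges(vpn_range: str = str(VPN_CLIENT_RANGE),
                    inside: str = str(INSIDE_LAN)) -> None:
    """Enforce the caveat that VPN clients are never dropped onto an existing
    institutional subnet: the client range must not overlap the inside LAN."""
    vpn, lan = ipaddress.ip_network(vpn_range), ipaddress.ip_network(inside)
    if vpn.overlaps(lan):
        raise ValueError(f"VPN client range {vpn} overlaps inside LAN {lan}")


def allowed(src: str, dst: str, port: int, proto: str = "tcp") -> bool:
    """Decide whether a new connection is permitted through the firewall.

    Hosts already on the inside LAN are trusted. VPN clients, which arrive from
    the outside like any other UDN host, are allowed only to the listed
    services. Everything else from the UDN or the Internet is refused.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in INSIDE_LAN:
        return True
    if src_ip in VPN_CLIENT_RANGE:
        return any(
            dst_ip == ipaddress.ip_address(s.host)
            and port == s.port
            and proto == s.proto
            for s in SERVICES
        )
    return False


def nftables_rules() -> list[str]:
    """Emit nftables rules equivalent to allowed(): one accept per service,
    keyed on the VPN client range, followed by a default drop from outside.
    The interface name "outside" is an assumed placeholder."""
    rules = [
        f'iifname "outside" ip saddr {VPN_CLIENT_RANGE} ip daddr {s.host} '
        f'{s.proto} dport {s.port} ct state new accept comment "vpn->{s.name}"'
        for s in SERVICES
    ]
    rules.append('iifname "outside" ct state new drop '
                 'comment "default deny from UDN/Internet"')
    return rules


if __name__ == "__main__":
    validate_ranges()
    for rule in nftables_rules():
        print(rule)
    # Constructed sample connections; 198.51.100.7 stands in for an ordinary
    # UDN host that is not a VPN client.
    print(allowed("10.200.17.42", "172.16.5.10", 445))  # VPN client -> SMB: True
    print(allowed("198.51.100.7", "172.16.5.10", 445))  # other UDN host: False
```

The generated rules are only as good as the match on the source range: if the institutional firewall already has a broad accept for UDN addresses ahead of them, the VPN clients gain nothing the rest of the UDN does not also have, so the per-service accepts should sit before any wider UDN rules.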

Last updated: 26th July 2019
