
Managed VPN Service for Institutions

Some institutions require a VPN service that is accessible only by their own members, to provide access to private resources within that institution. UIS offers a managed, institutional version of the UIS VPN Service to meet this need.

Whether an institutional VPN is required to access a particular local resource is determined by the IT staff within that institution. Users should contact their local IT Support staff for more information.

Information for users on how to configure their clients, covering the differences between the general VPN Service and the Managed VPN Service, is provided below. The list of Managed VPN Services (for each institution) is on a separate page.


What is the Managed VPN Service?

The institutional service uses the same Network Access Tokens as the main UIS VPN service. However, it differs in three ways:

  1. The hostname of the VPN server is different - typically in the domain of the requesting institution (e.g.
  2. The IP addresses issued to connecting clients will come from a known, exclusive range, which institutions can use to provide privileged access to services by permitting it through firewalls or other IP-based access controls. The IP address range can also be inside a private network provided by the MPLS VPN Service.
  3. The users who can access the service are limited to a subset of all users, controlled using an institutionally-managed Lookup group.
  4. Optionally, custom DNS server addresses can be returned (instead of the usual CUDN recursive nameservers) to allow private, internal institutional resources to be accessed (e.g. Active Directories).  A maximum of two servers can be returned.

The service is free to end users, but the service must be subscribed to by an institution – charges are described below.

If you are not able to connect to your institution's managed VPN, as a first action please contact your local Computer Officer, who can check your Lookup group membership.

How can I request a Managed VPN Server?

If you are a Computer Officer, and your institution does not currently have the Managed VPN Service, you may request it via , stating the following, and including a Purchase Order:

  1. What the hostname of the VPN gateway server should be (e.g. This will act as the frontend for the new service.  It needs to be in one of the existing domains allocated to the institution.
  2. We will also create and manage server certificates for this hostname on your behalf - please explicitly state that you are happy for us to do this.
  3. A separate subnet of CUDN-wide IP addresses (either public or private) will need to be allocated for use by the VPN clients.  There are two options here:
    1. A new range of CUDN-wide private IP addresses can be allocated by Hostmaster.  Typically this will be a /24 but institutions should state if this is insufficient or wildly over-sized (to avoid wasting addresses).  Institutions must state the expected number of simultaneous clients; if more clients attempt to connect, they will be refused.
    2. Alternatively, if your organisation has its own block of IP addresses, you may elect to subnet off a routable block of these, rather than have a separate range assigned by Hostmaster. This may involve some reconfiguration of the routing between your institutional network and the CUDN.  Note that this cannot be part of an existing subnet which is already routed at an institution, unless that subnet is freed up to be moved for the VPN service.
  4. Lookup group.  A new group will be created within your institution to control network access (recommended), or we can use one of your existing lookup groups.  Please state which of these you require.
  5. DNS server addresses.  By default, the normal CUDN recursive nameservers' addresses will be supplied to clients, allowing names in to be resolved.  Custom DNS server addresses can be returned instead, to access private internal resources (e.g. institutional Active Directory nameservers).
  6. The routing space to be used for the client range.  The vast majority of managed VPNs use the CUDN default routing space; this only needs to be different if the traffic is to be routed inside an MPLS VPN.
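
A pre-request check of a proposed client range against the sizing and no-overlap conditions in item 3, as an added example (not UIS code). The addresses are constructed, and both the two reserved addresses per range and the "four times too large" threshold are assumptions.

```python
import ipaddress

RESERVED = 2  # assumption: network and broadcast addresses are not issued to clients


def smallest_prefix(expected_clients):
    """Longest IPv4 prefix whose usable addresses cover the expected clients."""
    for prefix in range(30, 7, -1):
        if 2 ** (32 - prefix) - RESERVED >= expected_clients:
            return prefix
    raise ValueError("expected_clients too large for a single IPv4 range")


def check_client_range(client_range, routed_subnets, expected_clients):
    """Return a list of problems with a proposed client range (empty list = OK)."""
    try:
        # strict=True rejects a range written with host bits set, e.g. 10.20.30.1/24
        net = ipaddress.ip_network(client_range, strict=True)
    except ValueError as exc:
        return [f"invalid range: {exc}"]

    problems = []
    usable = net.num_addresses - RESERVED
    if usable < expected_clients:
        problems.append(f"{net} holds {usable} clients but {expected_clients} are "
                        "expected: the extra connections would be refused")
    elif net.prefixlen < smallest_prefix(expected_clients) - 1:
        # Assumed threshold: at least four times the smallest range that fits.
        problems.append(f"{net} is oversized: /{smallest_prefix(expected_clients)} "
                        f"already fits {expected_clients} clients")

    # The client range must not sit inside a subnet the institution already routes.
    for existing in map(ipaddress.ip_network, routed_subnets):
        if net.overlaps(existing):
            problems.append(f"{net} overlaps already-routed subnet {existing}")
    return problems


if __name__ == "__main__":
    routed = ["10.20.0.0/20"]  # constructed: subnets already routed at the institution
    for candidate, clients in [("10.20.30.0/24", 200), ("10.20.8.0/24", 200),
                               ("10.20.30.0/26", 200), ("10.20.30.0/24", 20)]:
        print(candidate, clients, check_client_range(candidate, routed, clients) or "OK")
```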

If the institution requires any changes to access control lists or firewall rules managed by UIS Networks, they should explicitly request those changes, either as part of the same request, or a separate request, once the VPN client range is allocated.

Information on how users should configure their clients is given below.


There is a nominal charge to institutions for this service. This reflects the management requirements and supports expansion of the service as needed. If an institution wishes to make particularly heavy use of the service, this can be supported by prior arrangement.

Prices for the academic year 2015–2016:

Service        Annual Charge
Typical use    £300
Heavy use      POA

In addition to this, traffic between Janet and the managed VPN client range will be included in the total for that institution.

If you are an institutional Computer Officer and are interested in using the Managed VPN Service, please contact the  to discuss your particular requirements. If you decide you would like to use the service, please include an email with your purchase order.

Configuring clients

Configuring client devices to use a Managed VPN Service is largely identical to configuring the general UIS VPN Service: users can simply follow the regular instructions for their client device and operating system, making changes at the appropriate point during the setup:

  1. The hostname of the VPN server changes from to (usually) (i.e. the "uis" part changes for the domain name of their institution).
  2. The server certificate is different (as it contains the hostname of the VPN server) and an alternative one must be installed on platforms which require it.  Currently this applies only to the built-in client on Android.
  3. Apple devices which use a connection profile — both iOS and OS X (although not Yosemite, due to a bug) — require a different profile due to the hostname being different.

Different platforms require different settings and no platform will require all of the above settings to be different.

A list of Managed VPN Services, their hostnames, certificates and Apple profiles is available on a separate page.

Configuring firewalls/routing/servers

The client range will be routed onto the CUDN via the VPN gateway from outside the institutional network: clients will not directly appear inside an institutional network (such as on an internal VLAN).  As such, this range will typically come in from the 'untrusted' or 'outside' of the institutional firewall and need to be permitted through it, as required by the institutional policies.

Alternatively, the MPLS VPN Service can be used to route the client range as part of the 'inside' of an institutional network.  There are two caveats:

  • The clients will still be on a separate subnet/VLAN from any of those used by the institution — they cannot be directly dropped on to an existing subnet.
  • The address range used for the VPN clients cannot be institution private: it must either be CUDN-wide private or global.

If this service is used, the VPN server end of the setup will be treated as another 'site' belonging to the institution for the purposes of charging; if the institution does not already have an MPLS VPN set up, they will need to also pay for the home site side of the setup.

Last updated: 20th September 2018

