The Cisco VPN (Virtual Private Network) at UVa

Secure Access to UVa Resources

[Nov 23, 2009 14:09] Web access to Microsoft Live@edu accounts now works.

What is the Cisco VPN?

The Cisco Virtual Private Network (VPN) provides secure, authenticated access to on-Grounds networks and services. This means you can access applications and resources, programs on your own office computer, and other restricted network resources, as if you were sitting directly in front of the computer which provides the resource.

There are now two different VPN clients available. The appropriate one for you depends on your needs and operating system.

  • The Cisco VPN Client (IPSEC connection) works for most Mac OS X clients and 32-bit Windows systems. Required for Mac OS X 10.4.
  • The Cisco AnyConnect Client (SSL connection) is recommended for Mac OS X 10.5 and 10.6 clients, and required for 64-bit Windows and satellite-based systems.

If you are currently connecting with the Cisco VPN Client (IPSEC), there is no compelling reason to change clients. The AnyConnect client is more expensive for the University to operate, and for now there may be rare capacity limits.

How It Works

When connected to the Cisco VPN at UVa, all network traffic between your system and the protected resources at UVa is encrypted to protect it from electronic eavesdropping. For UVa Anywhere, all traffic is sent to UVa over the encrypted connection before being transmitted normally to the final destination. No system is 100% secure, so it is always good to follow best practices in using computers.

To use the Cisco VPN with UVa networks and services, you must use the UVa-specific Cisco VPN software. (Either the Cisco VPN client or the Cisco AnyConnect client as appropriate for your needs.)

Using the Cisco VPN outside the United States: If you plan to take the Cisco VPN out of the country on a computer or plan to download it while abroad, be aware that the U.S. Department of Commerce restricts the export of cryptographic software. The use of the Cisco VPN is also illegal in any of the following countries: Cuba, Iran, Libya, North Korea, Syria, and Sudan.

Installation Instructions

Cisco VPN client (IPSEC)

Follow these installation instructions for the Cisco VPN client.

  1. Determine which version to install.
  2. Download the Installer (Cisco Systems VPN Client) from Software Central.
  3. When prompted, save the Installer to your Desktop.
    • Note: We recommend you remove any previous installations of the Cisco VPN client:
      • In Windows, go through Add or Remove Programs in the Control Panel.
      • On a Macintosh computer, download and run the Cisco VPN Uninstaller from Software Central.
  4. Expand to Install: Double-click the Installer, and follow the prompts as the VPN Installer does the work.
  5. Obtain and install a Personal Digital Certificate.
    • Note: If you are on a Windows computer, we recommend you do this using Internet Explorer.
  6. Follow the instructions for the profile you need:
    • UVa-Anywhere (Oracle Special Services, UVa-More-Secure-Network, Oracle Applications and/or Mercury, UVa-HSCS-VPN are now part of the standard ITC VPN distribution; you can follow the UVa-Anywhere instructions, substituting one of the other profile selections for UVa-Anywhere)
    • Joint VPN/iKey

Cisco AnyConnect client (SSL) - Recommended for Mac OS X, Required for 64-bit Windows and Satellite connections

  1. If your Windows computer does not have Java installed, download the latest from Sun Microsystems.
  2. You will need to have a current, valid digital certificate installed in the standard location for your operating system. This can be most easily accomplished by running the Network Setup Tool.
  3. Mac OS users will need to change a setting on the digital certificate once installed. (This step will be removed when the next version of the Network Setup Tool is released for Mac OS.) For now, to make the changes required:
    1. Open the Keychain Access Application.
    2. Click on My Certificates.
    3. In the right-hand window, find your newest certificate, control-click on it, and choose "New Identity Preference..."
    4. In the Location or Email box, enter the URL for the profile as given in the VPN Profiles table. NOTE: The trailing / on the URL is mandatory.
  4. Use a web browser to connect to the URL in the table below for the profile you are going to use. For Windows users, if you use IE, detailed step-by-step instructions are displayed. Safari, IE and Firefox (Windows and Mac OS) are known to work. Other browsers may require additional steps to install certificates.
    If the browser displays a screen with the error "UVa Anywhere Access requires a Personal Digital Certificate for authentication.", either no valid digital certificate is available or, for Safari users, the Identity Preference setting contains a typo.

Notes for Windows users:

  1. With any browser, depending on the security settings, you may see a prompt to allow use of a digital certificate, or directing you to choose a digital certificate.
  2. With any browser, you may see the Windows UAC (User Account Control) pop-up requiring that you approve running the installer.
  3. With any browser, you may see an additional window, separate from the UAC window, asking you to approve the running of the Java application.
  4. With Internet Explorer, there may be a one-line message displayed at the top of your browser's content window asking you to approve use of an ActiveX control. Click anywhere in that line except the X at the end, and approve it. For Windows 7 users, this will not work properly and will fall through to the Java-based installer instead.

Notes for Mac OS users:

  1. Users of any browser will need to provide their Mac OS password to allow the installer to run.
  2. Safari users will see a screen telling them a certificate is required. The window below the message may be blank. Click the OK button to continue.

The VPN Profiles

The Cisco Systems VPN Client at UVa hosts six profiles, each having unique requirements and directed towards specific uses. The Cisco AnyConnect client is reached via a URL to the concentrator:

| Profile | Cisco AnyConnect URL | Description |
|---|---|---|
| UVa Anywhere | https://uva-anywhere-1.itc.virginia.edu/ | Provides an off-Grounds connection to restricted resources; e.g., Library resources, UVa Home Directory Service, access to Exchange Server, access to Restricted Departmental servers, etc. |
| Joint VPN | Not yet available | Provides special access for users in the Academic portions of the Health System. Requires additional permissions and is supported by your department's LSP. Your LSP must contact ITC to request access, obtain the hardware identity token, and then assist you with the installation of the iKey software and the configuration of the VPN client. |
| Oracle Applications and/or Mercury | Not yet available | Provides secure access for users to access sensitive data. Requires additional permissions. |
| Oracle Special Services | Not yet available | Focuses on users who have been granted a special level of access to the Integrated System. Requires additional permissions. |
| UVa-HSCS-VPN | Not planned ? | Provides secure access to the Hospital network. |
| UVa-More-Secure-Network | https://moresecure-vpn-1.itc.virginia.edu/ | Provides an additional layer of security within the University network. Requires additional permissions. |

© 2009 by the Rector and Visitors of the University of Virginia.
