pub:conf-vpn-out-en

Differences

These are the differences between the selected revision and the current version of the page.

pub:conf-vpn-out-en [2015/10/08 10:25] m.fiorazzo@unitn.it | pub:conf-vpn-out-en [2021/04/14 07:48] (current version) m.fiorazzo@unitn.it
Line 1: Line 1:
 ====== Instructions for the VPN-OUT UNITN service ====== ====== Instructions for the VPN-OUT UNITN service ======
  
-**NOTE:** for MacosX Yosemite only Junos Pulse is supported\\ +The VPN-OUT service allow you to access the Unitn intranet from remote locations and to access internet resources using a public UniTN ip address.
-**NOTE2:** after the upgrade to MacosX El Capitan it may be necessary to delete the Junos Pulse connection and recreate it from scratch+
  
-The VPN-OUT service allows access to internal resources of the University network from external locations. +  * **WARNING**: Students can connect to VPN-OUT only from external networks, not from Unitn networks.
-All the Internet traffic flows as it was generated by an UniTN internet address.+
  
-It is based on SSL encryption.+To use the VPN-OUT service you have to follow the general VPN instructions [[pub:conf-vpn-paloalto-en|Configurazione VPN di Ateneo]] but, when required, you have to use the connection URL:
  
-For the usage and configuration, visit the right section:+<code>https://vpn-out.icts.unitn.it</code>
  
-^Operating System^Supported Client^Instructions^ +instead of <code>https://vpn.icts.unitn.it</code>
-|Linux|Network Connect|[[pub:conf-vpn-out-en#windows_mac_linux_pcs|Network Connect]]| +
-|Linux from command line (shell)|Network Connect|[[pub:conf-vpn-out-en#using_the_network_connect_client_from_the_command_line_linux|Network Connect (command line)]]| +
-|Macosx, Windows|Junos Pulse|[[pub:conf-vpn-out-en#macosx_109_maverick_windows_junos_pulse|Junos Pulse]]| +
-|Mobile Devices (Smartphone & Tablet)|Junos Pulse|[[pub:conf-vpn-out-en#mobile_devices|Junos Pulse App]]|+
  
  
-===== Windows / MAC / Linux PCs =====+===== VPN-OUT properties =====
  
-==== Installing the Network Connect client ====+==== traffic flow ====
  
-Before being able to use the service, you need to install the "Network Connect" client.+All the traffic will flow in the SSL tunnel and the internet traffic is NATTED with a UniTN public ip address.
  
-** NOTE: ** 
-  * ** Before starting, it is recommended the elimination of the old vpn connection (if any)  ** 
-  * ** The PC must have a correct proxy configuration: proxy automatically configured by http://proxypac.unitn.it (internal networks) or no proxy (external networks ES: home ADSL) ** 
- 
-To install "Network Connect" on your PC there are 2 possible ways: 
- 
-=== 1) MANUAL MODE === 
- 
-**REQUISITES:** 
-  * Administrator rights (Windows), root privileges (Linux / Mac) 
- 
-**INSTRUCTIONS:** 
-  * Manually download, from the links below, the "Network Connect" client suitable for your operating system: \\ 
- 
-^Operative System^Download link^ 
-|Windows 32bit|[[https://wiki.unitn.it/_media/pub:vpn:ncinst.exe|Network Connect 8.0R11 (build 36363)]]| 
-|Windows 64bit|[[https://wiki.unitn.it/_media/pub:vpn:ncinst64.exe|Network Connect 8.0R11 (build 36363)]]| 
-|Linux|[[https://wiki.unitn.it/_media/pub:vpn:ncui-7.3r3.i386.rpm|Network Connect 8.0R11 (build 36363)]]| \\ 
- 
-For Mac and Safari: Warning !!! Be sure that your browser is saving the file with .dmg extension (and not .exe) as "networkconnect.dmg". \\ 
- 
-^Operative System^Download link^ 
-|Mac OS X|[[https://wiki.unitn.it/_media/pub:vpn:networkconnect.dmg|Network Connect 8.0R11 (build 36363)]]| 
- 
- 
-  * Run the downloaded installation package on your PC 
-  * NB: you will need Administrator rights (Windows), root privileges (Linux / Mac) 
- 
-=== 2) "WEB" MODE === 
- 
-**REQUISITES:** 
-  * Administrator rights (Windows), root privileges (Linux / Mac) 
-  * Browser with Java JRE 6 or higher installed and running 
-      * after Java 7u51 update, you need to add a security exception in the Java Control Panel under "Security=>Exeption Site list” and add the URL https://vpn-ssl.unitn.it to the exceptions list. 
-      * Verification and updating Java installation: http://www.java.com/it/download/testjava.jsp  
-      * Java installation instructions: http://www.java.com/it/download/help/download_options.xml 
-      * For Ubuntu Linux + Firefox you have to install the IcedTea-Web Plugin (via Firefox Add-ons Manager) and OpenJDK 6 or 7 (via apt-get see below) 
- 
-**NOTE FOR LINUX 64bit:** 
-  * Linux 64bit is currently only supported with 32bit client then you also need the 32bit Java version 
-  * On Ubuntu Linux 64bit (12.0.4) you have to install the openjdk 6 or 7 (32bit) with this command: "sudo apt-get install openjdk-6-jre:i386" or "sudo apt-get install openjdk-7-jre:i386" 
- 
-**INSTRUCTIONS:** 
-  * Connect with a browser at [[https://vpn-ssl.unitn.it/vpn-out]], logging in with your credentials of the university. 
-  * click on "Start" near the "Network Connect" entry 
- 
-{{:pub:vpn:start.png?1200|}} 
- 
-  * "Network Connect" will be installed and run on the client PC (agree to the changes and accept all security warnings if any) 
- 
-**ONLY FOR WINDOWS:** 
-  * To confirm the connection, in the notification area at the bottom right (next to clock) you will see a icon like this: {{:pub:vpn:nc-icon.png|}} \\ 
- 
- 
-==== Using the Network Connect client ==== 
- 
-Once the Network Connect client has been installed with one of the previous mode, for further connections, simply launch Network Connect application on your PC, a connection window appears: 
- 
-** NOTE: ** 
-  * ** Before starting, it is recommended the elimination of the old vpn connection (if any)  ** 
-  * ** The PC must have a correct proxy configuration: proxy automatically configured by http://proxypac.unitn.it (internal networks) or no proxy (external networks ES: home ADSL) ** 
- 
-At this point, just perform these 3 simple steps: 
- 
-  - Insert the connection URL (Sign-in Page): **<nowiki>https://vpn-ssl.unitn.it/vpn-out</nowiki>** (if not already present) 
-  - Enter username and password (University credentials) 
-  - Click "Login" 
- 
-{{:pub:vpn:nc_vpn-out.png?450|}} 
- 
-In a few seconds you will be connected to the VPN session. 
- 
-**ONLY FOR WINDOWS:** 
-  * To confirm the connection, in the notification area at the bottom right (next to clock) you will see a icon like this: {{:pub:vpn:nc-icon.png|}} 
-  * By double clicking the icon, you can view the connection information: 
- 
-{{:pub:vpn:vpn-ssl-status.png|}} 
- 
-**NB: ** you can always make the connection by accessing via browser by repeating the steps above in the section  **1) "WEB" MODE ** 
- 
-===== Using the Network Connect client from the command line (Linux) ===== 
- 
-After the succesful installation of Network Connect, you can connect directly from the command line, the files are in the directory /home/user/.juniper_networks/network_connect\\ 
- 
-if you can't find this directory, you can download and extract this archive: {{:pub:vpn:nc.tgz|}} 
- 
-Follow this procedure (tested on Ubuntu 64bit 12.0.4):\\ 
- 
-  * 1) move to the directory /home/user/.juniper_networks/network_connect (or where you have extracted the archive) and check the files: 
- 
-<code> 
-user@linux:home/user# cd .juniper_networks/network_connect 
-</code> 
- 
-  * 2) Download the ssl vpn certificate (check if the file "certificato_vpn-ssl.crt" is already present in your directory first) 
- 
-<code> 
-user@linux:home/user/.juniper_networks/network_connect# openssl s_client -connect vpn-ssl.unitn.it:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > certificato_vpn-ssl.crt 
-</code> 
- 
-  * 3a) to establish the connection with the control applet (insert the password when required): 
- 
-<code> 
-user@linux:home/user/.juniper_networks/network_connect# /usr/lib/jvm/java-6-openjdk-i386/bin/java -jar NC.jar -h vpn-ssl.unitn.it -u username@unitn.it -f certificato_vpn-ssl.crt -r AR-unitn-ldap-ad -U https://vpn-ssl.unitn.it/vpn-out 
-Searching for ncsvc in current working directory done 
-Password: 
-</code> 
- 
-  * 3b) to establish the connection in "silent" mode, without control applet (insert the password when required): 
- 
-<code> 
-user@linux:home/user/.juniper_networks/network_connect# ./ncsvc -h vpn-ssl.unitn.it -u username@unitn.it -f certificato_vpn-ssl.crt -r AR-unitn-ldap-ad -U https://vpn-ssl.unitn.it/vpn-out 
-Password: 
-Connecting to vpn-ssl.unitn.it : 443 
-</code> 
- 
-  * 4) Check and verify the connection status: 
- 
-<code> 
-user@linux:home/user/.juniper_networks/network_connect# ip addr show tun0 
-8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500 
-    link/none  
-    inet 10.31.0.36/32 scope global tun0 
-</code> 
- 
-===== MACOSX 10.9 Maverick, Windows (Junos Pulse) ===== 
- 
-As an alternative to Network Connect, for MACOSX (>10.6) and Windows it is possible to download and use Junos Pulse following the instructions below (screenshots taken from MACOSX 10.9)\\ 
- 
-**NB: for MacOSX 10.9 Maverick Junos Pulse is the ONLY supported client** \\ 
- 
-^Junos Pulse Download^ 
-|{{:pub:vpn:j-pulse-mac-4.0r8.0-b42127-installer.dmg|MACOSX (>= 10.6) Junos Pulse 4.0.8.42127}}| 
-|{{:pub:vpn:junospulse.x86.msi|Windows XP, Vista and Windows 7 (32bit) Junos Pulse 4.0.8.42127}}| 
-|{{:pub:vpn:junospulse.x64.msi|Windows XP, Vista and Windows 7 (64bit) Junos Pulse 4.0.8.42127}}| 
- 
-For Mac and Safari: Warning !!! Be sure that your browser is saving the file with .dmg extension (and not .exe) as "pulse.dmg". \\ 
- 
-After the installation, launch the Junos Pulse Application, the main screen appears:\\ 
- 
-{{:pub:vpn:1_pulse_avvio.png|}} 
- 
-Create a new connection by clicking the '+' sign and entering the following parameters:\\ 
- 
-{{:pub:vpn:2_pulse_crea_connessione.png|}} 
- 
-To start the connection, click on <Connect>\\ 
- 
-{{:pub:vpn:3_pulse_connetti.png|}} 
- 
-Fill the form with the username (@unitn.it) and password:\\ 
- 
-{{:pub:vpn:4_pulse_password.png|}} 
- 
-The connection is etablished, you can stop the vpn clicking on <Disconnect>\\ 
- 
-{{:pub:vpn:5_pulse_connessione_ok.png|}} 
- 
-On the top you can see the Junos Pulse menu bar with the status icon:\\ 
- 
-{{:pub:vpn:6_pulse_bar.png|}} 
- 
-You can show a status window from File->Connections->Advanced Connection Details...\\ 
- 
-{{:pub:vpn:7_pulse_connessione_ok_status.png|}} 
- 
-It is possible to verify the assigned vpn ip from a terminal window with the 'ifconfig' command:\\ 
- 
-<code> 
-MAC user$ ifconfig 
-lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 
-.... 
-.... 
-utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400 
- inet 10.31.101.10 --> 10.31.101.10 netmask 0xffffffff  
- 
-</code> 
- 
-===== Mobile Devices ===== 
- 
-**REQUISITES** 
-  * iPhone, iPod Touch, iPad (iOS 5.0,4.3.x,4.2.x or higher) 
-  * Android devices 4.0 or higher 
-  * Windows Mobile 6.5 
- 
-**INSTRUCTIONS:** (screenshots related to Android version 4.1.2) 
-  * Install the app "Junos Pulse" from ther App Store or Google Play 
-  * Start the application "Junos Pulse" 
- 
-{{:pub:vpn:screenshot_2013-03-01-13-05-09.png?200|}} 
- 
-  * Create a new connection by entering: 
-    * "Connection Name" (your choice) 
-    * "URL": https://vpn-ssl.unitn.it/vpn-out 
-    * "User Name" (in the form username@unitn.it) 
-    * Touch on "Create Connection" 
- 
-{{:pub:vpn:screenshot_2013-03-01-13-06-42_2.png?200|}} 
- 
-  * Tap on "Connect", enter your password and select "Sign In" (possibly accept the warning about security and trusted application) 
- 
-{{:pub:vpn:screenshot_2013-03-01-13-07-12.png?200|}} 
-{{:pub:vpn:screenshot_2013-03-01-13-07-45.png?200|}} 
-{{:pub:vpn:screenshot_2013-03-01-13-08-00.png?200|}} 
- 
-  * At this point the connection is established, verifiable by a touch on "Status" 
- 
-{{:pub:vpn:screenshot_2013-03-01-13-08-09.png?200|}} 
-{{:pub:vpn:screenshot_2013-03-01-13-08-17.png?200|}} 
- 
-  * At the end of the session, to end the connection, tap on "Disconnect" 
- 
-===== Features of vpn-ssl service ===== 
- 
-==== IP addresses assigned to the clients ==== 
- 
-To connected vpn clients is assigned an ip in the range from 10.31.0.10 to 10.31.0.254 
- 
-==== "split-tunnel" mode ==== 
- 
-The VPN connection provides traffic directed to intranet IP using the VPN tunnel while traffic to other networks (eg Internet) is provided by standard client connection (eg ADSL at home). 
- 
-NB: the routing change doesn't affect the already "established" connections at the moment of the connection 
-==== User-side Firewall rules ==== 
- 
-VPN traffic is encrypted in SSL and uses TCP destination port 443. For the ESP mode (which increases performance) you must open the UDP destination port 4500 too. 
- 
-==== Supported clients ==== 
- 
-^Platform^SO^Browsers and Java Environment^ 
-|Windows|- Windows 8 on 32-bit or 64-bit platforms.- Windows 8 Enterprise on 32-bit. \\ - Windows 7 on 32-bit or 64-bit platforms \\ - Windows 7 SP1 Enterprise on 32-bit \\ - Windows Vista on 32-bit or 64-bit platforms \\ - Windows XP with SP3 on 32 bit|- Internet Explorer 10 \\ - Internet Explorer 9.0 \\ - Internet Explorer 8.0 \\ - Internet Explorer 7.0 \\ - Firefox 3.0 and above including FF10 \\ - Oracle JRE 6 and above| 
-|Mac|- Mac OS X 10.6.x, 32 bit and 64 bit \\ - Mac OS X 10.7.x, 32 bit \\ - Mac OS X 10.8.x, 32 bit|- Safari 6.0 Sun JRE 6 \\ - Safari 5.1 Sun JRE 6 \\ - Safari 5.0 Sun JRE 6| 
-|Linux|- OpenSuse 10.x and 11.x \\ - Ubuntu 9.10, 10.x and 11.x \\ - Red Hat Enterprise Linux 5|- Firefox 3.0 and above \\ - Oracle JRE 6 and above| 
-|Solaris|- Solaris 10, 32 bit only|- Mozilla 2.0 and above| 
-**NOTE:**\\ \\ 
-1) IE 10 is supported in Windows 8 Desktop Mode on Windows 8\\ 
-2) 32 bit Network Connect is supported only on the following distributions:\\ 
-^Platform^Operating System^Browsers and Java Environment^ 
-|Linux|- Ubuntu 12.04 LTS \\ - OpenSUSe 12.1 \\ - Fedora 17|- FireFox 10-ESR \\ - Oracle JRE 6 and 7 \\ - IcedTea-Web 1.2 with OpenJDK 6 and 7| 
- 
-Other operating systems, browsers and versions of Java, it may work by requiring, in some cases, possible interventions configuration on the client. 
  
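Review bot: The added "traffic flow" section says all traffic goes through the SSL tunnel and that internet traffic is NATted behind a UniTN public address, but the revision also drops the old "split-tunnel" mode section without saying whether split tunnelling still exists for this profile. State it explicitly, because the added intro already says internet resources are reached using a public UniTN address, so users should know their non-university traffic is carried by the tunnel too. The removed "User-side Firewall rules" section (TCP destination port 443, UDP destination port 4500 for ESP mode) and the client address range have no counterpart in the added lines; either restate the current values here or confirm that the linked pub:conf-vpn-paloalto-en page covers them. Wording in the added text: "allow you" should be "allows you", "ip" should be "IP", and the link label "Configurazione VPN di Ateneo" is Italian on an English page.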
pub/conf-vpn-out-en.1444299900.txt.gz · Last modified: 2015/10/08 10:25 by m.fiorazzo@unitn.it