About the Virtual Private Network (VPN)
Why use a VPN?
Off-campus computers are subject to various network restrictions:
uWaterloo network border policies prevent certain high-risk network traffic, such as Windows file-sharing (getting at your "network drive") and Unix/Linux X-Windows protocols.
Some website and other network resources are restricted to uWaterloo computers only.
There are certain computer systems on campus that use "private addresses" that are restricted to use on campus.
Consumer Internet Service Providers (ISPs) sometimes implement restrictions on the kind of traffic that can be transmitted, or impose limits (such as email message size).
A VPN connection bypasses these restrictions by making the client appear as if it were on campus. The VPN provides a private address on Waterloo's network in the subnet 172.16.36.0/22.
For IST managed Windows machines that are being used at home, the VPN is required in order for:
Windows and other software licenses to continue working
SCCM updates to be deployed to help prevent issues and vulnerabilitiesÂ
Advantages of a VPN
The most apparent advantage of the VPN is that is allows users off-campus to connect to network resources such as network drives.
Simple to use
Once the VPN connection is started, it works in the background to manage all traffic between the off-campus computer and the campus resources. There is no need to start special file-transfer programs or other software to get at campus resources. Only traffic destined for the University of Waterloo goes through the campus VPN "tunnel". Traffic from your computer to other Internet sites does not go through our VPN.
Connection security
VPN connections are encrypted end-to-end, using the same Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption that secure websites use. This means that email, file sharing, web browsing, calendars - all of the data between the off-campus and on-campus computers is encrypted and secure.
Improved campus-wide strategy for IT security
With the campus VPN in place, it is now possible for IT managers on campus to be more pro-active in securing services. In particular, websites that provide sensitive services can be restricted to campus addresses only, and off-campus access can be provided through the authenticated VPN connection.
Â
Using the VPN
Accessing on-campus websites
If you only need to access on-campus websites, using the VPN can be done without installing any software on your home computer. You can use the VPN website to access other websites.
Accessing campus network resources
Most users will need to install the VPN client software in order to get access to all campus network resources. In this case, you would run the Cisco AnyConnect client software, then do what you need to do to access the resource. For example, you would start the VPN client before running site-licensed software on your laptop that needs to connect to the University's license server, or before starting your Remote Desktop client.
Settings at a glance
If you already have the Cisco VPN client installed, you can use the following settings to connect:Â
Server/connect to address:Â cn-vpn.uwaterloo.ca
Username:Â WatIAMÂ ID
Password:Â WatIAM password
Two-factor authentication
In the second password field, enter 'push' if using DUO mobile, enter a code if using a token
Installation guides
Guides are located in the Confluence knowledge base
Common operating systems
Install the VPN client on Windows OSÂ (applies to IE, Edge, Firefox, and Chrome)
Mobile devices
Â
Accessing subscription-based resources through the VPN
The UWaterloo Library and some academic departments have subscriptions for electronic journals and other online resources. In most cases, access to these resources is restricted to on-campus Internet Protocol (IP) addresses.
The VPN technology cannot circumvent this practice directly. When using the VPN from home or elsewhere, traffic to the electronic resource website (for example, a journal website) will not be sent through the VPN because the resource is not on campus. Instead, the VPN client sends requests in the "usual" way for the off-campus system. This will appear to be from an address that is not a UWaterloo IP address, and so access is typically not automatically granted as it would be for an on-campus computer.
Fortunately, the UWaterloo Library has a portal web page that VPN users can use to access most subscription and licensed/restricted-access resources. From there you can reach all of the subscription-based resources that are available to the library.
What's the difference between a VPN and "remote desktop"?
Many people already connect to campus network resources by using Remote Desktop (RDP) to connect to their campus workstation from off-campus.
RDP works by transmitting the video (and sometimes sound) signals from the on-campus system to the off-campus system and then transmitting keyboard and mouse signals from off-campus to the on-campus system.
RDP provides some security, but with a VPN, the entire traffic stream is encrypted to the same degree as a secure website ("https" or SSL/TLS encryption).
RDP is a Windows-based product for connecting to Windows computers and terminal servers. There are clients for Mac or Linux users to connect to Windows computers as well.
RDP is now blocked at the campus boundary. When you need to use RDP, a VPN connection is simply established first, using the Cisco AnyConnect client (obtained from campus VPN website), then the RDP connection is established as before. Instructions for obtaining and installing the Cisco AnyConnect client are outlined below.
Technical details for support staff
Client-side modifications
The AnyConnect client installs as a networking pseudo-device, e.g. "Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64" for 64-bit Windows 7.
The client pseudo-device will be assigned an address in the 172.16.36.0/22 range.
The DNS name associated with the dynamic IP address will be IP-address.dynamic.uwaterloo.ca, for example 172-16-36-55.dynamic.uwaterloo.ca.
A split-tunnel routing model is used. Traffic to 129.97.0.0/16, 172.16.0.0/12, fd74:6b6a:8eca::/47, and 2620:101:f000::/47 will be routed via the VPN connection, and all other traffic will use the client's normal default route.
The VPN server will not route any non-Waterloo traffic (i.e. destination networks 129.97.0.0/16, 172.16.0.0/12, fd74:6b6a:8eca::/47, and 2620:101:f000::/47) to an off-campus address. A typical user scenario is that after starting the VPN, they can get to campus addresses, but not anywhere else. In this situation the failure is probably on the client-side with its routing setup.
The number of routing hops to an on-campus address will likely be reduced, although the first hop may take more time.