About the Virtual Private Network (VPN)

1 Why use a VPN?
2 Advantages of a VPN
- 2.1 Simple to use
- 2.2 Connection security
- 2.3 Improved campus-wide strategy for IT security
3 Using the VPN
- 3.1 Accessing campus network resources
- 3.2 Settings at a glance
- 3.3 Two-factor authentication
- 3.4 Installation guides
  - 3.4.1 Common operating systems
  - 3.4.2 Mobile devices
4 Accessing subscription-based resources through the VPN
5 What's the difference between a VPN and "remote desktop"?
6 Technical details for support staff
- 6.1 Client-side modifications

Why use a VPN?

Off-campus computers are subject to various network restrictions:

uWaterloo network border policies prevent certain high-risk network traffic, such as Windows file-sharing (getting at your "network drive") and Unix/Linux X-Windows protocols.
Some website and other network resources are restricted to uWaterloo computers only.
There are certain computer systems on campus that use "private addresses" that are restricted to use on campus.
Consumer Internet Service Providers (ISPs) sometimes implement restrictions on the kind of traffic that can be transmitted, or impose limits (such as email message size).

A VPN connection bypasses these restrictions by making the client appear as if it were on campus. The VPN provides a private address on Waterloo's network in the local General VPN IPv4 or IPv6 range.

For IST-managed Windows machines that are being used at home, the VPN is required in order for:

Windows and other software licenses to continue working
SCCM updates to be deployed to help prevent issues and vulnerabilities

Advantages of a VPN

The most apparent advantage of the VPN is that it allows users off-campus to connect to network resources such as network drives.

Simple to use

Once the VPN connection is started, it works in the background to manage all traffic between the off-campus computer and the campus resources. There is no need to start special file-transfer programs or other software to get at campus resources. Only traffic destined for the University of Waterloo goes through the campus VPN "tunnel". Traffic from your computer to other Internet sites does not go through our VPN.

Connection security

VPN connections are encrypted end-to-end, using the same Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption that secure websites use. This means that email, file sharing, web browsing, calendars - all of the data between the off-campus and on-campus computers - is encrypted and secure.

Improved campus-wide strategy for IT security

With the campus VPN in place, it is now possible for IT managers on campus to be more pro-active in securing services. In particular, websites that provide sensitive services can be restricted to campus addresses only, and off-campus access can be provided through the authenticated VPN connection.

Using the VPN

Accessing campus network resources

Most users will need to install the VPN client software in order to get access to all campus network resources. In this case, you would run the Cisco Secure client software before attempting to access the resource. For example, you would start the VPN client before running site-licensed software on your laptop that needs to connect to the University's license server, or before starting your Remote Desktop client.

Settings at a glance

If you already have the Cisco VPN client installed, you can use the following settings to connect:

Server/connect to address: cn-vpn.uwaterloo.ca
Username: WatIAM ID
Password: WatIAM password

Two-factor authentication

In the second password field, enter 'push' if using DUO mobile, enter a code if using a token

Installation guides

Guides are located in the Confluence knowledge base

Common operating systems

Install the VPN client on Windows OS (applies to IE, Edge, Firefox, and Chrome)
Install the VPN client on Mac OS X
Connecting to VPN on Linux (Ubuntu)

Mobile devices

Accessing subscription-based resources through the VPN

The UWaterloo Library and some academic departments have subscriptions for electronic journals and other online resources. In most cases, access to these resources is restricted to on-campus Internet Protocol (IP) addresses.

The VPN technology cannot circumvent this practice directly. When using the VPN from home or elsewhere, traffic to the electronic resource website (for example, a journal website) will not be sent through the VPN because the resource is not on campus. Instead, the VPN client sends requests in the "usual" way for the off-campus system. This will appear to be from an address that is not a UWaterloo IP address, and so access is typically not automatically granted as it would be for an on-campus computer.

Fortunately, the UWaterloo Library has a portal web page that VPN users can use to access most subscription and licensed/restricted-access resources. From there you can reach all of the subscription-based resources that are available to the library.

What's the difference between a VPN and "remote desktop"?

Many people already connect to campus network resources by using Remote Desktop (RDP) to connect to their campus workstation from off-campus.

RDP works by transmitting the video (and sometimes sound) signals from the on-campus system to the off-campus system and then transmitting keyboard and mouse signals from off-campus to the on-campus system.
RDP provides some security, but with a VPN, the entire traffic stream is encrypted to the same degree as a secure website ("https" or SSL/TLS encryption).
RDP is a Windows-based product for connecting to Windows computers and terminal servers. There are clients for Mac or Linux users to connect to Windows computers as well.

RDP is now blocked at the campus boundary. When you need to use RDP, a VPN connection must be established first using the Cisco Secure client (obtained from campus VPN website). Instructions for obtaining and installing the Cisco Secure client are outlined above.

Technical details for support staff

Client-side modifications

The Secure client installs as a networking pseudo-device, e.g. "Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64" for 64-bit Windows devices.
The client pseudo-device will be assigned an address in the local General VPN IPv4 or IPv6 range.
The DNS name associated with the dynamic IP address will be vpn-uw-general-IP-address.dynamic.uwaterloo.ca, for example vpn-uw-general-10-40-0-1.campus-dynamic.uwaterloo.ca.
A split-tunnel routing model is used. Traffic to global IP addresses will be routed via the VPN connection, and all other traffic will use the client's normal default route.
The VPN server will not route any non-Waterloo traffic (i.e. global IP addresses) to an off-campus address. A typical user scenario is that after starting the VPN, they can get to campus addresses, but not anywhere else. In this situation the failure is probably on the client-side with its routing setup.
The number of routing hops to an on-campus address will likely be reduced, although the first hop may take more time.