ACCC Virtual Private Network (VPN) Gateway and Cisco VPN Clients

ACCC has installed a VPN gateway for use of UIC faculty, staff and students that need secure access to resources at UIC over a non-UIC Internet connection.

To use the VPN gateway, you will need the Cicso VPN client. The Mac and Windows versions are available at no charge from the Webstore.

While connected to the VPN gateway, the client software works with the operating system to determine when you are accessing an Internet location that the client should protect. When you are accessing such a location, the VPN client encrypts the data and sends it to ACCC's VPN gateway. As your information is flowing across the Internet to reach UIC, it is securely encrypted and is only decrypted once it reaches the VPN gateway.

For example, if you are at home and have started the VPN client to connect to the gateway (this is technically referred to as a tunnel) and use your Web browser to visit www.uic.edu, the portions of the connection that are encrypted are:

• The Web browser request to browse www.uic.edu until it reaches the VPN gateway.
• The Web page results from www.uic.edu after they are passed through the VPN gateway.

The web browser request from the VPN gateway to www.uic.edu and the reply from www.uic.edu to the VPN gateway would not be encrypted.

• If you are doing any sensitive work that requires any information to be sent to UIC computers and this information isn't encrypted some other way, this would be a good way to protect that information as it travels over the Internet.

• Also, some protocols are disabled at the UIC border which means that you cannot access these from off campus. Microsoft Exchange email servers and on-campus Windows file shares are both blocked at the UIC-to-Internet border. The VPN is a solution in these instances as the traffic from your home computer is securely tunneled past these blocks. NOTE that in order for the VPN gateway to be of use to get around these port blocks, the administrator of the server at UIC must have specifically requested the ACCC Security office (security@uic.edu) to allow this traffic.

To use the VPN gateway, you must download and install the VPN Client from the Webstore.

• You may be presented with some warnings that say that the VPN drivers are not signed. You should select the "Continue Anyway" button to proceed.
  
  
• The new Mac client requires Mac OS X 10.4 or above. For details on installing and using the Mac client, see Details of the Mac VPN Installation.
  
  
• If you are running a firewall (firewalls are built into Windows XP, Windows Vista, and Mac OS X), you should not have problems running the Cisco VPN client. The transport protocol it is set up to use ( IPSec over UDP ( NAT / PAT ), if you are interested) negotiates to find an open port to use.

Installing just means double-clicking on the downloaded file and following the installer's instructions.

But, some people installing the client on Vista are having problems with the uicvpn.pcf profile file not loading. The profile is in the .zip file, all you have to do is:

1. Double-click on the install .zip file to expand it.
2. Copy the uicvpn.pcf file from the expanded .zip file to C:\Program Files\Cisco Systems\VPN Client\profiles
   
3. Make sure that the copied uicvpn.pcf file is not read-only. Right-click on it's name in Windows explorer and select Properties. Change it if it is. That should take care of it.
4. Open the VPN client. If the profile doesn't come into the VPN client automatically, you can import it: Connection Entries then Import.....

The Cisco Mac OS X and Windows VPN clients work and look the same (given the stylistic differences between Windows and Macs).

1. To get started:
   • Windows: Open the VPN Client from the Start menu.
   • Macs: Start the VPNClient in the Mac OS X applications folder.
     
     
2. Click the Connection Entries tab and double-click the uicvpn profile, or click on the uicvpn profile to highlight it and click the Connect button.
   
   
3. Type your netid in the Username: box and your ACCC common password in the Password: box and click OK or press Enter. The client will remember your netid after the first time you use it.
   
   
4. You can verify that a session is being encrypted by the appearance of the Disconnect button on the VPN Client Window; the time you've been connected is shown at the bottom right of the screen. Click on the arrow beside the time display to see the bytes in and out and your IP address.

To stop the VPN session, open the VPN client window, and click on the Disconnect button.

Figure 2: Connected Cisco VPN Client -- This is the Mac OS X client; the Windows client looks exactly the same, in a Windows sort of way. Notice that connect time in the lower right corner of the screen. The Disconnect button is the first button on the left. There is also a Status menu and a Log tab.

Some Windows tips:

• You can verify that the session is encrypted by looking for the lock icon in the system tray. If the lock is closed, then the VPN session is active and the traffic to UIC is being encrypted. If the lock is open, then the VPN session is not active and your traffic is not being secured.
• To stop open the Windows VPN client window, double click on the lock icon in the system tray.

Having problems?

• For more information, try Carnegie Mellon University's Troubleshooting Cisco VPN.

• uillinois.edu (64.22.184.0 network)
• uillinois.edu (64.22.176.0 network)

The Cisco has complete documentation for their VPN client software available online:

• Cisco VPN Client User Guide for Windows, Release 4.0
• Cisco VPN Client User Guide for Mac OS X, Release 4.0
• Cisco VPN Client Q&A