Difference between revisions of "VPN - JHU"

 
(85 intermediate revisions by 3 users not shown)
Line 1: Line 1:
**THIS DOC IS UNDER CONSTRUCTION**
+
==INTRO==
  
==INTRO==
+
:Several JHU IT-based resources require your computer to be connected to the JHU network for access.  For example, JHU-located share drives and certain JHU websites/services.  If you're outside of JHU, for instance, at home or at a hotel, you are not on the JHU network, and therefore, cannot access the JHU Network-only resources.
  
Several JHU IT-based resources require your computer to be connected to the JHU network for accessFor example, JHU-located share drives and certain JHU websites/services.  If you're outside of JHU, for instance, at home or at a hotel, you are not on the JHU network, and therefore, cannot access the JHU Network-only resources.
+
:Enter the '''VPN'''A VPN ('''''V'''irtual '''P'''rivate '''N'''etwork'') is a way to access resources of another network, for example, a business's network, without physically residing on that network.  You can connect to a VPN from home/mobile, and it will look to your computer and to the business's server as if you were on that server's network, even if physically, you're not.
  
Enter the VPN.  A VPN (Virtual Private Network) is a way to access resources of another network, for example, your business's network, without physically residing on that network.  You can connect to a VPN from home/mobile, and it will look to your computer and to the business server as if you were on the business network, even if physically, you're not.
+
:JHU hosts its own VPN.  The JHU VPN will allow JHU users' home/mobile/etc. computers who are ''outside'' of the JHU network to connect to JHU as if they were physically on campus.
  
JHU hosts its own VPN.  The JHU VPN will allow JHU users' home/mobile/etc. computers (home/mobile) who are ''outside'' of the JHU network to connect to JHU as if they were physically on campus.
+
<br>
  
 
==Connecting to the JHU VPN==
 
==Connecting to the JHU VPN==
  
===STEP 1:  Set Up Multi-Factor Authentication===
+
===STEP 1:  Setting Up Multi-Factor Authentication===
 +
 
 +
<!--'''NOTE:  In order for some of the links below to bring you to the correct site, you need to be on the JHU network (or the JHU VPN.)''' -->
  
JHU now requires [http://www.it.johnshopkins.edu/services/directoryservices/jhea/MFA/ Multi-factor Authentication (MFA)] to access some of its services... including the JHU VPN.
+
:JHU requires [https://it.johnshopkins.edu/services/directoryservices/jhea/AzureMFA/AzureLoginMFA '''M'''ulti-'''F'''actor '''A'''uthentication (MFA)] to access some of its services... ''including the JHU VPN''.  JHU uses ''Microsoft Azure'' for providing JHU's Multi Factor Authentication service.
  
(Some further details regarding what MFA is all about can be found [http://www.it.johnshopkins.edu/services/directoryservices/jhea/MFA/Users/index.html here].)
+
:(Besides this page we're providing you, WSE IT has put together a document discussing MFA [http://wseit.engineering.jhu.edu/get-help/multi-factor-authentication here] as well.)
  
You will need to visit the '''''[http://www.it.johnshopkins.edu/services/directoryservices/jhea/MFA/MFA_Instructions/index.html JHU Multi-factor Setup Instructions page]''''' to enroll  your JHED ID to have it work in conjunction with what JHU calls its ''myIT Login Code''.
+
:To get started with MFA, you will need to visit the Azure MFA Resource Center's '''''[https://livejohnshopkins.sharepoint.com/sites/Office365Hub/SitePages/Multi-Factor-Authentication.aspx  Enrollment Page]''''' to enroll. <!-- your JHED ID to have it work in conjunction with what JHU calls its ''myIT Login Code''.-->
  
Once there, please watch the videos on that page, appropriate to your operating system (currently, Windows, Mac.
+
:That page and its video will show you how to enroll your JHED ID with the Azure MFA. The video is very helpful in explaining the process. You are encouraged to watch it all the way through.
  
That page and its videos will show you how to enroll your JHED ID with a myIT Login Code. The videos are very helpful in explaining the process. You are encouraged to watch them all the way through.
+
====Authenticators====
  
As part of the MFA setup process, you will end up having to choose an Authenticator program.  ''Note:'' We have found that for Windows users, the [http://www.it.johnshopkins.edu/services/directoryservices/jhea/MFA/MFA_Instructions/Video%20Pages/WinAuth%20Setup%20Instructions%20for%20Windows WinAuth] program seems to work well for authenticating your MyIT codeDetailed WinAuth instructions in PDF format can be found [http://www.it.johnshopkins.edu/services/directoryservices/jhea/MFA/MFA_Instructions/WinAuth_Instructions.html here])
+
:As part of the MFA setup process, you will end up having to choose an '''authenticator''' method to useThere are several authenticator methods:
  
You will need your ''myIT Login Code'' in order to access the JHU VPN in the next step.  
+
* Text your phone:  When JHU needs you to enter your MFA code during login to JHU's MFA-required pages/apps, they will text your phone with the MFA code that you will use to enter into whatever prompt they send you.
  
<span style="color:#ff0000">'''NOTE:'''  If you have any issues with setting up Multi-factor authentication, ''you must contact'' JHU IT's support helpdesk by phone at 410-516-HELP.</span>
+
* Use an app/program:  Alternatively, you can choose to install an authenticator  program on your computer (or phone.)  The authenticator program, when run, will provide the 6-digit number  to enter when you are prompted at JHU for your MFA code.  JHU suggests you use the Microsoft Authenticator App (for Windows) to generate that numerical code.  You can download Microsoft Authenticator according to instructions from the enrollment process video.  Additionally, you can choose to run other authenticators to run (under Windows) instead, including a program called WinAuth.  Macs, Androids and IPhones have various authenticators available as well.  Note that the codes are generated using time-based factors... so, the code you generate needs to be entered soon (up to a minute) when you are prompted, otherwise, you need to generate another code.
 +
 
 +
:Please install your Authenticator program before continuing.
 +
 
 +
::NOTE: If you want to change your authenticator method or manage your MFA at some point, please first visit the main [https://it.johnshopkins.edu/services/directoryservices/jhea/AzureMFA/AzureLoginMFA Azure MFA page] and then click on ''Manage Azure MFA''.
 +
 
 +
You will need your MFA configured in order to access the JHU VPN in the next step.
 +
 
 +
{{red|'''NOTE:'''  If you have any issues with setting up Multi-factor authentication, ''you should contact'' [https://support.cs.jhu.edu/wiki/Contacting_JHU_IT_Support  JHU IT's support helpdesk]}}
  
 
<br>
 
<br>
  
===STEP 2:  Installing the JHU VPN Client Program, JH Pulse Secure===
+
===STEP 2:  Installing and Running the JHU VPN Client Program, JH Pulse Secure (From Ivanti)===
  
Please visit the [https://cds.johnshopkins.edu/vpn JHU VPN FAQ page.]
+
:Please visit the [https://cds.johnshopkins.edu/vpn JHU VPN Resource page.]
  
Once there, click through each FAQ entry.  
+
:Once there, Under '''VPN Quick Links''' on the right, choose '''Request VPN Access'''.  It's possible you might already have VPN access (and if you think you already do, you can skip below the next step.) {{red|'''NOTE:'''  As of 2020, we're told that you might not need to request VPN access, as access is now granted automatically.}}
  
You'll see that the first ''two'' FAQ entries define ''VPN'' and discuss the ''myIT login code'' (from Multi-factor Authentication.)
+
:Next, below the VPN Quick Links section on that page, you'll find '''VPN CLient Installs (for New VPN Installs).'''  Click on the operating system you're downloading for.  This will download the '''''Ivanti Pulse Secure''''' software that will run on your computer as your gateway to the JHU VPN.
  
The third FAQ entry on that page, ''How do I connect to the VPN with a Windows, Mac or Linux computer?'', provides a [http://www.it.johnshopkins.edu/services/network/VPN/VPNInstructionalVideos  link with videos on how to download and install the VPN client] called '''''JH Pulse Secure''''' that will be used to connect to the VPN.  
+
:Install the Ivanti Pulse Secure package.  
  
On that page, ''Step 1'' once again discusses Multi-factor authentication setupSince you've already done that, you want to start with that page's ''Step 2'' that contains videos for showing how to download and install the VPN client software, JH Pulse Secure'' for your operating system (Windows/MacOS.) Please watch these videos carefully.
+
:Run the Ivanti Pulse Secure programThe following is for a Windows systems running Pulse Secure.  Other operating systems may be similar.
  
Additionally, links to PDFs of step-by-step instructions for doing the VPN client installs are located on that page too for  
+
* Look for ''Connections''.
[http://www.it.johnshopkins.edu/services/network/VPN/Documents/WindowsInstall.pdf Windows] and [http://www.it.johnshopkins.edu/services/network/VPN/Documents/MACInstall.pdf Mac]
+
 
 +
* If for some reason, there are no connections listed, follow the steps directly below...
 +
** Click on the + symbol right next to the word Connections.
 +
** The + sign opens up the '''Add Connections''' section.
 +
***Leave the '''Type''' as is.
 +
***Give the VPN connection a '''Name''' (e.g. ''JHU VPN''), just so you can identify it.
 +
***Then, enter in the '''Server URL'''  (which is basically, the VPN address.  Use '''vpn.''jh''.edu'''  (Notice that it's "jh" and not "jhu" in the server name.)
 +
***Now, click Add, and you should have a new connection ready to go.
 +
 
 +
*Choose the JHU VPN from your list of connections.
 +
 
 +
*Click Proceed
 +
 
 +
* You will be prompted for your JHED credentials.  Enter them.
 +
 
 +
*You'll see '''Enter code'''.  This is where you need your  MFA ''Authenticator'' code from Step 1 above.  So, depending how you set up your MFA, you might receive a code via Text or you might need to run your Authenticator program (e.g., Microsoft Authenticator, WinAuth, etc.) and enter in the 6-digit code it provides you.  
 +
** You MFA code changes every minute, so if you don't type in your code in time, refresh your Authenticator and try the next code it gives you.
 +
 
 +
* Once you enter that code, Pulse Secure will complete making the VPN connection.
 +
 
 +
*When you are done for the work day, go back to the Pulse Secure App and click Disconnect.
 +
**Note that when you are on the VPN, you are now passing all your computer's  network traffic through JHU before it goes out to the rest of the Internet.  When you are done using the VPN, disconnecting from Pulse Secure will allow your computer's network traffic to run through your ISP's network directly out to the Internet (as it normally does.)
 +
 
 +
 
 +
{{red|'''NOTE:'''  If you have any issues with installing or using the JH Pulse Secure (Ivanti) client on your computer, ''you should contact'' [https://support.cs.jhu.edu/wiki/Contacting_JHU_IT_Support  JHU IT's support helpdesk].}}
  
 
<br>
 
<br>
  
===Step 3: Connecting to the JHU VPN with JHU Pulse Secure===
+
==Changing your default JHU VPN authentication Method==
  
Once again, please visit JHU's page on [http://www.it.johnshopkins.edu/services/network/VPN/VPNInstructionalVideos Step by Step Setup Instructions for Connecting with the Pulse Secure VPN]
+
:By default, the new JHU VPN (hosted by Microsoft Azure) seems to make texting your phone the way to provide you your MFA authentication code to use to connect to the VPN.  Some users might want to change from the texting method to using an '''Authenticator app''' (e.g., Microsoft Authenticator, WinAuth, or similar) instead, as it was before JHU moved to using Azure.
 +
 
 +
: To change your default authentication method, simply log into [https://mysignins.microsoft.com/security-info https://mysignins.microsoft.com/security-info] ''Once logged in, if you're not directed directly to the Security Info page, simply click '''Security info''' on the left.''  You'll see a list of your authentication options, and you can change the default option to using a Hardware Token (Authenticator App) instead of the Phone (text) option.  You can also add additional methods if you choose to.
 +
 
 +
{{red|'''NOTE:'''  If you have any issues with setting up your Authenticators, ''you should contact'' [https://support.cs.jhu.edu/wiki/Contacting_JHU_IT_Support JHU IT's support helpdesk]}}
 +
 
 +
<br>
  
Visit Step 3 of that page for getting connecto to the JHU VPN using JH Pulse Secure.  You'll see videos there for your operating system.  Please watch the videos carefully.
 
  
Additionally, links to PDFs of step-by-step instructions for making the VPN connections with the JH Pulse Secure can be located within that step as well.  You'll see links for both [http://www.it.johnshopkins.edu/services/network/VPN/Documents/WindowsInstall.pdf  Windows] client installs are located on that page too for
+
[[Category:Security]]
[http://www.it.johnshopkins.edu/services/network/VPN/Documents/WindowsInstall.pdf Windows] and [http://www.it.johnshopkins.edu/services/network/VPN/Documents/MACInstall.pdf Mac]
+
[[Category:Networking]]
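
Review bot: The added MFA paragraph links the WSE IT document over plain http:// (http://wseit.engineering.jhu.edu/get-help/multi-factor-authentication) while the other links added in this revision use https://; point it at the https:// address if the site serves one, since this is the page users follow to set up authentication. In the added STEP 2 list, the Server URL item opens "(which is basically, the VPN address." and never closes the parenthesis, "You MFA code changes every minute" should read "Your MFA code", and "VPN CLient Installs" has a stray capital.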

Latest revision as of 17:21, 14 October 2024

INTRO

Several JHU IT-based resources, for example JHU-located share drives and certain JHU websites/services, require your computer to be connected to the JHU network for access. If you're outside of JHU, for instance at home or at a hotel, you are not on the JHU network and therefore cannot access the JHU network-only resources.
Enter the VPN. A VPN (Virtual Private Network) is a way to access resources of another network, for example, a business's network, without physically residing on that network. You can connect to a VPN from home/mobile, and it will look to your computer and to the business's server as if you were on that server's network, even though physically you're not.
JHU hosts its own VPN. The JHU VPN allows JHU users' home/mobile/etc. computers that are outside of the JHU network to connect to JHU as if they were physically on campus.


Connecting to the JHU VPN

STEP 1: Setting Up Multi-Factor Authentication

JHU requires Multi-Factor Authentication (MFA) to access some of its services, including the JHU VPN. JHU uses Microsoft Azure to provide its Multi-Factor Authentication service.
(Besides this page we're providing you, WSE IT has put together a document discussing MFA here as well.)
To get started with MFA, you will need to visit the Azure MFA Resource Center's Enrollment Page to enroll.
That page and its video will show you how to enroll your JHED ID with the Azure MFA. The video is very helpful in explaining the process. You are encouraged to watch it all the way through.

Authenticators

As part of the MFA setup process, you will end up having to choose an authenticator method to use. There are several authenticator methods:
  • Text your phone: When JHU needs you to enter your MFA code during login to JHU's MFA-required pages/apps, JHU will text the MFA code to your phone, and you enter it at the prompt.
  • Use an app/program: Alternatively, you can choose to install an authenticator program on your computer (or phone). The authenticator program, when run, will provide the 6-digit number to enter when you are prompted at JHU for your MFA code. JHU suggests you use the Microsoft Authenticator App (for Windows) to generate that numerical code. You can download Microsoft Authenticator according to instructions from the enrollment process video. You can also choose to run other authenticators (under Windows) instead, including a program called WinAuth. Macs, Androids and iPhones have various authenticators available as well. Note that the codes are generated using time-based factors, so the code you generate needs to be entered soon (up to a minute) after you are prompted; otherwise, you need to generate another code.
Please install your Authenticator program before continuing.
NOTE: If you want to change your authenticator method or manage your MFA at some point, please first visit the main Azure MFA page and then click on Manage Azure MFA.

You will need your MFA configured in order to access the JHU VPN in the next step.

NOTE: If you have any issues with setting up Multi-factor authentication, you should contact JHU IT's support helpdesk.


STEP 2: Installing and Running the JHU VPN Client Program, JH Pulse Secure (From Ivanti)

Please visit the JHU VPN Resource page.
Once there, under VPN Quick Links on the right, choose Request VPN Access. It's possible you might already have VPN access (and if you think you already do, you can skip to the next step below). NOTE: As of 2020, we're told that you might not need to request VPN access, as access is now granted automatically.
Next, below the VPN Quick Links section on that page, you'll find VPN Client Installs (for New VPN Installs). Click on the operating system you're downloading for. This will download the Ivanti Pulse Secure software that will run on your computer as your gateway to the JHU VPN.
Install the Ivanti Pulse Secure package.
Run the Ivanti Pulse Secure program. The following is for a Windows system running Pulse Secure. Other operating systems may be similar.
  • Look for Connections.
  • If for some reason, there are no connections listed, follow the steps directly below...
    • Click on the + symbol right next to the word Connections.
    • The + sign opens up the Add Connections section.
      • Leave the Type as is.
      • Give the VPN connection a Name (e.g. JHU VPN), just so you can identify it.
      • Then, enter the Server URL (which is basically the VPN address). Use vpn.jh.edu (notice that it's "jh" and not "jhu" in the server name).
      • Now, click Add, and you should have a new connection ready to go.
  • Choose the JHU VPN from your list of connections.
  • Click Proceed.
  • You will be prompted for your JHED credentials. Enter them.
  • You'll see Enter code. This is where you need your MFA Authenticator code from Step 1 above. So, depending on how you set up your MFA, you might receive a code via text or you might need to run your Authenticator program (e.g., Microsoft Authenticator, WinAuth, etc.) and enter the 6-digit code it provides you.
    • Your MFA code changes every minute, so if you don't type in your code in time, refresh your Authenticator and try the next code it gives you.
  • Once you enter that code, Pulse Secure will complete making the VPN connection.
  • When you are done for the work day, go back to the Pulse Secure App and click Disconnect.
    • Note that when you are on the VPN, you are now passing all your computer's network traffic through JHU before it goes out to the rest of the Internet. When you are done using the VPN, disconnecting from Pulse Secure will allow your computer's network traffic to run through your ISP's network directly out to the Internet (as it normally does.)


NOTE: If you have any issues with installing or using the JH Pulse Secure (Ivanti) client on your computer, you should contact JHU IT's support helpdesk.
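
The expiring codes described under Authenticators and at the Enter code prompt behave like time-based one-time passwords. The following is an added illustration (not JHU's, Microsoft's or Ivanti's code) of why a code typed too late is rejected, assuming RFC 6238 TOTP with HMAC-SHA1. The 30-second step, the number of neighbouring steps a server accepts, the timestamps and the secret (the RFC's published test key) are assumptions, not JHU settings.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the published RFC 6238 test key, not a real enrollment secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def seconds_left(unix_time: int, step: int = 30) -> int:
    """Seconds until the displayed code rolls over to the next one."""
    return step - (unix_time % step)


def verify(secret, code, unix_time, step=30, drift_steps=1):
    """Server-side check (assumed policy): accept the current step plus
    drift_steps on either side. Returns the matching step offset or None."""
    current = unix_time // step
    for delta in range(-drift_steps, drift_steps + 1):
        if current + delta < 0:
            continue
        expected = hotp(secret, current + delta)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return delta
    return None


if __name__ == "__main__":
    shown_at = 1111111109          # constructed timestamp, last second of a step
    code = totp(DEMO_SECRET, shown_at)
    print("code:", code, "valid for", seconds_left(shown_at), "more second(s)")
    typed_at = shown_at + 2        # user finishes typing in the next step
    print("strict server:  ", verify(DEMO_SECRET, code, typed_at, drift_steps=0))
    print("tolerant server:", verify(DEMO_SECRET, code, typed_at, drift_steps=1))
```

A code that arrives after its step has passed only succeeds if the server tolerates neighbouring steps; otherwise the user has to enter the next code, which is the retry behaviour the steps above describe.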


Changing your default JHU VPN authentication Method

By default, the new JHU VPN (hosted by Microsoft Azure) seems to make texting your phone the way to provide you your MFA authentication code to use to connect to the VPN. Some users might want to change from the texting method to using an Authenticator app (e.g., Microsoft Authenticator, WinAuth, or similar) instead, as it was before JHU moved to using Azure.
To change your default authentication method, log into https://mysignins.microsoft.com/security-info. Once logged in, if you're not taken directly to the Security Info page, click Security info on the left. You'll see a list of your authentication options, and you can change the default option to using a Hardware Token (Authenticator App) instead of the Phone (text) option. You can also add additional methods if you choose to.

NOTE: If you have any issues with setting up your Authenticators, you should contact JHU IT's support helpdesk.