Computing and Information Services
Network Group

Virtual Private Networks (VPN)

A trend in remote access to campus via cable modems and ISPs and a grant from the Telecommunications Infrastructure Fund Board (TIFB) have prompted CIS to pursue a solution that will give authorized remote users the same full access to campus resources that on-campus users currently enjoy. This Virtual Private Network (VPN) solution provides secure connections to the campus network, allowing an increase in service to remote users without compromising the security of the campus firewall. There is no direct charge for this service.

Why Should I Use the VPN Service?

The VPN service is useful for remote users (those outside the campus firewall) who need the same level of TCP/IP access to campus resources that they would have if they were directly connected to the campus network. IPX and AppleTalk are not supported. The remote user's traffic is tunnelled past the campus firewall via a software client installed on their computer. This avoids the need to open up exceptions in the firewall for services that remote users wish to access. The result is added convenience for remote users and increased security for system administrators.

If administrators begin to move their remote users over to this service, we strongly encourage them to request the removal of any previously requested exceptions in the firewall. This will increase the overall level of security for the entire campus network.

What Happens if I Don't Use the VPN Service?

Nothing. This is a purely optional service that does not affect any existing procedures or functionality of the campus network. We consider it a value-added service that we encourage customers to take advantage of.

Note to System Administrators

If you have network-based access lists that restrict access to your systems to the campus network (i.e., 128.194.0.0/16 and 165.91.0.0/16), you will need to modify your access list to include 172.16.32.0/19. This is a private network that is being used to allocate the addresses used on the campus network end of the VPN tunnel. In other words, users of the VPN client will appear to be coming from this new network.

If you are doing restrictions by domain name, all of the IP addresses in the 172.16.32.0/19 network will inverse resolve to domain names in the tamu.edu domain.
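One way to check an access list against the change described above is sketched below. This is an added example, not CIS's own tooling: the allow-list format (one CIDR per line), the function names and the sample lists are assumptions constructed for illustration. It reports campus or VPN ranges the list still omits, and flags entries that admit more private address space than the 172.16.32.0/19 pool.

```python
import ipaddress

# Networks named on the page: two campus blocks and the VPN address pool.
CAMPUS = [ipaddress.ip_network(n) for n in ("128.194.0.0/16", "165.91.0.0/16")]
VPN_POOL = ipaddress.ip_network("172.16.32.0/19")

# Constructed sample allow lists (CIDR per line, '#' starts a comment).
OLD_ACL = ["128.194.0.0/16  # campus", "165.91.0.0/16"]
PARTIAL_ACL = OLD_ACL + ["172.16.32.0/20"]   # typo: covers half the pool
WIDE_ACL = OLD_ACL + ["172.16.0.0/12"]       # all of that RFC 1918 block
FIXED_ACL = OLD_ACL + ["172.16.32.0/19"]


def uncovered(required, allowed):
    """Return the parts of `required` that no entry in `allowed` permits."""
    remaining = [required]
    for net in allowed:
        rest = []
        for piece in remaining:
            if piece.subnet_of(net):
                continue                      # fully permitted by this entry
            if net.subnet_of(piece):
                rest.extend(piece.address_exclude(net))  # partly permitted
            else:
                rest.append(piece)            # disjoint from this entry
        remaining = rest
    return sorted(ipaddress.collapse_addresses(remaining))


def audit(acl_lines):
    """Report required ranges the list omits and entries wider than the pool."""
    allowed = []
    for line in acl_lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            allowed.append(ipaddress.ip_network(entry))
    missing = []
    for required in CAMPUS + [VPN_POOL]:
        missing.extend(uncovered(required, allowed))
    # An entry that contains the pool but is larger also admits private
    # addresses outside the range handed to VPN clients.
    too_broad = [n for n in allowed if n != VPN_POOL and VPN_POOL.subnet_of(n)]
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    for name in ("OLD_ACL", "PARTIAL_ACL", "WIDE_ACL", "FIXED_ACL"):
        print(name, audit(globals()[name]))
```

A list is in the intended state when both "missing" and "too_broad" come back empty, as they do for FIXED_ACL.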

If you have upgraded your machine to Windows XP Service Pack 2, you may run into an issue with needed ports being blocked by the Microsoft firewall. This will cause the VPN client to no longer work. To fix this, a rule will need to be added to the Microsoft firewall to allow UDP port 62515. This can be added either through the firewall GUI by adding an Exception rule, or you can add it by entering the following command from a DOS prompt:

netsh fi add port UDP 62515 "Cisco VPN Service" enable all

VPN Login and Password

Access to the VPN resource is granted with the use of your NetID and password. For more information on obtaining your NetID click here.

Timeout Information

The current timeout for VPN connections is set at 4 hours for idle connections and 14 hours maximum. This means if your VPN connection is idle for more than 4 hours, you will be required to log in upon return. The maximum time you can stay connected is 14 hours. After this time, you will be required to re-connect.

Obtaining the Client

Cisco VPN Client:

Click on the appropriate link below to download the Cisco VPN client. You will be prompted to enter your NetID and password. You may also download any specific release notes that might be available for your particular Operating System. Note: These clients are subject to United States cryptographic export regulations. Do not redistribute these clients.

Client | Software Version | Client Documentation | TAMU Specific Instructions
Windows 2k/XP/Vista (*Note Advisory Below*) | 5.0.00.0340 | User Guide | Configuring and using the Windows client
Windows 2k/XP | 4.8.01 | User Guide | Configuring and using the Windows client
Linux | 4.8.00 | User Guide | Configuring and using the Linux client
SPARC Solaris OS 2.6 & Later | 4.6.02 | User Guide; Release Notes | Configuring and using the Solaris client
Mac OS X (10.4 - 10.5.x) | 4.9.01 | ReadMe Notes | Universal Binary
Mac OS X (10.0 - 10.3.9) | 4.8.00 | User Guide | Configuring and using the Macintosh client; Uninstalling the VPN 5000 client
Mac OS 9 | | Apani Document |

Advisory (from Cisco Systems):
Windows Vista does NOT support the following:

* Upgrades from Windows XP to Vista.
* Start Before Logon
* SmartCard Authentication
* Integrated Firewall
* InstallShield
* 64bit support
* AutoUpdate
* Online Help - Provided only in English

Be sure to Enable Transparent Tunneling during the configuration of your VPN client. Instructions on this can be found at Help Desk Central's page.

PPTP is a deprecated service. If you are using it, you should switch to the Cisco IPsec client. Support on the VPN server for PPTP may end with little or no notice.

Need Help?

Help Desk Central is our main contact point for computer and network related questions. Contact them via e-mail at helpdesk@tamu.edu or by calling (979) 845-8300.