Difference between revisions of "Virtual private network for employees"

From WSU Technology Knowledge Base
(Step 3: Connect to Cisco AnyConnect)
 
(45 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{TOC_Float_Right}}
 
{{TOC_Float_Right}}
{{Revision}}
+
{{WSU}} Information Technology Services provides a secure '''virtual private network for employees''' working from off-campus locations. To maintain data security, access to some online systems and services requires a direct connection to our private campus network. Using our virtual private network (VPN), employees working remotely can emulate this direct, private connection and access these services as if they were on campus. Most employees do not need a continuous VPN connection when working remotely. Employees cannot establish a VPN connection using a personally-owned device and must use multi-factor authentication to verify their credentials when connecting to our VPN.
{{WSU}} Information Technology Services provides a secure '''virtual private network for employees''' working from off-campus locations. To maintain data security, access to some {{WSU}} online services requires a direct connection to our private campus network. Using our virtual private network (VPN), employees working remotely can emulate this direct, private connection and access these services as if they were on campus.
 
 
 
==Is VPN required for telework?==
 
No. Most {{WSU}} employees do not need a continuous VPN connection for [[Telework|telework]]. It's only required for certain services with elevated restrictions, and then only for the duration of your transaction. Once that work is complete, you can disconnect VPN and continue working without it. Below are some services that either require or don't require a VPN connection for off-campus access. Contact the {{TSC}} for a full list and if you have any questions.
 
===Some services that require VPN===
 
*Department network drives (e.g., S drive)
 
*Printing to a department printer
 
*Marketplace
 
 
 
===Some services that do not require VPN===
 
*Office 365
 
*D2L Brightspace
 
*Zoom
 
 
 
==Does VPN require multi-factor authentication?==
 
Yes. You will need to verify your credentials using a second step available only to you. Specifically, you will enter a one-time password (a random sequence of digits) generated by an authenticator app installed on your phone, tablet, or laptop. The first step in preparing to use VPN is to install a supported authenticator app.
 
  
 
==Setting up VPN==
 
==Setting up VPN==
 
===Step 1: Install an authenticator app===
 
===Step 1: Install an authenticator app===
{{WSU}} Information Technology Services supports two authenticator apps for use with VPN:
+
{{WSU}} Information Technology Services supports two authenticator apps for use with our VPN:
 
*'''Microsoft Authenticator (recommended):''' [[Microsoft Authenticator|Install this app]] if you prefer using your phone or tablet to verify your VPN credentials.  
 
*'''Microsoft Authenticator (recommended):''' [[Microsoft Authenticator|Install this app]] if you prefer using your phone or tablet to verify your VPN credentials.  
 
*'''Authy:''' [[Authy|Install this app]] if you prefer using your WSU laptop to verify your VPN credentials.
 
*'''Authy:''' [[Authy|Install this app]] if you prefer using your WSU laptop to verify your VPN credentials.
  
 
===Step 2: Add your VPN account to your authenticator app===
 
===Step 2: Add your VPN account to your authenticator app===
 +
This step must be completed while on the Winona or Rochester campus. Please use Google Chrome to complete this step. There are known issues with other browsers. If using a {{WSU}} laptop, you must be connected to the [[Wazoo|Wazoo wireless network]]. You can also complete this step using your office desktop with a secure wired network connection.
 +
#If using a laptop, ensure that it's connected to the [[Wazoo|Wazoo wireless network]] wireless network
 +
#Use Chrome to go to the VPN enrollment site at [https://otp.winona.edu https://otp.winona.edu]
 +
#Select the link, '''"Proceed to set up my StarID for campus VPN access"'''
 +
#Enter your StarID (e.g., ab1234cd) in the Username field and select Submit
 +
#Enter your StarID password and select Submit
 +
#Click the '''Add OATH Token''' button
 +
#Click the radio button next to '''Online''' then click '''Add'''. You will be presented with a QR code and a manual code.
 +
#Open your authenticator app. If using Microsoft Authenticator on your phone or tablet, tap '''Add Accounts''', then '''Work or School account'''. The app will ask for permission to use your camera, tap '''Allow'''. Then, use your phone to scan the QR code on your computer screen. Your account will be added to the app. If you are using Authy, select the '''"+"''' icon, copy and paste the manual account code from the VPN enrollment screen to the field in Authy, and select the '''Add Account''' button.
 +
#IMPORTANT: Select the '''Done''' button on your computer screen to complete the enrollment process.
 +
#Close and reopen your authenticator to ensure that the '''Winona online''' account was added. You will use the rolling code for that account to verify your VPN credentials. Note that you may have other accounts listed in your authenticator app with their own rolling codes.
  
'''NOTE: Please use Google Chrome to complete these steps. Mozilla Firefox is known to present errors during this process.'''
+
===Step 3: Test your VPN connection===
# You must have access to an [https://www.login.gov/help/signing-in/what-is-an-authentication-app/ Authenticator app]. This is typically a mobile phone app that can generate six-digit verification codes to allow [https://en.wikipedia.org/wiki/Multi-factor_authentication multi-factor authentication.]
+
You can now test your VPN connection from off-campus. You can also test it using your laptop while on campus if you are connected to the Eduroam wireless network. To log in to Eduroam, use the StarID@minnstate.edu format of your username and do not enable the connection to reconnect automaticallyWhen you are done testing disconnect your VPN connection.   
# Ensure your computer is connected to the [[Wazoo]] wireless network on campus
+
*[[Connect your laptop to our virtual private network|Connect your PC laptop to our VPN]]
::* If you are on a desktop computer your wired network connection should suffice
+
*[[Connect your laptop to our virtual private network|Connect your Mac laptop to our VPN]]
# All employees must start by setting up their One-Time Password (OTP) at this link '''while on campus''': https://otp.winona.edu
 
# Once on that page, enter your StarID in the Username field
 
# Enter your network password on the next screen
 
# Click Add OAUTH Token
 
# Click the radio button next to Online then click Add
 
# On the next page, scan the QR code with the authenticator app of your choice
 
 
 
::* '''You MUST click 'Done' after you scan your QR code!'''
 
:::* We recommend [https://www.microsoft.com/en-us/account/authenticator Microsoft Authenticator] or [https://authy.com/download/ Authy]
 
 
 
===Step 3: Connect to Cisco AnyConnect===
 
 
 
For the next steps you must be connected to an off-campus (home) network or it will fail with error:  Connection attempt has timed out. Please verify Internet connectivity. 
 
 
 
If you are on campus and would like to test your VPN connection, temporarily switch to the '''EduRoam''' Wi-Fi network with your '''StarID@minnstate.edu'''. 
 
 
 
====Connect to Cisco AnyConnect on Windows 10====
 
* Open the Start Menu and type Cisco
 
* Select 'Cisco AnyConnect Secure Mobility Client' when it appears
 
** If Cisco AnyConnect does not appear in your start menu, open your internet browser and go to https://ot.winona.edu
 
[[file:CACVPNPC.png]]
 
* Once Cisco AnyConnect opens, '''replace tunnel.winona.edu with ot.winona.edu''' then hit '''Connect'''
 
* Select your group from the drop down list. If you do not know your group, just choose '''grp_employee''' as shown in the screenshot below.
 
** Username format is '''StarID-six digit auth code''' (ex: pp7998kk-042565). Do not forget the dash between your StarID and the six-digit code from your [https://www.microsoft.com/en-us/account/authenticator Microsoft Authenticator] or [https://authy.com/download/ Authy] app that you setup to use for VPN. It will be the one called WINONA online under accounts for Microsoft Authenticator.   
 
** Password is the one you use with your Starid.   
 
[[file:VPNmfa.png]]
 
 
 
====Connect to Cisco AnyConnect on macOS====
 
 
 
* Click on Spotlight in the upper right corner of your Mac
 
* Type in "Cisco"
 
* Select "Cisco AnyConnect Secure Mobility Client" when it appears
 
** If Cisco AnyConnect does not appear, open your internet browser and go to https://ot.winona.edu
 
[[File:VPN_Mac_Cisco_Search.png|400px]]
 
* Once Cisco AnyConnect opens, replace tunnel.winona.edu with ot.winona.edu then hit Connect
 
[[File:otVPN.png|400px]]
 
* You will be prompted to login with your StarID, your six-digit authentication code, and your StarID password
 
* Select your group from the drop down list. If you do not know your group, just choose grp_employee as shown in the screenshot below.
 
** Username format is '''StarID-six digit auth code''' (ex:  pp7998kk-042565). Do not forget the dash between your StarID and the six-digit code from your [https://www.microsoft.com/en-us/account/authenticator Microsoft Authenticator] or [https://authy.com/download/ Authy] app that you setup to use for VPN
 
[[file:macVPNmfa.png|400px]]
 
 
 
==How do I access my network storage off-campus?==
 
 
 
'''You will first need to connect to your VPN client Cisco AnyConnect.''' Next follow steps below:
 
 
 
===Windows 10===
 
 
 
* Open your Start Menu and click the "Click to Map Network Drives" tile located at the top middle of the screen
 
* Re-open your Start Menu and click the "File Explorer" tile in the middle of the screen
 
* Your network storage drives will be located under the "Network locations" heading. You may have to scroll down to find it.
 
[[File:ConnectToServer.png|frame|Fig 2. Here is a sample of the server addresses you may need to connect to.]]
 
===macOS===
 
 
 
* In Finder, press and hold the '''<Command>''' key then tap the '''<K>''' key to bring up the "Connect to Server" prompt
 
* Connect to one of the network locations listed in Fig 2.
 
* Just copy/paste one of the addresses below if your list is not pre-populated
 
* Personal storage: smb://store.winona.edu/users/
 
* Department drive: smb://store.winona.edu/department/
 
 
 
 
 
==Related information==
 
  
 +
==More articles==
 +
*[[Frequently asked questions about our virtual private network]]
 +
*[[Access network storage from off campus]]
 
*[[Cisco AnyConnect Secure Mobility Client]]
 
*[[Cisco AnyConnect Secure Mobility Client]]
 
*[[Local network storage]]
 
*[[Local network storage]]
*[[VPN for Employees]]
 
 
*[[VPN for Students]]
 
*[[VPN for Students]]
*[[Installing VPN]]
 
 
*[[VPN]]
 
*[[VPN]]
 +
 +
==External links==
 +
*[https://en.wikipedia.org/wiki/Virtual_private_network Virtual private network (Wikipedia)]
 +
*[https://www.howtogeek.com/133680/htg-explains-what-is-a-vpn What's a VPN and why would I need one? (How-To Geek)]
 +
 +
[[Category:VPN]][[Category:Security]][[Category:Keep Working]][[Category:Keep Teaching]]
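Review bot: The first added item of the Step 2 list repeats its link text, "[[Wazoo|Wazoo wireless network]] wireless network", so the step renders as "Wazoo wireless network wireless network"; drop the trailing "wireless network". The added paragraph just above the list already says a WSU laptop must be on Wazoo, so that item could also be shortened to a one-line reminder rather than restating the requirement.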

Latest revision as of 07:16, 30 March 2020

Winona State University Information Technology Services provides a secure virtual private network for employees working from off-campus locations. To maintain data security, access to some online systems and services requires a direct connection to our private campus network. Using our virtual private network (VPN), employees working remotely can emulate this direct, private connection and access these services as if they were on campus. Most employees do not need a continuous VPN connection when working remotely. Employees cannot establish a VPN connection using a personally-owned device and must use multi-factor authentication to verify their credentials when connecting to our VPN.

Setting up VPN

Step 1: Install an authenticator app

Winona State University Information Technology Services supports two authenticator apps for use with our VPN:

  • Microsoft Authenticator (recommended): Install this app if you prefer using your phone or tablet to verify your VPN credentials.
  • Authy: Install this app if you prefer using your WSU laptop to verify your VPN credentials.

Step 2: Add your VPN account to your authenticator app

This step must be completed while on the Winona or Rochester campus. Please use Google Chrome to complete this step. There are known issues with other browsers. If using a Winona State University laptop, you must be connected to the Wazoo wireless network. You can also complete this step using your office desktop with a secure wired network connection.

  1. If using a laptop, ensure that it's connected to the Wazoo wireless network
  2. Use Chrome to go to the VPN enrollment site at https://otp.winona.edu
  3. Select the link, "Proceed to set up my StarID for campus VPN access"
  4. Enter your StarID (e.g., ab1234cd) in the Username field and select Submit
  5. Enter your StarID password and select Submit
  6. Click the Add OATH Token button
  7. Click the radio button next to Online then click Add. You will be presented with a QR code and a manual code.
  8. Open your authenticator app. If using Microsoft Authenticator on your phone or tablet, tap Add Accounts, then Work or School account. The app will ask for permission to use your camera; tap Allow. Then, use your phone to scan the QR code on your computer screen. Your account will be added to the app. If you are using Authy, select the "+" icon, copy and paste the manual account code from the VPN enrollment screen to the field in Authy, and select the Add Account button.
  9. IMPORTANT: Select the Done button on your computer screen to complete the enrollment process.
  10. Close and reopen your authenticator to ensure that the Winona online account was added. You will use the rolling code for that account to verify your VPN credentials. Note that you may have other accounts listed in your authenticator app with their own rolling codes.
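
How the rolling code in step 10 is derived from the manual code shown in step 7, as an added example that is not part of the original article or of WSU's systems. It assumes the OATH token is a standard RFC 6238 time-based one-time password (HMAC-SHA-1, 30-second step, six digits) and that the manual code is Base32; the article states neither, and the sample key is the published RFC 6238 test key, not a real enrollment secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # assumed time step in seconds (RFC 6238 default)
DIGITS = 6   # six-digit codes, as the authenticator apps display

def decode_manual_code(code: str) -> bytes:
    """Convert a manual enrollment code to key bytes.
    Assumes Base32; tolerates spaces, dashes, lower case and missing padding."""
    cleaned = code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(key: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing Unix time `at` (RFC 6238 over RFC 4226)."""
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key: bytes, submitted: str, at: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side, so a device clock that is slightly off still authenticates."""
    for drift in range(-window, window + 1):
        expected = totp(key, at + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890",
# written the way a manual code is often displayed (grouped, lower case).
SAMPLE_MANUAL_CODE = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_manual_code(SAMPLE_MANUAL_CODE)
    now = time.time()
    print("current code:", totp(key, now))
    print("seconds until it rolls:", STEP - int(now) % STEP)
```

Because the code depends only on the shared key and the clock, anyone who sees the QR code or manual code can generate valid codes, and a device with a badly wrong clock will be rejected.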

Step 3: Test your VPN connection

You can now test your VPN connection from off-campus. You can also test it using your laptop while on campus if you are connected to the Eduroam wireless network. To log in to Eduroam, use the StarID@minnstate.edu format of your username and do not enable the connection to reconnect automatically. When you are done testing, disconnect your VPN connection.
