VPN Support#

Setting up a VPN for prod5#

Note you will need to do this once for the Tier 2 VPN and once for the Tier 3 VPN. The example below is for VPN3

  1. Create new enterprise app - Identity > Applications > Enterprise Applications

  2. Create a Palo Alto - Global protect app

  3. Modify name in properties to say something useful! (e.g. Prod5 VPN3 - Palo Alto - Global Protect)

  4. Manage > Single Sign-on > Select SAML

  5. Fill in metadata in Basic SAML Configuration

    • Sign on URL = https://vpn3.prod5.turingsafehaven.ac.uk

    • Reply URL = https://vpn3.prod5.turingsafehaven.ac.uk:443/SAML20/SP/

    • Identifier URL = https://vpn3.prod5.turingsafehaven.ac.uk:443/SAML20/SP

  6. Add useful address to notification email addresses

  7. Download Federation Data XML from SAML Certificates (section 3)

  8. Securely send XML to IT to update config on their side (we did this via the TRESA Sharepoint)

  9. Create a new DNS zone for the VPN in the Azure portal

    • Home > DNS zones > Create

    • Subscription = [Prod] Safe Havent Management V5

    • Resource Group = shm-prod5-rg

    • zone is a child of existing zone = True

    • name = vpn3 or vpn2

    • Once created go to the Record Sets and add three records (per the Microsoft docs)

    • CAA record

      • name = @

      • flags = 0

      • tags = issue

      • value = sectigo.com

    • CNAME record

      • name = given by IT

      • Alias = given by IT

    • A record

      • name = @

      • value = IP address given by IT

  10. Once this is done, IT can set up the Global Protect download page at this URL (vpn3.prod5.turingsafehaven.ac.uk)

  11. Go there and download the Global Protect app appropriate for your device

  12. If you already have Global Protect installed, you’ll need to add a new Portal - this will be the VPN URL (vpn3.prod5.turingsafehaven.ac.uk)

  13. Once this is done, you’ll need to test the VPN

  14. Add your user account (ideally a normal user not an admin) as a user of the Entra application

    • you can also add groups which is probably easier for SREs

  15. You should then be able to log into the VPN

    • note that the Tier 3 VPN is configured to only allow Chromebooks to connect

  16. Test your IP address - it should be the appropriate one for the VPN you’re connected to

VPN3 IP Address#

193.60.220.240

VPN2 IP Address#

193.60.220.242

Access for ChromeBook users#

For users with (Turing) Chromebooks (T3):

  1. Global protect will already be installed - IT will have given you credentials to sign onto the Chromebook

  2. Use your (TRESA supplied) prod5 credentials

  3. If first time logging on click forgotten password and go through the steps - Note alphanumeric is probably easiest for keyboard mapping

  4. Try signing onto Global Protect with your (full) prod5 credentials and the new password

  5. Confirm your IP address is as expected

  6. navigate to the SRE page https://YourProjectName.prod5.turingsafehaven.ac.uk

  7. User name will be firstname.lastname

  8. Password will be the one you just set up

IP address for an SRE#

Sometimes it is necessary to provide the IP address for the SRE if other institutions’ VPNs are used, as their IT teams may need to add them to the allow list.

The IP address for a given SRE can be found either by:

  • NSlookup SREName@prod5.turingsafehaven.ac.uk

  • Looking at the “A” record in the SRE’s resource group’s DNS zone

Global Protect Error#

Users who have devices from- or recently visited other countries have come across a GlobalProtect error: Matching Client Config Not Found. This is something that IT can (trivially) fix, by adding specific countries to the allow list, as long as connections are allowed from that country. Trusted research team should raise a ticket with IT if they believe this is the case, confirming with the user the location of their device.