Cornell University Cornell Information Technologies

Remote Connections to Server Farm Machines:
VPN and SSH Jumper

In order to allow authorized access to CIT servers from remote locations, Systems and Operations (S&O) has implemented:

• A Virtual Private Network (VPN) service
• A Secure Shell (SSH) Jumper machine using using Two-Factor Authentication (T-FA).

Both tools require either a client installation and configuration and/or initial setup.

VPN

The Server Farm VPN is for CIT staff only. A public, campus-wide VPN service is available separately. The Server Farm VPN is kept separate to restrict access to servers to authorized server farm users and because some private networks exist.

VPN allows remote computers to connect and assume an IP address in the Cornell address space. This allows off-campus connections to campus resources that would not be possible because of routing or firewall restrictions. Connection can be established through one of many VPN clients available for Windows and Macintosh workstations.

Who Can Use the Server Farm VPN?

The Server Farm VPN is available to any staff member who can authenticate against the "CITSTAFF.CORNELL.EDU" domain. Other users can be added in special circumstances. Submit a request to systems-support@cornell.edu.

Fees

The Server Farm VPN establishes a connection to a LAN on Cornell's address space. Because this LAN is subject to NUBB charges, Server Farm VPN usage is for business use only. Establish the connection only long enough to accomplish the work necessary via VPN, then close it. The Server Farm VPN closes inactive connections automatically.

Using VPN outside the United States

If you plan to take VPN out of the country on a computer or plan to download it while abroad, be aware that the US Department of Commerce has restricted the export of cryptographic software. The use of VPN is illegal in any of the following countries: Cuba, Iran, Libya, North Korea, Sudan, and Syria.

Systems and Operations LAN/Technical Support Services team offers support to CIT staff to install software and connect through the Server Farm VPN. Send an email to cit_support@cornell.edu.

Connect to the Server Farm VPN

Choose the Server Farm VPN connection you need and then follow the instructions to set up the connection.

• Connect Using a Cisco Client and Windows XP

You'll need to download the Cisco client, but won't need to change firewall settings.
• Connect Using the Built-in Windows Client and Windows XP

No client to download. If you are running the Symantec Client Firewall, you will need to configure it.
• Connect Using a Cisco Client and Macintosh OSX

You'll need to download the Cisco client.
• Connect Using the Built-in Macintosh Client and Macintosh OSX

No client to download.

SSH Jumper

The SSH Jumper machine accepts SSH connections from anywhere on the internet. Once successfully logged in to the jumper machine, you can establish secure connections to other CIT Unix systems via SSH. X11 tunneling can also be used, if desired, for graphical applications on Unix.

The SSH jumper is a good option for making secure connections if your machine doesn't support VPN or you don't have it installed.

Individuals with user IDs defined in Single Sign On (SSO) and who possess a SecurID key fob can connect to the jumper machine. SSO is implemented using Lightweight Directory Access Protocol (LDAP). The SecurID key fob is a Two-Factor Authorization mechanism.

To obtain an SSO ID or key fob send email to systems-support@cornell.edu.

Make an SSH Connection Using the Jumper Machine

1. If necessary, download and install an SSH client. For more information, see "Installing an SSH Client."
2. Start the SSH client.
3. Click Quick Connect.



4. In Connect to Remote Host window, in the Host Name box, enter the name of the jumper machine, hopper.cit.cornell.edu. In the User Name box, enter your NetID, and then click Connect.

   

5. In the Host Identification window, click Yes. (You'll only see this window the first time you connect.)

   

6. In the Enter Password window, enter your LDAP password.

7. After you enter your password, the SSH Client prompts you to enter your passcode. Your passcode is your PIN number followed by the number from your SecureID keyfob. Do not put a space between the numbers. Continue with Step 10.

   Note: If you do not have a PIN, enter just the number from your SecurID keyfob. You'll be prompted to create a PIN. Continue with Step 8.

   

8. If you need to set up a PIN, you'll be asked if you're ready to enter a new PIN. Enter Y. Next you'll be prompted to enter a PIN and then to confirm it. Your PIN should be 4-8 digits long.

   

9. After you enter your PIN, the SSH Client prompts you to enter a new passcode. Your passcode is your PIN number followed by the number from your SecureID keyfob. Do not put a space between the numbers.

   

10. The SSH Client displays PASSCODE accepted. At the prompt, enter the ssh command for the server you want to connect to, for example, ssh wherever.cit.cornell.edu.