CITES | University of Illinois

VPN Networking Diagram

For IT Pros
This page contains advanced information about the campus Virtual Private Networking (VPN) system, which allows authenticated access to University of Illinois computing resources from any location.

Note: Advanced content

This page describes the behind-the-scenes routing that takes place when your computer makes a VPN-secured connection to the campus VPN server. It's intended for advanced users, for troubleshooters, and for system administrators.

You don't need to know any of the information on this page in order to successfully connect to the VPN server; it's here for those who need a look "under the hood," so to speak.

The networking path of VPN client users

[Figure: network diagram]

The QuickConnect network ranges

When a user first connects to UIUCnet Wireless or Walkup, the user's computer (pictured in blue above) connects to the uiuc-quickc-net network. A computer in this network is assigned an IP address in one of the IP ranges listed here.

The CITES VPN network range

Once the user authenticates and makes the encrypted connection to the VPN server, the VPN server handles unencrypted communication with the rest of the network and represents the original computer's identity as a part of the VPN-assigned network address range.

Firewall implications

If your systems' users need access from off-campus locations, or from ports that QuickConnect doesn't allow, you can permit authorized CITES VPN users to access your systems by configuring the firewall(s) between your systems and the Internet as follows:

  • Campus firewalls
    Systems can be placed in any campus firewall group, including Fully Closed, and CITES VPN users will be provided access through the campus firewalls. The CITES VPN IP space is defined as on-campus IP space, so the campus perimeter blocks won't apply to VPN users.

  • Departmental firewalls: IP ranges
    If you wish to let VPN users access campus systems that are protected by a departmental firewall, configure your firewall to permit access from computers in the IP range listed here.

    (If you control printer access by IP address, make sure to update your printers as well.)

  • Off-campus firewalls: Ports
    If you manage a network that's located outside campus IP space, computers on that network will need specific ports opened in order to maintain a connection with the VPN server and claim an on-campus identity. For more information about the ports involved, see Firewall Ports Used for VPN Connections.
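The three firewall situations above, modelled as an added example (not CITES code): a source address is classified by where it sits on the diagram, the campus perimeter treats VPN space as on-campus while QuickConnect gets only a limited port list, and a departmental firewall generates the allow rules it needs for VPN users and IP-filtered printers. The address ranges, the QuickConnect port set and the printer port are placeholders, since the real ranges live on the linked campus pages, not here.

```python
"""Access model for VPN, QuickConnect and departmental firewalls (constructed)."""
from ipaddress import ip_address, ip_network

# Placeholder ranges (RFC 5737 documentation nets); the real QuickConnect and
# CITES VPN ranges are published on the linked campus pages, not on this one.
QUICKCONNECT_NETS = [ip_network("192.0.2.0/24")]
VPN_NETS = [ip_network("198.51.100.0/24")]
CAMPUS_WIRED_NETS = [ip_network("203.0.113.0/24")]
# Assumed: the limited port set QuickConnect permits before a VPN login.
QUICKCONNECT_PORTS = {80, 443}


def classify(src):
    """Label a source address by the part of the diagram it belongs to."""
    addr = ip_address(src)
    if any(addr in net for net in VPN_NETS):
        return "vpn"           # authenticated; the VPN server presents this identity
    if any(addr in net for net in QUICKCONNECT_NETS):
        return "quickconnect"  # unauthenticated wireless or walkup client
    if any(addr in net for net in CAMPUS_WIRED_NETS):
        return "campus"
    return "off-campus"


def campus_perimeter_allows(src, dst_port):
    """Campus firewall decision: VPN space counts as on-campus, so the
    perimeter blocks do not apply; QuickConnect only gets its port list;
    other off-campus sources are blocked (Fully Closed group)."""
    kind = classify(src)
    if kind in ("vpn", "campus"):
        return True
    if kind == "quickconnect":
        return dst_port in QUICKCONNECT_PORTS
    return False


def departmental_rules(service_port, printers=()):
    """iptables-style ACCEPT lines a departmental firewall needs so VPN users
    reach the service, plus one per IP-filtered printer (port 9100 assumed)."""
    rules = []
    for net in VPN_NETS:
        rules.append(f"-A INPUT -s {net} -p tcp --dport {service_port} -j ACCEPT")
        for printer in printers:
            rules.append(f"-A FORWARD -s {net} -d {printer} -p tcp --dport 9100 -j ACCEPT")
    rules.append("-A INPUT -j DROP")  # everything else stays closed
    return rules
```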

Security considerations

Note that from the blue computer to the VPN server and back, all transmissions are encrypted. From the VPN server out to the rest of the world, communications are NOT encrypted. The goal of the VPN server is not to make wireless transmissions end-to-end secure; the goal is to permit wireless and off-campus users to access resources on the UIUCnet network without revealing sensitive data such as login names and passwords to anyone close enough to "overhear" it.

The VPN server carries the transmissions securely into the wired part of the UIUCnet network. From that point on, however, the wireless users' communications are subject to the same protections and vulnerabilities as any wired computer on the UIUCnet network. For more information, see Security and VPN.


Last updated Monday, June 2, 2014, 5:10 pm