Role-Based Networking
What is Role-Based Networking?
Role-based networks are small networks that are built to serve a specific function or set of users, as compared to large, general-purpose building networks. Role-based networks are helpful to simplify firewall Access Control Lists (ACLs), manage customer devices, and in some cases, to segment network traffic.
What types of Role-Based Networks are currently available?
- Role-Based VPN services (available 6/10/2020)
- Role-Based wired networks (available 9/1/2020)
- Role-Based wireless networks (available 7/1/2021)
What is a Role-Based network service?
Role-based network service creates a small network that only your customers land in.
For VPN and wireless role-based service, access is managed by an AD security group within your Business Unit’s OU that controls which of your customers can access your services. Once users are added to your security group for your role-based network, the user will obtain an IP address in your role-based network.
For wired role-based service, access is controlled at the jack level. Only jacks designed by you are moved to the new VLAN.
What are the technical details for the Role-Based network services?
- /22’s, which support up to 1000 concurrent customers (Wireless only)
- /23’s, which support up to 500 concurrent customers (Wireless only)
- /24’s, which support up to 250 concurrent customers (VPN, Wired, and Wireless)
- /25’s, which support up to 120 concurrent customers (VPN, Wired, and Wireless)
- /26’s, which support up to 60 concurrent customers (VPN, Wired, and Wireless)
Each role-based network will be in private IP space and will have a dedicated NAT IP. The private client IP will be within your role-based network, and outbound traffic will NAT using your dedicated IP address.
Role-based networks utilize DHCP. DHCP reservations can be made for wired and wireless clients only. Access can be delegated to the unit to manage the role-based network IP space allocated to the unit.
DHCP reservations are not available for the role-based VPN service.
What are the current restrictions on Role-Based network services?
We are currently limiting role-based network service to requests that segment users along high-level organizational boundaries (i.e., Area and Department) or to support those users and systems subject to external audit requirements. Once these initial needs are met, we will expand the service to support more granular networks.
Additionally, if ITS runs low on available networks, ITS reserves the right to re-assign networks whose 12-month rolling average usage of IP addresses drops below 25%.
Finally, ITS will never resize a role-based network. If a new network size is needed, ITS will allocate a new network.
How do I submit a request for a Role-Based network service?
To request a role-based VPN service, complete the Role Based Network Request form with the following information:
- The Canonical Name (CN) of the security group in your OU that you wish to use to manage authorized users of your role-based network (VPN and wireless only)
- The size of the network you are requesting (options are listed below by service offering)
-
Role-Based Network Service Network Size Options VPN /24, /25, /26 Wired /24, /25, /26 Wireless /22, /23, /24, /25, /26 - The name of the Business Unit or audit control group that is being served by the network (e.g., College of Business or Office of Research PCI Users)
What do I need to be aware of when using the role-based network service?
Firewall rules that allow your customers access to services will need to be updated to reflect the new range of IP addresses.
Individuals wishing to access WSU resources via VPN who have a Friend ID, including visiting scholars, vendors, and other WSU associates, please continue to use the Cisco SSL/VPN as shown below. All current students, faculty, and staff please use the GlobalProtect tools for Mac or Windows that are available via the links above.
Washington State University offers SSL VPN access for those departments and users that require secure remote user access to specific, restricted university services and data. The SSL VPN service provides authenticated and encrypted access to resources such as the administration of departmental servers, administrative systems and applications, and/or systems that house sensitive information.
The SSL VPN service uses the Cisco AnyConnect client over SSL (Secure Socket Layer). Use of the WSU SSL VPN service requires the installation of the Cisco SSL VPN AnyConnect Mobility client. Users are able to manually download and install the mobility client for desktops and laptops from the following location: SSL VPN Client Download.
(Users of mobile devices, tablets, etc. will need to download AnyConnect Mobility clients from their local app stores, as these are not provided by WSU.)
- SSLVPN
- OS Requirements & Client Download Information
- Installation Instructions
- Remote Desktop Instructions
SSL VPN
Audience
- All sponsored contractors, vendors, guests and any others (including 3rd parties) requiring remote access
Currently Supported Operating Systems
- Windows 7, 8, 8.1, and 10 (32 and 64 bit)
- Mac OS X 10.8, 10.9, 10.10, and 10.11
- Ubuntu 12.04 (LTS), 14.04 (LTS) (64 bit only)
(other linux distributions may work as well but are untested) - RedHat Linux 6 and 7
- And many smartphones or tablets
Scope
The SSL VPN service allows secured communication from remote sites to the WSU campus. The SSL VPN service establishes a split tunnel that will route traffic intended for WSU over a secured link and provide a separate path for all other traffic via the local service provider’s internet connection.
Examples of where the SSL VPN service are required:
- Where secure communications to restricted information at WSU is needed
- At home or traveling and needing access to secure WSU services
- Administrators at WSU who need secure remote communications to their on-campus equipment and services
Examples where the SSL VPN service is not required:
- Applications that are in use by a large number of users
- Applications that have little to no access restrictions
Standards
- The WSU SSL VPN service can only be initiated from networks off the Pullman campus.
- Custom Active Directory attributes are created for SSL VPN users upon registration. Faculty, staff, student or third party individuals are granted access to the SSL VPN service if they have a current active status with WSU. These attributes are systematically reviewed and updated daily.
- Users will authenticate with their WSU NID or FID.
- WSU reserves the right to remove users from the SSL VPN users group. Users who have been removed and later determine they need access may request through Coug Tech that they be given access again.
Security Notes
- Active SSL VPN connections must never be left unattended.
- Always disconnect an active SSL VPN connection when finished with a session.
- Connections that remain idle (no interaction) for 30 minutes, will be automatically disconnected.
Login again to reconnect. - WSU recommends the use of local host firewalls for enhanced security.
- Computers should have the latest service packs, critical updates, and security patches before connecting to the SSL VPN.
- Anti-virus software must be enabled with up-to-date virus definitions installed.
Procedures to Connect
- Make sure your system satisfies the SSL VPN operating system and browser requirements
- Complete the Mandatory one time self-registration
- Connect to the WSU SSL VPN Service
- Follow prompts for one time client installation
SSL VPN Client Download for pre-installation on appropriate systems.
Policy
The WSU SSL VPN service will provide users secure and encrypted access to restricted WSU resources when connected to the internet from outside of the wsu.edu domain. SSL VPN is intended to provide authenticated/encrypted access to restricted resources. Users who access WSU resources via the SSL VPN are subject to the same policies as users within the wsu.edu domain.
Compliance
All parties as delineated under Audience are required to comply with this policy.Note that all network activity while connected to the traditional or SSL VPN is subject to the University’s normal acceptable use policies.
Individuals who discover or strongly suspect the violation of this policy must promptly notify the IT Security Office at
509-335-HELP(4357) (8:00am – 5:00pm) or abuse@wsu.edu.
OS Requirements & Client Download Information
SSL VPN Client Download & Set-up
| Operating System | Link |
|---|---|
| Windows 64 bit: | Windows SSL VPN Client |
| Windows Set-up Instructions | |
| AnyConnect for Windows Mobile 6.5 | |
| Linux: | Linux 32 Bit SSL VPN Client |
| Linux 64 Bit SSL VPN Client | |
| Linux Set-up Instructions | |
| Mac OS X: | Mac OS X SSL VPN Client |
| Mac OS X Set-up Instructions | |
| iPhone | iPhone Client & Set-up Instructions |
Mobile Requirements
| Device | OS |
|---|---|
| iPad Air | 7.0 or later |
| iPad 2 | 6.0 or later |
| iPad (3rd generation) | 6.0 or later |
| iPad (4th generation) | 6.0 or later |
| iPad mini | 6.0 or later |
| iPad mini (with Retina display) | 7.0 or later |
| iPhone 3GS | 6.0 - 6.1.6 |
| iPhone 4 | 6.0 - 7.1.2 |
| iPhone 4S | 6.0 or later |
| iPhone 5 | 6.0 or later |
| iPhone 5C | 7.0 or later |
| iPhone 5S | 7.0 or later |
| iPhone 6 | 8.0 or later |
| iPhone 6 Plus | 8.0 or later |
| iPod Touch (4th generation) | 6.0 - 6.16 |
| iPod Touch (5th generation) | 6.0 or later |
| ATT Tilt 3.57.502.2 WWE Note: TouchFLO must be disabled. | Windows Mobile 6.1 Professional |
| Axim X51v with ROM: A03 (23092007 | Windows Mobile 6.0 Classic |
| HTC Touch Pro | Windows Mobile 6.1 Professional |
| HTC Touch | Windows Mobile 6.0 |
| HTC Imagio | Windows Mobile 6.5 |
| HTC Tilt 2 | |
| HTC TyTN | Windows Mobile 5.0 |
| iPAQ 2790 | Windows Mobile 5.0 PocketPC |
| Palm Treo 700wx: | Windows Mobile 5.0+AKU2 PDA Phone |
| Sprint TREO 700WX-1.15-SPNT | |
| Palm Treo 750: | Windows Mobile 6.0 Professional |
| AT&T TREO750-2.27-RWE | |
| AT&T TREO 750-2.25-ATT | |
| T-Mobile TREO750-2.27-RWE | |
| Palm Treo 800-Sprint Treo 800w-1.03-SPNT | Windows Mobile 6.1 Professional |
| Palm Treo Pro: | Windows Mobile 6.1 Professional |
| AT&T T850UNA-1.01-NAE | |
| Sprint T850EWW-1.03-SPT | |
| T-Mobile T850UNA-1.01-NAE | |
| Samsung | Windows Mobile 6.1 Professional |
| Epix SGH-i907 | |
| Omnia SCH-i910 | |
| Saga SCH-i770 | |
| Samsung Omnia Pro 4 | Windows Mobile 6.5 |
| Sprint Touch with ROM: 3.03.651.4 | Windows Mobile 6.1 Professional |
| Note: TouchFLO must be disabled. | |
| T-Mobile Wing 4.26.531.1 WWE | Windows Mobile 6.0 Professional |
| Verizon XV6800 with ROM: 1.00.00.H: | Windows Mobile 6.0 P |
| Verizon 2.09.605.8 | |
| Verizon 3.57.605.1 |
Workstation Requirements
| Operating System | Requirement | |
|---|---|---|
| Windows | System Requirements | Pentium class processor or greater 100 MB hard disk space Microsoft Installer, version 3.1 Windows 7, 8, 8.1, and Windows 10 x86 (32-bit) or x64 (64-bit) Internet Explorer 6.0 is no longer supported Cisco will not offer Windows XP and Vista as a supported operating system for present or future AnyConnect releases. AnyConnect is not supported on Windows RT. There are no APIs provided in the operating system to implement this functionality. Cisco has an open request with Microsoft on this topic. |
| Mac OS | OS Requirements | Mac OS X 10.8, 10.9, 10.10 and 10.11 Max OS X Support Notes Mac OS X 10.5, 10.6, and 10.7 are no longer supported by Cisco. AnyConnect requires 50MB of hard disk space. To operate correctly with Mac OS X, AnyConnect requires a minimum display resolution of 1024 by 640 pixels. Mac OS X 10.8 introduces a new feature called Gatekeeper that restricts which applications are allowed to run on the system. You can choose to permit applications downloaded from: Mac App Store Mac App Store and identified developers Anywhere The default setting is Mac App Store and identified developers (signed applications). AnyConnect release 4.1 is a signed application, but it is not signed using an Apple certificate. This means that you must either select the Anywhere setting or use Control-click to bypass the selected setting to install and run AnyConnect from a pre-deploy installation. Users who web deploy or who already have AnyConnect installed are not impacted. For further information see: http://www.apple.com/macosx/mountain-lion/security.html |
| Linux | OS Requirements | x86 instruction set. 64-bit processor. 32 MB RAM. 20 MB hard disk space. Superuser privileges are required for installation. libstdc++ users must have libstdc++.so.6(GLIBCXX_3.4) or higher, but below version 4. Java 5 (1.5) or later. The only version that works for web installation is Sun Java. You must install Sun Java and configure your browser to use that instead of the default package. zlib - to support SSL deflate compression xterm - only required if you're doing initial deployment of AnyConnect via Web launch from ASA clientless portal. gtk 2.0.0. gdk 2.0.0 libpango 1.0 or a compatible build such as package pangox-compat-0.0.2-2.el7.x86_64.rpm or pangox-compat-0.0.2-3.fc20.x86_64.rpm iptables 1.2.7a or later. tun module supplied with kernel 2.4.21, 2.6 |
| Web based installation of the sslvpn client utilizes either ActiveX (with IE) or Oracle Java to download and install the clients. Because of the numerous security issues that Java and ActiveX poses, it is highly recommended that users download the clients from the following web page and manually install them and not have to deal with Java or ActiveX. http://infotech.wsu.edu/NetworkService/VPN/VPN.aspx | ||
Installation Instructions for Windows, WinMobile, iPad, iPhone, OS X Linux, Ubuntu
Remote Desktop Instructions for Win, Mac, Linux, OS X to Win RDP, Win to Linux RDP
OneDrive
- OneDrive – What do you get?
- OneDrive Limitations
- OneDrive – Sharing Your Files and Folders with Others
- Accessing your OneDrive Files and Folders via a Web Browser
- Restore/View previous version of documents in OneDrive
- Add and sync shared folders to OneDrive
- Managing OneDrive Space and Sync Folders
Office 365
- Office 365 Applications – What do you get?
- List of Office 365 Applications Available by Device
- Co-Editing Word, Excel and PowerPoint files between Teammates
- Compatibility Matrix for Office 365 Click-to-Run and Visio/Project Standalone Installations
- Using Office Online via a Web Browser
- Deactivating Office 365 for a Windows PC or Mac