Secure Remote Access Service
SRAS allows a user to connect to their department server from anywhere using any Information Systems and Computing (ISC) supported browser. The service is designed to provide file access to a remote user who has an account in a Windows domain but whose remote machine (Mac or PC) is not a member of the domain. For example, a user traveling with a laptop needs access to shares, or students or staff work from home or satellite offices. Users authenticate to their Windows domain through the secure appliance to access resources; Windows domain security policies on the domain user accounts remain in effect. A Windows domain administrator can manage the user account through the Active Directory snap-in.
Three Service Options:
1. File share access -
A user connects to file shares in the school domain through a standard Penn supported web browser. A school-specific link, https://secureaccess.upenn.edu/schoolname, also referred to as a realm, is the gateway for user logon and domain authentication. Domain authentication information is passed from the secure appliance to the school Domain Controllers. All NTFS domain account settings and file share permissions are in effect for each user logon through the SRA realm. Authentication and file share traffic between the user's web browser and the secure remote access appliance is encrypted in transit. Traffic between the Domain Controller and the secure appliance is encrypted through a hardware firewall VPN tunnel.
This option offers a user a secure way to access folders and files on a department server from anywhere.
2. Client-Server application access -
Like the file share access option, the same link (https://sra.tss.isc.upenn.edu/schoolname) is used to initiate logon and authentication to the departmental domain. Domain authentication works the same as in option one. Once authenticated, however, the user is presented with a web page containing specific client/server application links. Examples of commonly used applications are Microsoft's Remote Desktop (RDP) and FileMaker. This option offers a user a secure way to remote desktop to their workstation from home or anywhere on the road. It is especially useful when the destination workstation is on a private VLAN where a hardware firewall policy allows only internal traffic.
3. VPN access (Junos Pulse) -
This is the most full-featured of the three options. It requires additional software (the Junos Pulse VPN client) to be installed on Windows, macOS or iOS. As in the previous two options, the user accesses the SRAS (https://sra.tss.isc.upenn.edu/schoolname) and enters their departmental ID/password. However, this information is entered into the VPN client rather than the web browser, as is the case with the first two options. Once authenticated, the user's system has a virtual network connection (with an associated PennNet IP address) that is used to access Penn resources. Using a PennNet IP makes it easy for departmental system/network administrators to allow access through the various firewalls that protect their resources.
- Administration: Administrative access to Windows Domain
- Authentication: Windows Active Directory Domain Controller (AD DC)
- Authentication: Installation of a Secure Sockets Layer (SSL) Certificate in each AD DC.
- Authentication: Distinguished Name (DN) of User Account designated for this service
- Authentication: Establish VPN tunnel between firewalls (client firewall and TSS firewalls)
- Configuration: Realm configuration on the SRAS appliance
- Permission: Distinguished Name for group container as shown within an LDAP browser
- Permission: Define type of access for each group.
- Client Software:
- File Share access: Supported web browser
- Client-Server application: e.g. RDP, FileMaker Pro, etc.
- VPN: Junos Pulse VPN software (Windows 32-bit/64-bit, macOS, iOS)
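The permission items above tie each group DN (as copied from an LDAP browser) to an access type. The following is an added example, not the appliance's own configuration format or code from this page: a hypothetical realm policy keyed by group DN, evaluated against a user's memberOf values with DN normalization so that differences in case or spacing between the LDAP browser and the realm configuration do not silently deny or grant access. The group names and DC components are constructed placeholders.

```python
import re

# Constructed, hypothetical realm policy: group container DN -> access types.
# Deny by default: a group not listed here grants nothing.
REALM_POLICY = {
    "CN=SRA-FileShare,OU=Groups,DC=school,DC=upenn,DC=edu": {"file_share"},
    "CN=SRA-RDP,OU=Groups,DC=school,DC=upenn,DC=edu": {"file_share", "client_server"},
    "CN=SRA-VPN,OU=Groups,DC=school,DC=upenn,DC=edu": {"vpn"},
}


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    Splits on commas that are not escaped with a backslash (so a CN such as
    'Smith\\, John' stays one RDN), trims whitespace around each RDN, and
    lower-cases attribute types and values, since AD treats DNs
    case-insensitively.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def allowed_access(member_of, policy=REALM_POLICY):
    """Return the union of access types granted by the user's group DNs."""
    table = {normalize_dn(group): access for group, access in policy.items()}
    granted = set()
    for group in member_of:
        granted |= table.get(normalize_dn(group), set())
    return granted


if __name__ == "__main__":
    # Constructed memberOf values as an LDAP browser might display them.
    user_groups = [
        "cn=sra-fileshare, ou=groups, dc=school, dc=upenn, dc=edu",
        "CN=Printer-Admins,OU=Groups,DC=school,DC=upenn,DC=edu",
    ]
    print(sorted(allowed_access(user_groups)))
```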
- Work with client to acquire and install the SSL Certificates on the domain controllers that will be used for authentication.
- Configuration and customization of department Realm (Client feedback is appreciated regarding look and feel of realm)
- Configuration and maintenance of all backend technology (an LTS consultant will work with the client throughout this process).
- Work with LTS consultants on verification of usability and quality assurance prior to rolling out the service in production.
- Notify LTS of planned or emergency changes to the client domain infrastructure, preferably before making the changes to the production environment.
Guaranteed Service Level Agreement:
Generally, the SRA is available 24 hours a day, 7 days a week. When a service outage occurs, TSS staff attempt to restore service as quickly as possible. During weekdays (Monday through Friday) from 8:00am through 6:00pm, TSS staff are available to monitor, diagnose, and correct any system failures that might occur. After-hours support (University work days, 6:00pm to 11:30pm, and Saturday 8:00am to 11:30pm) is performed remotely by on-call staff members. During all other hours TSS staff monitor and respond on a "best effort" basis only.
For more information on the Secure Remote Access Service please send email to magida@isc. Problems should be reported to LAN Technology Services, lan@isc.