Secure Remote Access Service
SRAS allows a user to connect to their department server from anywhere using any one of Information Systems and Computing supported browser. The service is designed to provide file access to a remote user who has an account in a windows domain but whose machine Mac or PC is not a member of the domain. For example, a user traveling with laptop needs access to shares, or students or staff working from home or satellite offices. Users authenticate to their Windows domain through the secure appliance to access resources; Windows domain security policies on the domain user accounts are in effect. A Windows domain administrator can manage the user account through the active directory snap-in.
File share access -
Remote Desktop to a user workstation plus file share access -
A user connects to file shares in the school domain through the use of a standard Penn supported web browser. A school specific link https://secureaccess.upenn.edu/schoolname, also referred to as a realm, is a gateway for user logon and domain authentication. Domain authentication information is passed from the secure appliance to school Domain Controllers. All NTFS domain account settings and file share permissions are in effect for each user logon through the SRA realm. Authentication and file share traffic back and forth between the user web browser and the secure remote access appliance traverses the network encrypted. Traffic between the Domain Controller and the secure appliance is encrypted through the use of a hardware Firewall VPN tunnel.
This option offers a user a secure way to access folder and files on a department server from anywhere.
Like the file share access option, the same link (https://sra.tss.isc.upenn.edu/schoolname) is used to initiate logon and authentication to the school realm for access to Remote Desktop through the use of a standard Penn supported web browser. Domain Authentication works the same as in option one. Once authenticated a user has access to their RDP profile and file share access on to the department server. The RDP user profile is configured to provide access to individual workstation. The screen size and resolution, local drive and printer mapping can also be defined if needed.
This option offers a user a secure way to remote desktop to their workstation from home or anywhere on the road. This option is especially useful if the workstation is on a private vLAN where only internal traffic is allowed through the use of a hardware firewall policy.
- Administration: Administrative access to Windows Domain
- Authentication: Windows 2003 domain controller with Thawte Certificate
- Authentication: Installation of 2 Thawte Certificates
- Authentication: Distinguished Name (DN) of User Account designated for this service
- Authentication: Establish VPN tunnel between firewalls (client firewall and TSS firewalls)
- Configuration: Realm configuration on the SRAS appliance
- Permission: Distinguished Name for group container as shown within an LDAP browser
- Permission: Define type of access for each group. (See below for access features)
- RDP: List of IP addresses and full names for staff requiring RDP access to their workstation (requires client input)
- Acquire and install the Thawte Certificates on the 2 domain controllers hosted on TSS hardware on behalf of the client (Client budget number is required)
- Configuration and customization of department Realm (Client feedback is appreciated regarding look and feel of realm)
- Configuration and maintenance of all backend technology to provide option 1/2.
- Work with LTS consultants on verification of usability and quality assurance prior to rolling out the service in production.
- Notify LTS of planned or emergency changes to the client domain infrastructure preferrably prior to making the changes to the production environment
Guaranted Service Level Agreement:
Generally, the SRA is available 24 hours a day, 7 days a week. When a service outage occurs, TSS staff attempts to restore service as quickly as possible. During weekdays (Monday through Friday) from 8:00am through 6:00pm TSS staff is available to monitor, diagnose, and correct any system failures that might occur. After-hours support (University work days, 6:00pm to 11:30pm and Saturday 8:00am to 11:30pm) is performed remotely by on-call staff members. During all other hours TSS staff monitor and respond on a "best effort" basis only.
For more information on the Secure Remote Access Service please send email to magida@isc. Problems should be reported to LAN Technology Services, lan@isc.