VPN

MAX IV users can access some of the internal resources at MAX IV from an external location via a VPN connection. Users with an active account in DUO can establish a connection to the “white network” which gives access to various web based services and the offline HPC system. When on site at MAX IV there is no need to use the VPN. Directly connecting to maxiv_guest wifi gives a faster connection and access to the same resources (see WiFi section).

Some beamlines allow for remote operation of the experiment. The degree of access varies between the beamlines, and hence there are specific VPN options for each beamline. For information about what level of remote access the beamline can offer, see the individual beamline information under Beamlines & accelerators.

Multi factor authentication

To access MAX IV remotely you need to authenticate with your username and password, plus a One-Time Password. Before continuing with the download instructions, see the guidelines in the One Time Password section to setup your phone for generating an OTP.

VPN client software

MAX IV is using the Ivanti Connect Secure software product as a VPN server. It was formerly called Pulse Connect Secure but has recently been acquired by the company Ivanti.

The client software, Ivanti Secure Access Client, is the preferred client on all platforms. OpenConnect is a possible alternative. In particular on Linux, where it provides a much better integration into the Desktop. A relatively recent version of OpenConnect is needed. The Desktop client is not openly distributed and must be downloaded from MAX IV.

For mobile phones, the client is available from the normal app stores.

Download and install

The client software can be dowloaded with a web browser from the VPN server at MAX IV after authenticating. All platforms will require local admin privileges to install the client.

In a web browser, open https://vpn-white.maxiv.lu.se .

Select the “DUO User Realm” and use the username and password from your DUO registration.

VPN_login

A new page will ask you to enter the OTP code from your OTP App.

vpn_otp

On Windows computers, an automated script will try to initiate the installation. If the installation is successful, you will see a new icon for Ivanti Secure Access Client in your program tray and you can proceed to connect to MAX IV.

The automatic install does not always succeed. If not, download the installer package and install manually.

To interrupt the application launcher, click on “here” in the sentence at the bottom of the screen.

VPN_launcher

Opting out of the automatic install will take you to a browser like screen.

Click on “VPN Clients” in the Files menu and a list of available downloads will appear

VPN_browser

Download and install the appropriate file for your computer.

  • For Windows, pick the 64 bit .msi file.
    There is also an installer for Windows on the ARM64 architecture
  • For MacOS, select the .dmg installer.
  • And for Linux pick the package format that matches your distribution.
File list for downloads of VPN client software.

OpenConnect on Linux.

OpenConnect is an open source VPN client that has a much better desktop integration than Ivanti Connect Secure Client. Unfortunately, due to protocol changes in Ivanti Connect Secure Server, a very recent version of OpenConnect is needed. Preferably version 9.01 or newer. Some distributions may be backporting these changes into OpenConnect 8.x series. Depending on version and patch level of OpenConnect, you may have to try which protocol works. Two of the available protocols can work, “pulse” or “nc”.

Command line examples:
sudo openconnect --protocol pulse https://vpn-white.maxiv.lu.se
sudo openconnect --protocol nc https://vpn-white.maxiv.lu.se

Connecting to MAX IV

  • Start the client by clicking on the taskbar icon, looks like a white key in a grey background when un-connected.
  • The name of the connection can be anything, it’s just an identifier if you have several (e.g., “White MAX IV”).
  • The server URL is “vpn-white.maxiv.lu.se”. Hit connect.
    (Users connecting to the beamline for remote experiments use a different VPN server; please consult the beamline specific documentation).
  • Select “DUO User Realm” as the realm and hit connect
  • The username and the password are the same as the DUO account credentials
  • Finally enter the OTP code from your OTP App.
  • When the connection is established the taskbar icon turns red with a green upper right corner
  • Proceed to the documentation for using ThinLinc, a remote desktop application used on the HPC cluster..