VPN

MAX IV users can access some of the internal computer resources at MAX IV from an external location via a VPN connection. Currently, active users with a DUO account can establish a connection to the “white network”, which gives access to various web-based services and the offline HPC system. Users should not need the VPN while on site and should use the maxiv_guest WiFi instead (see WiFi section).

Some beamlines allow for remote operation of the experiment. The degree of access varies between the beamlines, and hence there are specific VPN options for each beamline. For information about what level of remote access the beamline can offer, see the individual beamline information under Beamlines & accelerators.

One Time Password (OTP)

All remote access to MAX IV resources requires two-factor authentication via a temporary one-time password. The one-time password can be distributed via SMS or generated by an app. Before connecting to MAX IV, there must be a valid cell phone number in the user’s DUO profile. This is required in order to receive the one-time password via SMS. After the initial login, you are strongly encouraged to install and activate a mobile application that generates the OTP codes.

Activating a TOTP application

Using a mobile application to generate the Time-based One-Time Password (TOTP) has many advantages over receiving an SMS message, from both a security and a practical point of view. The activation can only be done once connected to the MAX IV VPN. The documentation is also only available on the internal network at this URL: https://wiki.maxiv.lu.se/index.php/VPN_-_Mobile_App_Token_as_OTP

VPN client software

MAX IV uses the Pulse Secure product as its VPN server. The product has recently been acquired by the company Ivanti. At the moment, Ivanti is re-branding the product, removing the word “Pulse” and inserting “Ivanti”. This leads to some confusion regarding the client names and the version numbering. Hopefully this will eventually sort itself out.

The client software, formerly Pulse Secure Client, is now called Ivanti Secure Access Client. This is the preferred client on all platforms, except perhaps on Linux, where OpenConnect provides much better desktop integration but occasionally breaks because Ivanti makes subtle changes to the API and OpenConnect has to catch up and adapt its code. For mobile phones, the client is available from the normal app stores. The desktop client is not openly distributed and must be downloaded from MAX IV.

Download and install

The client software can be downloaded with a web browser from the VPN server at MAX IV after authenticating. All platforms will require local admin privileges to install the client.

In a web browser, open https://vpn-white.maxiv.lu.se.

Select the “DUO User Realm” and use the username and password from your DUO registration.

A new page will ask you to enter the OTP code sent as an SMS message to your phone.

Note that the OTP will expire after a minute or two. If you cannot type it in immediately, you will have to restart the login process to receive a new code.

On Windows computers, an automated script will try to initiate the installation. If the installation is successful, you will see a new icon for Ivanti Secure Access Client in your program tray and you can proceed to connect to MAX IV.

The automatic install does not always succeed. If not, download the installer package and install manually.

To interrupt the application launcher, click on “here” in the sentence at the bottom of the screen.

Opting out of the automatic install will take you to a browser-like screen.

Click on “VPN Clients” in the Files menu and a list of available downloads will appear.

Download and install the appropriate file for your computer.

  • For Windows, pick the 64 bit .msi file.
  • For MacOS, select the .dmg installer.
  • And for Linux pick the package format of your choice.

OpenConnect on Linux

This open source VPN client has much better desktop integration than the one from Pulse Secure. Unfortunately, due to recent changes in the Pulse Secure server, a very recent version of OpenConnect is needed, preferably 9.01 or newer. Some distributions may be backporting these changes into the 8.0x series. Depending on the version and patch level of openconnect, you need to try the two different protocols “pulse” and “nc” and choose the one that works for you.

Command line examples:
sudo openconnect --protocol pulse https://vpn-white.maxiv.lu.se
sudo openconnect --protocol nc https://vpn-white.maxiv.lu.se
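
The following added example, which is not part of the MAX IV documentation or tooling, checks the installed OpenConnect version against the 9.01 recommendation above before you try the two protocols. The function names are hypothetical, and the banner format "OpenConnect version vX.YY" on the first line of `openconnect --version` is an assumption of the example.

```shell
#!/bin/sh
# Added example: compare the local OpenConnect version with the minimum
# this page recommends. Function names are hypothetical.
MIN_VERSION="9.01"                        # preferred minimum from this page
SERVER="https://vpn-white.maxiv.lu.se"    # server URL from this page

# Extract "9.01" from a banner such as "OpenConnect version v9.01-3"
# (banner format is an assumption of this example).
parse_oc_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenConnect version v\([0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Succeed when major.minor version $1 is at least $2. awk compares the
# parts as numbers, so a minor of "09" is 9 and not an invalid octal value.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        if (x[1]+0 != y[1]+0) exit !(x[1]+0 > y[1]+0)
        exit !(x[2]+0 >= y[2]+0)
    }'
}

# Classify a banner: "ok" (at or above MIN_VERSION), "old" (below it; may
# still work if the distribution backported the changes) or "unknown".
assess_banner() {
    v=$(parse_oc_version "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_at_least "$v" "$MIN_VERSION"; then echo ok
    else echo old
    fi
}

if command -v openconnect >/dev/null 2>&1; then
    banner=$(openconnect --version 2>/dev/null | head -n 1)
    echo "Installed OpenConnect: $(assess_banner "$banner") (wanted >= $MIN_VERSION)"
    echo "Try in turn and keep the protocol that connects:"
    echo "  sudo openconnect --protocol pulse $SERVER"
    echo "  sudo openconnect --protocol nc $SERVER"
else
    echo "openconnect not found in PATH"
fi
```

A result of "old" does not mean the connection will fail, since a distribution package in the 8.0x series may carry the backported changes.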

Connect to MAX IV

  • Start the client by clicking on the taskbar icon, which looks like a white key on a grey background when not connected.
  • The name of the connection can be anything; it’s just an identifier if you have several (e.g., “White MAX IV”).
  • The server URL is “vpn-white.maxiv.lu.se”. Hit connect.
    (Users connecting to the beamline network for remote experiments must use a different server; please consult the beamline specific documentation).
  • Select “DUO User Realm” as the realm and hit connect.
  • The username and the password are the same as the DUO account credentials.
  • Finally, enter the OTP code you receive as an SMS on your phone after successful authentication.
  • When the connection is established, the taskbar icon turns red with a green upper right corner.
  • Proceed to the documentation for using ThinLinc, a remote desktop application used on the HPC cluster.