VPN

MAX IV users can access some of the internal computer resources at MAX IV from an external location via a VPN connection. Currently, active users with a DUO account can establish a connection to the “white network”, which gives access to the offline HPC system and various web-based services.

Some beamlines allow for remote operation of the experiment. The degree of access varies between the beamlines, and hence there are specific VPN options for each beamline. For information about what level of remote access the beamline can offer, see the individual beamline information under Beamlines & accelerators.

One Time Password (OTP)

All remote access to MAX IV resources requires two-factor authentication via a temporary one-time password (OTP). The OTP can be distributed via SMS or generated by an app. Before connecting to MAX IV, there must be a valid cell phone number in the user’s DUO profile; this is required in order to receive an OTP via SMS. For practical and security reasons, it is very much preferred that a mobile application that generates the OTPs is activated for subsequent logins.

VPN client software

MAX IV is using the Pulse Secure product as a VPN server. It has recently been acquired by the company Ivanti. At the moment, Ivanti is re-branding the product, removing the word “Pulse” and inserting “Ivanti”. This leads to some confusion regarding the client names and the version numbering. Hopefully this will eventually sort itself out.

The client software, Pulse Secure Client, is now called Ivanti Secure Access Client. This is the preferred client on all platforms, except perhaps on Linux, where OpenConnect provides much better integration into the desktop but sometimes breaks when Ivanti makes subtle changes to the API and OpenConnect has to play catch-up. For mobile phones, the client is available from the app stores. The desktop client is not distributed and must be downloaded from MAX IV.

Download and install

The client software can be downloaded with a web browser from the VPN server after authentication. All platforms will require local admin privileges to install the client.

  1. In a web browser, open https://vpn-white.maxiv.lu.se . Select the “DUO User Realm” and use the username and password from your DUO registration. A new page will ask you to enter the OTP code sent to your phone. Note that the OTP will expire after a minute or two; if you cannot type it in immediately, you will have to restart the login process to receive a new code.
  2. Download the VPN client application and install it on your computer.
    • On Windows computers, an automated script will try to initiate the installation. If the installation is successful, you will see the Pulse Secure icon in your program tray. However, it does not always succeed. If it fails, download the Windows installer package and install it manually.
      • To interrupt the automated install, click on “here” in the sentence
        If you don’t want to proceed please click here to go back.
      • Click on “VPN Clients” in the Files menu and a list of available downloads will appear
    • For Linux and Mac, select the appropriate installer from the displayed list, download and install it.
  3. OpenConnect on Linux.
    • This client has much better desktop integration than the one from Pulse Secure. Unfortunately, due to recent changes in Pulse Secure Server, a very recent version of OpenConnect is needed, preferably 9.01 or newer. Some distributions may be backporting these changes into the 8.0x series. Use “pulse” as the protocol for openconnect.
    • Command line example:
      sudo openconnect --protocol pulse https://vpn-white.maxiv.lu.se
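
The version requirement above can be checked before connecting. The wrapper below is an added example, not part of the MAX IV documentation: the function names and the `connect` argument are assumptions, and the sample version strings in its comments are constructed. It parses the first line of `openconnect --version`, compares it with 9.01, and only warns on older versions because of the possible 8.0x backports.

```shell
#!/bin/sh
# Added example: pre-flight version check for OpenConnect with the Pulse protocol.
MIN_VERSION="9.01"                       # version the page recommends
VPN_URL="https://vpn-white.maxiv.lu.se"  # server URL from the page

# Extract "9.01" from the first line of `openconnect --version` output,
# e.g. the constructed sample "OpenConnect version v9.01-3".
parse_oc_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^OpenConnect version v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# version_ge HAVE NEED: succeeds when HAVE >= NEED (major.minor, numeric).
version_ge() {
    have_major=${1%%.*}; have_minor=${1#*.}; have_minor=${have_minor%%.*}
    need_major=${2%%.*}; need_minor=${2#*.}; need_minor=${need_minor%%.*}
    [ "$have_major" -gt "$need_major" ] && return 0
    [ "$have_major" -lt "$need_major" ] && return 1
    [ "$have_minor" -ge "$need_minor" ]
}

# Classify the text printed by `openconnect --version`: ok, old or unknown.
check_openconnect() {
    ver=$(parse_oc_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$MIN_VERSION"; then
        echo "ok"
    else
        echo "old"
    fi
}

# Run as: sh this-script.sh connect
if [ "${1:-}" = "connect" ]; then
    status=$(check_openconnect "$(openconnect --version 2>/dev/null)")
    case "$status" in
        ok)  ;;
        old) echo "OpenConnect is older than $MIN_VERSION; the connection" \
                  "works only if your distribution backported the Pulse changes." >&2 ;;
        *)   echo "openconnect not found or version not recognised" >&2
             exit 1 ;;
    esac
    exec sudo openconnect --protocol pulse "$VPN_URL"
fi
```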

Connect to MAX IV

  • Start the client by clicking on the taskbar icon, which looks like a white key on a grey background when not connected.
  • The name of the connection can be anything; it’s just an identifier if you have several (e.g., “White MAX IV”).
  • The server URL is “vpn-white.maxiv.lu.se”. Hit connect.
    (Users connecting to the beamline network for remote experiments must use a different server; please consult the beamline specific documentation).
  • Select “DUO User Realm” as the realm and hit connect
  • The username and the password are the same as the DUO account credentials
  • Finally, enter the OTP code you receive as an SMS on your phone after successful authentication.
  • When the connection is established, the taskbar icon turns red with a green upper right corner.
  • Proceed to the documentation for using ThinLinc, a remote desktop application used on the HPC cluster.