The IT Center offers secure, encrypted access to the RWTH network from outside. Depending on the user group, there are different usage scenarios.
Once the end user's computer has established a VPN connection (Virtual Private Network), an encrypted, so-called "tunnel" exists between the computer and the VPN gateway. All traffic towards the RWTH network (and, depending on the operation mode, also beyond it) is routed through that tunnel. Only after leaving the VPN gateway does the data continue its normal, unencrypted way. Logically, the user's computer has been moved into the VPN gateway's network: to third parties it appears only with an IP address of RWTH Aachen University.
The IT Center operates a central, high-performance VPN gateway which, for reasons of availability, is designed redundantly. All users with a username (format: ab123456) who have this feature activated in their identity management are authorized to use the VPN service. This means that all students and employees of RWTH Aachen University are authorized users. Using the VPN service requires downloading and installing the Cisco VPN client as well as the corresponding access profiles, which are available on the website of the IT Center.
By using the client with the corresponding profile, a strongly encrypted tunnel connection to the RWTH network is established. For the duration of the connection, an RWTH-internal IP address is assigned to the user. Thus, access to internal RWTH resources from external locations (e.g. during business trips) is possible. Examples include the use of RWTH University Library resources or the hardware and software portals. Activating the RWTH VPN IP range at institute network level is also quite common. This way, institute employees who are on business trips or working from home can access institute-internal websites.
Institutes often need to restrict internal resources and allow access only to a certain group of users. For this purpose, the IT Center provides VPN as an individual service.
This is implemented through a dedicated Cisco VPN router which can be procured via the IT Center by institutes at their own expense. Depending on the expected number of users and usage profiles, devices of different performance and price levels are available. Usually, the selection of the appropriate device is done after a consultation with the IT Center.
The VPN router is configured individually, based on customer specifications and the outcome of consultation done by the IT Center.
Examples of customer-based specifications include the size of the address range, the installation of access profiles, or additional data packet settings for further access restriction in the institute network.
The device usually runs in the institute's premises and the installation can be carried out by either the IT Center or the customer. By default, the VPN routers are centrally monitored by the IT Center.
The administration of the VPN service users is carried out by the institute through the Selfservice. The institute designates an authorized contact person whom the IT Center registers as the admin.
The admin receives a link to a portal operated by the IT Center, where they can manage the VPN users. A quick guide on how to manage the users is also provided.
Connecting an entire external network to an institute LAN via a VPN tunnel is a special case. This can also be configured with the Cisco VPN router and has been implemented multiple times. However, two VPN routers are required: one on the premises of RWTH Aachen and the other at the site of the external network.
Virtual Private Network
Rights and Duties
A computer connected to an RWTH VPN gateway can access RWTH-internal content in the RWTH Aachen network. Therefore, the computer is subject to all restrictions and the terms and conditions that apply to the RWTH Aachen University network.
In order to establish a VPN connection, VPN client software is required. The client sets up the encrypted tunnel, which lets the computer act as if it were within the local networks of RWTH Aachen University. Currently, two different VPN connection technologies are available, each with its own client software.
|Connection technology||Client software||Description|
|SSLVPN||Cisco AnyConnect Client||latest and manufacturer-supported client software; available for Windows, Mac OS X, Linux, Android and Apple iOS|
|SSLVPN||OpenConnect Client||alternative client software, among others for Linux; not supported by the IT Center of RWTH Aachen University|
|IPsec-VPN (IKEv1, ISAKMP)||Cisco VPN Client||older client software, not supported by the manufacturer; for older versions of Windows and Mac OS X|