Difference between revisions of "Resolving UWindsor Internet Connectivity Issues"

From SHARCNETHelp
Jump to navigationJump to search
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
=University of Windsor 2022 Connectivity Issues=
=University of Windsor 2022 Connectivity Issues=
==Notice==
==Notice==
Since various persons (as of this writing August 15, 2022) are on vacation or will be on vacation, the (initial) text on this page has been written by Paul Preney (i.e., the SHARCNET staff person located at the University of Windsor) with limited input from other SHARCNET staff. Hopefully any issues below are sufficiently/completely resolved before the fall semester starts. That said, a limited work-around to obtain some terminal and file transfer abilities is discussed below (i.e., using JupyterLab).
The content of this page is current as of Nov. 4, 2022. Should you have issues please create a SHARCNET ticket [mailto:help@sharcnet.ca help@sharcnet.ca] or [mailto:preney@sharcnet.ca email Paul Preney] (SHARCNET staff at UWindsor) to seek more assistance.


==Overview==
==Overview==
Earlier this summer the University of Windsor experienced a serious cyber-security incident, e.g., [https://www.uwindsorsupport.ca/node/3|notice/update page for the incident]. Since the University of Windsor has significantly restricted network service access that likely affects all researchers using external resources to do their research, e.g., using SHARCNET / Compute Ontario / Alliance, etc. resources.


One is using the University of Windsor's network when:
In June 2022, the University of Windsor experienced a serious cyber-security incident, e.g., [https://www.uwindsorsupport.ca/node/3 notice/update page for the incident]. Since the University of Windsor has significantly restricted network service access that affects everyone using the University of Windsor's network.
 
To be clear, one is using the University of Windsor's network when:
* one is physically connected to such on-campus,
* one is physically connected to such on-campus,
* one is using the campus wireless network, or
* one is using any of the campus wireless networks, or
* one is using GlobalProtect VPN (when it is activated/connected).
* one is using GlobalProtect VPN (when it is activated/connected).
otherwise one is not on the University of Windsor's network. If one is not on the University of Windsor's network (and also has GlobalProtect VPN inactive on that computer), then one should be able to connect normally without issues (assuming your network is not otherwise blocking you from connecting to various network services) and the content of this page is not a concern. On the other hand, if one needs to use the University of Windsor's network (even from home or elsewhere with GlobalProtect VPN activated) then the content of this page matters as it may well (at this time, August 2022) be the only way access to external resources to do one's research work.
otherwise one is not on the University of Windsor's network.  


Throughout the summer, the University of Windsor's ITS has been activity working to bring back various network services and has the following pages detailing their progress:
If one is '''not''' on the University of Windsor's network (assuming GlobalProtect VPN, if it is installed, is inactive on your computer), then one should be able to connect normally to external-to-the-UWindsor network resources without issues assuming your network, ISP, etc. is not otherwise blocking you from connecting to various network services.
* [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/KB/ArticleDet?ID=145164|campus restoration of (network) services], and,
 
* [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/KB/ArticleDet?ID=144970|security requirements] for connecting to the University of Windsor's network.
If one needs to use the University of Windsor's network, e.g., from home or elsewhere using GlobalProtect VPN installed and activated, then the content of this should help you connect to Digital Research Alliance of Canada (formerly Compute Canada) / SHARCNET resources.
 
Finally, should you need to submit a ticket to UWindsor's ITS, you can do so via [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/Requests/ServiceCatalog the appropriate link on this page].
 
===Unofficial Open Source Linux Global Protect Client===
 
The official (proprietary) Linux GlobalProtect VPN client program does not work properly under all Linux distributions, e.g., under Ubuntu it reports an "SSL handshake error" just when it should start working. Additionally, the official client also doesn't remember one's credentials for 30 days, etc. and prompts one to enter their login, password, and do MFA every single time.
 
There is a better, unofficial open source '''Global Protect OpenConnect''' client program that establishes the VPN, behaves better, and is configurable, e.g., one can have to NOT set the default route to rout everything through the UWindsor VPN. The latter may be an issue, e.g., if nothing is done then when you are not at the U traffic not destined to UWindsor can be routed through the UWindsor VPN. (Instructions concerning this appear later on this page.)
 
==Connectivity From Outside the UWindsor Network==
 
You should have no issues when outside the UWindsor network accessing Digital Research Alliance of Canada / SHARCNET resources. If you do have issues:
 
* ensure that if Global Protect VPN is installed, it is turned off / not active, and,
* your own and/or your ISP's firewall is not blocking access.


==Connectivity From the UWindsor Network==
==Connectivity From the UWindsor Network==


As of this writing, August 15, 2022, it appears that from the University of Windsor's network:
If you are inside the UWindsor Network using a wired or a wireless connection, without SentinelOne or Global Protect VPN installed, know you will only be able to connect to HTTP and HTTPS pages using your web browser. Nothing else will work without further configuration. If all you need to access are web pages using HTTP and/or HTTPS links, then nothing further needs to be done.
* using a device that is '''not owned''' by the University of Windsor one can only access HTTP (port 80) and HTTPS (port 443) ports to external sites, and,
** Apparently this can only be done '''only if''' one is '''also''' running GlobalProtect VPN. Contact [https://www.uwindsor.ca/itservices/|Information Technology Services (ITS)] for further assistance concerning obtaining and installing this software. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)
* using a device that is owned by the University of Windsor '''only if''' a program called ''SentinelOne'' is installed on that computer (and any other possible requirements as required by [https://www.uwindsor.ca/itservices/|Information Technology Services (ITS)].
** i.e., see [https://www.uwindsorsupport.ca/node/2#install|this link] and contact ITS for any and all aspects concerning such. (SHARCNET, Compute Ontario, the Alliance, etc. are '''not''' the appropriate entities to assist with such.)


Since many research teams (i.e., faculty, students, staff, etc.) often use personal devices and may not even have University of Windsor-owned devices to use, this essentially means all of those persons will not be able to access any resources that are not exclusive to HTTP or HTTPS outside the University of Windsor. These resources include:
Should you need to use anything other than HTTP and/or HTTPS web pages, then you must either:
* any and all SHARCNET, Compute Ontario, and Alliance resources which are not exclusive to HTTP and/or HTTPS, and
* if the machine you are using is '''owned by the University of Windsor''', then the SentinelOne software can be installed on it for full Internet access (local or external to the University network), or,
** e.g., including but not limited to systems and resources mentioned in the [https://docs.alliancecan.ca/wiki/Technical_documentation|Alliance wiki].
* if the machine you are using is '''not owned by the University of Windsor''', then the Global Protect VPN software must be installed.
* any and all CERN, XSEDE (Access), EuroHPC, etc. systems and resources which are not exclusive to HTTP and/or HTTPS.
** NOTE: Obviously, SHARCNET, Compute Ontario, and the Alliance do not support such systems but many researchers using our systems do also use systems in these and other locales and/or collaboratively conduct research and/or data exchange with these and others around the world so it is entirely appropriate to mention this here.


It also appears that important services such as Globus, which is used to transfer files, also do not currently work from the University of Windsor network.
If you are unsure if the SentinelOne software is installed on your computer, see [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/KB/ArticleDet?ID=144482 this link]. Your department's computer staff will be able to help you with installing SentinelOne.
** e.g., per some testing on August 15, 2022 it appears that using the [https://globus.computecanada.ca|Globus web interface] and using the Globus Connect Personal client application cannot be used to transfer files to/from the University of Windsor network.


Locally at the University of Windsor, if a research team is using lab/research team network services to know that such cannot be accessed unless whitelisted by ITS and/or ''SentinelOne'' is run on those servers. (Please don't submit a ticket to SHARCNET, Compute Ontario, the Alliance, etc. as we cannot do anything about this: this is purely a University of Windsor matter so contact ITS to address such issues.)
To obtain and install Global Protect VPN on your computer:
* If using Windows or MacOS:
*# Go to https://securelogin.uwindsor.ca to download the appropriate Global Protect VPN client.
*# Install the downloaded client.
*# Run the Global Protect VPN client program.
*# In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter '''securelogin.uwindsor.ca''' and click the '''Connect''' icon.
*# A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).
* If using Linux (unofficial open source client):
** NOTE: Generally using this is better than using the official GP VPN client which doesn't work under all Linuxes (including common ones such as Ubuntu).
*# Follow the installation instructions at [https://github.com/yuezk/GlobalProtect-openconnect].
*# After installation, the connection gateway to use is <code>securelogin.uwindsor.ca</code>. Test that this works.
*# Optional: To have only UWindsor traffic flow through the VPN, install [https://github.com/dlenski/vpn-slice vpn-slice] following the instructions on that page (after checking whether or not your distribution's package manager has a package for this).
*#* Edit <code>/etc/gpservice/gp.conf</code> so that <code>openconnect-args</code> is set to be: <code>openconnect-args=--script "vpn-slice 137.207.0.0/16 10.0.0.0/8 %192.168.0.0/16 %172.17.0.0/16"</code>.
*#* %192.168.0.0/16 ensures the 192.168/16 network address range is not part of the VPN. Most person's home LAN addresses are in the 192.168. range. Modify or delete accordingly per your situation.
*#* %172.17.0.0/16 is a typical docker0 network address. Modify (if you use Docker) or delete.
*#* NOTE: Running <code>vpn-slice --help</code> will output help concerning command line options.
*#* Reconnect to the UWindsor VPN for these settings to take effect.
* If using Linux (official client):
** NOTE: Currently Global Protect VPN does not appear to work properly with at least Ubuntu --use the unofficial Global Protect OpenConnect software as that does work (see above) instead.
*# On the https://www.uwindsor.ca page search for '''Global Protect VPN Linux''' and look in the results for sometihng like "Installing GlobalProtect VPN client on Linux" and click on that link.
*#* As of this writing it is [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/KB/ArticleDet?ID=120611 this link].
*# If you are not already logged in to the UWindsor page, you will need to log in by clicking the '''Sign in''' link at the top-right hand side of the page.
*#* ASIDE: Logging in is necessary to see the content which links to the download link.
*# Under '''Related Articles''' there will be a link to download Global Protect VPN for Linux. Click the link.
*# On the page that comes up download the appropriate file(s) for your Linux. To help determine which file(s) are needed, note the following:
*#* If your computer runs on an Intel or Ryzen/Threadripper/EPYC CPU you will need to download the '''amd64''' file(s).
*#* If your computer runs on an ARM CPU you will need to download the '''arm''' file(s).
*#* If your computer is running Debian or Ubuntu Linux you will need to download the '''.deb''' file(s).
*#* If your computer is running RedHat, Fedora, SUSE, etc. Linux you will need to download the '''.rpm''' file(s).
*#* Realistically, you'll only need the '''UI''' file(s) which installs a graphical tool to use. (The non-UI file installs a command-line only tool that isn't easy to use.)
*#* If your Linux doesn't support .deb or .rpm files then you will need to download the .tar file and manually install the program. (Follow the instructions given in the tarball.)
*# If you are not using the KDE desktop environment, before installing Global Protect VPN install KDE, e.g.,
*#* Under Debian/Ubuntu run <code>sudo apt install kde-standard</code>.
*#* Otherwise consult your distribution's documentation on how to install KDE.
*#* ASIDE: Global Protect VPN requires libraries such as QtNetwork, etc.
*# Install Global Protect VPN.
*# In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter '''securelogin.uwindsor.ca''' and click the '''Connect''' icon.
*# A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).


==Connecting to SHARCNET/Compute Ontario/Alliance Resources If Only HTTP/HTTPS Are Available==
After Global Protect VPN is installed and active, you should be able to do the following:
* connect to any Digital Research Alliance of Canada (formerly Compute Canada) compute cluster login node using SSH


If only HTTP and/or HTTPS are only available then the ability to make full use of various tools to access SHARCNET, Compute Ontario, and/or Alliance systems and resources is limited. Realize that the following (non-exhaustive) items will '''not''' work:
That said, one still cannot do the following:
* using any Secure Shell clients (e.g., <code>ssh</code>, <code>scp</code>, <code>sftp</code>, <code>WinSCP</code>, editors that use SSH to transfer files, IDEs using SSH (such as VisualStudio Code) that use SSH, etc.) will not work,
* Globus Connect Personal to transfer files
* using <code>rsync</code> will not work,
* SSH to any of your Digital Research Alliance of Canada '''cloud''' nodes
* using VNC (even with the equivalent of HTTPS security will not work, e.g., connecting to <code>gra-vdi.computecanada.ca</code> will not work),
** NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
* etc.
* Connect using VNC to [https://docs.alliancecan.ca/wiki/VNC Digital Research Alliance of Canada VDI nodes]
** NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
* Connect using SSH, rsync, and other protocols/tools to any other HPC clusters, e.g., CERN, EuroHPC, XSEDE (Access), etc.
** NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.


Many Alliance systems (not just SHARCNET systems) do run instances of [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_for_universities_and_schools JupyterHub] which will allow you to connect to the various Alliance clusters to use [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterLab JupyterLab] which will enable you to:
==Work-Around: Connecting to SHARCNET/Compute Ontario/Alliance Resources If Only HTTP/HTTPS Are Available==
 
If only HTTP and/or HTTPS are only available then the ability to make full use of various tools to access SHARCNET, Compute Ontario, and/or Alliance systems and resources is limited. Fortunately, a number of clusters are running instances of [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_for_universities_and_schools JupyterHub] which will allow you to connect to the various Alliance clusters to use [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterLab JupyterLab] which will enable you to:
* use a terminal window on that cluster,
* use a terminal window on that cluster,
* use a graphical environment on that cluster (if such is needed),
* use a graphical environment on that cluster (if such is needed),
** ASIDE: Since SSH cannot be used, no SSH tunnelling can be done. Since VNC cannot be used <code>gra-vdi</code> isn't available to be used for visualizations. Consequently, this is the only remaining visualization option for University of Windsor-network-using researchers to use a graphical environment to visualize and explore their research especially when very large data sets are involved.
With JupyterHub, one will not be able to do the following (non-exhaustive) items:
* use the equivalent of pipes with <code>ssh</code> (since SSH is not available)
** This includes using such in scripts, software that internally uses SSH, etc.
* local machine/servers that regularly run SSH and/or scp and/or rsync commands, etc. will not work
** NOTE: Such will now have to manually be done by a human being.
* Globus and the Data Transfer Nodes (DTNs) cannot be used so any files that cannot be transferred in the amount of time available to a JupyterHub session, cannot be transferred.
** If this is an issue, please submit a ticket to [mailto:support@computecanada.ca support@computecanada.ca] mentioning this problem and how much data needs to be transferred so we can figure out how that data can be moved to/from our systems.


===Using JupyterHub===
===Using JupyterHub===


# Go to the [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_on_clusters|JupyterHub web page] of the desired cluster.
# Go to the [https://docs.alliancecan.ca/wiki/JupyterHub#JupyterHub_on_clusters JupyterHub web page] of the desired cluster.
# Log in with your Alliance username and password.
# Log in with your Alliance username and password.
# Select the desired account (if you've more than one available).
# Select the desired account (if you've more than one available).
Line 79: Line 122:
Know there is no need to use an <code>salloc</code> session since one is inside a Slurm job within JuptyerLab. Consequently since this is within a Slurm job, <code>$SLURM_TMPDIR</code> is also set and can/should be used when relevant.
Know there is no need to use an <code>salloc</code> session since one is inside a Slurm job within JuptyerLab. Consequently since this is within a Slurm job, <code>$SLURM_TMPDIR</code> is also set and can/should be used when relevant.


==Odds and Ends==
==Work-Around: Connecting to a Cloud Node With SSH==
 
If you are unable to SSH to your cloud node but you are able to SSH to a compute cluster login node, then you can use SSH's "JumpHost" feature to connect to your cloud node's SSH server. To do this run the following command:
* <code>ssh -J YOUR_DRAC_USERNAME@DRAC_COMPUTE_CLUSTER.computecanada.ca YOUR_CLOUD_USERNAME@YOUR_CLOUD_IP_ADDRESS</code>
where:
* <code>YOUR_DRAC_USERNAME</code> is your Digital Research Alliance of Canada username
* <code>DRAC_COMPUTE_CLUSTER</code> is a desired Digital Research Alliance of Canada's compute cluster name
* <code>YOUR_CLOUD_USERNAME</code> is the username you log in with SSH on your cloud node
* <code>YOUR_CLOUD_IP_ADDRESS</code> is your cloud node's IP address or DNS name
 
What the "JumpHost" feature does is connect to the "JumpHost" machine first and then connects to the desired target machine. This does mean you will need to enter in your password twice: the first time is on the compute cluster login node and the second time will be the password for your cloud instance.
 
NOTE: You can also use JupyterHub (see earlier on this page), open a Terminal window, and then ssh to your cloud node as well.
 
==Other Items==


===Running a Licence Server @uwindsor.ca===
===Running a Licence Server @uwindsor.ca===
Line 92: Line 149:
# Arrange to test such with after such as been set up.
# Arrange to test such with after such as been set up.


This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our [https://docs.alliancecan.ca|Documentation Wiki] --a number of programs have specific pages detailing what needs to be done in order to get things to work.
This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our [https://docs.alliancecan.ca Documentation Wiki] --a number of programs have specific pages detailing what needs to be done in order to get things to work.
 
===Opening a Ticket With UWindsor's ITS===
 
To open a ticket with UWindsor's ITS, see [https://uwindsor.teamdynamix.com/TDClient/1975/Portal/KB/ArticleDet?ID=11372 this link], or:
* Go to https://www.uwindsor.ca .
* Search for "ITS Open Ticket".
* Click on the [https://www.uwindsor.ca/itservices/support/ticket Open a Ticket] link.

Latest revision as of 15:00, 5 November 2022

University of Windsor 2022 Connectivity Issues

Notice

The content of this page is current as of Nov. 4, 2022. Should you have issues please create a SHARCNET ticket help@sharcnet.ca or email Paul Preney (SHARCNET staff at UWindsor) to seek more assistance.

Overview

In June 2022, the University of Windsor experienced a serious cyber-security incident, e.g., notice/update page for the incident. Since the University of Windsor has significantly restricted network service access that affects everyone using the University of Windsor's network.

To be clear, one is using the University of Windsor's network when:

  • one is physically connected to such on-campus,
  • one is using any of the campus wireless networks, or
  • one is using GlobalProtect VPN (when it is activated/connected).

otherwise one is not on the University of Windsor's network.

If one is not on the University of Windsor's network (assuming GlobalProtect VPN, if it is installed, is inactive on your computer), then one should be able to connect normally to external-to-the-UWindsor network resources without issues assuming your network, ISP, etc. is not otherwise blocking you from connecting to various network services.

If one needs to use the University of Windsor's network, e.g., from home or elsewhere using GlobalProtect VPN installed and activated, then the content of this should help you connect to Digital Research Alliance of Canada (formerly Compute Canada) / SHARCNET resources.

Finally, should you need to submit a ticket to UWindsor's ITS, you can do so via the appropriate link on this page.

Unofficial Open Source Linux Global Protect Client

The official (proprietary) Linux GlobalProtect VPN client program does not work properly under all Linux distributions, e.g., under Ubuntu it reports an "SSL handshake error" just when it should start working. Additionally, the official client also doesn't remember one's credentials for 30 days, etc. and prompts one to enter their login, password, and do MFA every single time.

There is a better, unofficial open source Global Protect OpenConnect client program that establishes the VPN, behaves better, and is configurable, e.g., one can have to NOT set the default route to rout everything through the UWindsor VPN. The latter may be an issue, e.g., if nothing is done then when you are not at the U traffic not destined to UWindsor can be routed through the UWindsor VPN. (Instructions concerning this appear later on this page.)

Connectivity From Outside the UWindsor Network

You should have no issues when outside the UWindsor network accessing Digital Research Alliance of Canada / SHARCNET resources. If you do have issues:

  • ensure that if Global Protect VPN is installed, it is turned off / not active, and,
  • your own and/or your ISP's firewall is not blocking access.

Connectivity From the UWindsor Network

If you are inside the UWindsor Network using a wired or a wireless connection, without SentinelOne or Global Protect VPN installed, know you will only be able to connect to HTTP and HTTPS pages using your web browser. Nothing else will work without further configuration. If all you need to access are web pages using HTTP and/or HTTPS links, then nothing further needs to be done.

Should you need to use anything other than HTTP and/or HTTPS web pages, then you must either:

  • if the machine you are using is owned by the University of Windsor, then the SentinelOne software can be installed on it for full Internet access (local or external to the University network), or,
  • if the machine you are using is not owned by the University of Windsor, then the Global Protect VPN software must be installed.

If you are unsure if the SentinelOne software is installed on your computer, see this link. Your department's computer staff will be able to help you with installing SentinelOne.

To obtain and install Global Protect VPN on your computer:

  • If using Windows or MacOS:
    1. Go to https://securelogin.uwindsor.ca to download the appropriate Global Protect VPN client.
    2. Install the downloaded client.
    3. Run the Global Protect VPN client program.
    4. In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter securelogin.uwindsor.ca and click the Connect icon.
    5. A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).
  • If using Linux (unofficial open source client):
    • NOTE: Generally using this is better than using the official GP VPN client which doesn't work under all Linuxes (including common ones such as Ubuntu).
    1. Follow the installation instructions at [1].
    2. After installation, the connection gateway to use is securelogin.uwindsor.ca. Test that this works.
    3. Optional: To have only UWindsor traffic flow through the VPN, install vpn-slice following the instructions on that page (after checking whether or not your distribution's package manager has a package for this).
      • Edit /etc/gpservice/gp.conf so that openconnect-args is set to be: openconnect-args=--script "vpn-slice 137.207.0.0/16 10.0.0.0/8 %192.168.0.0/16 %172.17.0.0/16".
      • %192.168.0.0/16 ensures the 192.168/16 network address range is not part of the VPN. Most person's home LAN addresses are in the 192.168. range. Modify or delete accordingly per your situation.
      • %172.17.0.0/16 is a typical docker0 network address. Modify (if you use Docker) or delete.
      • NOTE: Running vpn-slice --help will output help concerning command line options.
      • Reconnect to the UWindsor VPN for these settings to take effect.
  • If using Linux (official client):
    • NOTE: Currently Global Protect VPN does not appear to work properly with at least Ubuntu --use the unofficial Global Protect OpenConnect software as that does work (see above) instead.
    1. On the https://www.uwindsor.ca page search for Global Protect VPN Linux and look in the results for sometihng like "Installing GlobalProtect VPN client on Linux" and click on that link.
    2. If you are not already logged in to the UWindsor page, you will need to log in by clicking the Sign in link at the top-right hand side of the page.
      • ASIDE: Logging in is necessary to see the content which links to the download link.
    3. Under Related Articles there will be a link to download Global Protect VPN for Linux. Click the link.
    4. On the page that comes up download the appropriate file(s) for your Linux. To help determine which file(s) are needed, note the following:
      • If your computer runs on an Intel or Ryzen/Threadripper/EPYC CPU you will need to download the amd64 file(s).
      • If your computer runs on an ARM CPU you will need to download the arm file(s).
      • If your computer is running Debian or Ubuntu Linux you will need to download the .deb file(s).
      • If your computer is running RedHat, Fedora, SUSE, etc. Linux you will need to download the .rpm file(s).
      • Realistically, you'll only need the UI file(s) which installs a graphical tool to use. (The non-UI file installs a command-line only tool that isn't easy to use.)
      • If your Linux doesn't support .deb or .rpm files then you will need to download the .tar file and manually install the program. (Follow the instructions given in the tarball.)
    5. If you are not using the KDE desktop environment, before installing Global Protect VPN install KDE, e.g.,
      • Under Debian/Ubuntu run sudo apt install kde-standard.
      • Otherwise consult your distribution's documentation on how to install KDE.
      • ASIDE: Global Protect VPN requires libraries such as QtNetwork, etc.
    6. Install Global Protect VPN.
    7. In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter securelogin.uwindsor.ca and click the Connect icon.
    8. A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).

After Global Protect VPN is installed and active, you should be able to do the following:

  • connect to any Digital Research Alliance of Canada (formerly Compute Canada) compute cluster login node using SSH

That said, one still cannot do the following:

  • Globus Connect Personal to transfer files
  • SSH to any of your Digital Research Alliance of Canada cloud nodes
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
  • Connect using VNC to Digital Research Alliance of Canada VDI nodes
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
  • Connect using SSH, rsync, and other protocols/tools to any other HPC clusters, e.g., CERN, EuroHPC, XSEDE (Access), etc.
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.

Work-Around: Connecting to SHARCNET/Compute Ontario/Alliance Resources If Only HTTP/HTTPS Are Available

If only HTTP and/or HTTPS are only available then the ability to make full use of various tools to access SHARCNET, Compute Ontario, and/or Alliance systems and resources is limited. Fortunately, a number of clusters are running instances of JupyterHub which will allow you to connect to the various Alliance clusters to use JupyterLab which will enable you to:

  • use a terminal window on that cluster,
  • use a graphical environment on that cluster (if such is needed),

Using JupyterHub

  1. Go to the JupyterHub web page of the desired cluster.
  2. Log in with your Alliance username and password.
  3. Select the desired account (if you've more than one available).
  4. Specify the amount of time (maximum) you want for this session.
    • NOTE: The session is a Slurm job. Once the maximum time has been reached, the job will be killed. It is recommended to keep the time asked for restricted to the amount of time you will actively use Jupyter, e.g., 2 or 3 hours.
  5. Specify the number of cores needed.
    • Typically this should be one unless you want to test your program with multiple cores, etc.
    • If you will be using MPI programs, remember to use srun to run your MPI programs in the terminal window within Jupyter.
  6. Specify the total amount of RAM needed.
    • Ideally keep this figure low to below 4000M per CPU core.
  7. Only if you will be using a GPU, specify the desired GPU configuration.
  8. Specify JupyterLab for the user interface. (This is the newest and most useful interface.)
  9. Click the Start button.

After clicking the Start button, wait for Jupyter to start.

  • It will timeout after 5 minutes. If it times out, then try it again. It such persists reduce the number of cores, RAM, GPUs, etc. being asked for and try again. If needed, submit a ticket to support@computecanada.ca ask for help with his and/or report a problem connecting.

Once JupyterLab starts use the Launcher (or File > New Launcher) to start a Terminal window or Desktop to start a graphical environment.

Know there is no need to use an salloc session since one is inside a Slurm job within JuptyerLab. Consequently since this is within a Slurm job, $SLURM_TMPDIR is also set and can/should be used when relevant.

Work-Around: Connecting to a Cloud Node With SSH

If you are unable to SSH to your cloud node but you are able to SSH to a compute cluster login node, then you can use SSH's "JumpHost" feature to connect to your cloud node's SSH server. To do this run the following command:

  • ssh -J YOUR_DRAC_USERNAME@DRAC_COMPUTE_CLUSTER.computecanada.ca YOUR_CLOUD_USERNAME@YOUR_CLOUD_IP_ADDRESS

where:

  • YOUR_DRAC_USERNAME is your Digital Research Alliance of Canada username
  • DRAC_COMPUTE_CLUSTER is a desired Digital Research Alliance of Canada's compute cluster name
  • YOUR_CLOUD_USERNAME is the username you log in with SSH on your cloud node
  • YOUR_CLOUD_IP_ADDRESS is your cloud node's IP address or DNS name

What the "JumpHost" feature does is connect to the "JumpHost" machine first and then connects to the desired target machine. This does mean you will need to enter in your password twice: the first time is on the compute cluster login node and the second time will be the password for your cloud instance.

NOTE: You can also use JupyterHub (see earlier on this page), open a Terminal window, and then ssh to your cloud node as well.

Other Items

Running a Licence Server @uwindsor.ca

If you need to use proprietary software on SHARCNET, Compute Ontario, Alliance systems where the software requires a licence server which must be physically located on the University of Windsor campus, know this can be done and has always involved doing the following:

  1. Set up the licence server at a specific IP and port on campus.
    • It is advised to enlist the help of a UWindsor Technician and/or ITS to do this.
  1. Enlist the help of a UWindsor Technician and ITS to ensure that IP and Port will be able to be accessed from outside of the UWindsor network.
  2. If the cluster you want to use does not allow Internet access from its compute nodes, or, if ITS wants more security than anyone from anywhere on the Internet can access that IP and port, then submit a ticket to support@computecanada.ca asking for a tunnel to be opened up with your research team's jobs to the IP and port AND ask from which DNS name (or IPs) where such queries will appear to be coming from.
    • The latter allows ITS to limit the ability to successfully connect to that IP and Port which helps reduce possible security issues.
  1. Arrange to test such with after such as been set up.

This is very manual process and involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS) and requires testing. Nicely, after such has been successfully tested, however, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the software they are using in our Documentation Wiki --a number of programs have specific pages detailing what needs to be done in order to get things to work.

Opening a Ticket With UWindsor's ITS

To open a ticket with UWindsor's ITS, see this link, or: