Resolving UWindsor Internet Connectivity Issues

From SHARCNETHelp

Latest revision as of 15:00, 5 November 2022

University of Windsor 2022 Connectivity Issues

Notice

The content of this page is current as of Nov. 4, 2022. Should you have issues, please create a SHARCNET ticket (help@sharcnet.ca) or email Paul Preney (SHARCNET staff at UWindsor) to seek more assistance.

Overview

In June 2022, the University of Windsor experienced a serious cyber-security incident (see the University's notice/update page for the incident). Since then, the University of Windsor has significantly restricted network service access, which affects everyone using the University of Windsor's network.

To be clear, one is using the University of Windsor's network when:

  • one is physically connected to such on-campus,
  • one is using any of the campus wireless networks, or
  • one is using GlobalProtect VPN (when it is activated/connected).

otherwise one is not on the University of Windsor's network.

If one is not on the University of Windsor's network (which assumes that GlobalProtect VPN, if it is installed, is inactive on your computer), then one should be able to connect normally to network resources outside UWindsor, assuming your own network, ISP, etc. is not otherwise blocking you from connecting to various network services.

If one needs to use the University of Windsor's network, e.g., from home or elsewhere with GlobalProtect VPN installed and activated, then the content of this page should help you connect to Digital Research Alliance of Canada (formerly Compute Canada) / SHARCNET resources.

Finally, should you need to submit a ticket to UWindsor's ITS, you can do so via the appropriate link on this page.

Unofficial Open Source Linux Global Protect Client

The official (proprietary) Linux GlobalProtect VPN client program does not work properly under all Linux distributions, e.g., under Ubuntu it reports an "SSL handshake error" just when it should start working. Additionally, the official client does not remember one's credentials (e.g., for 30 days) and prompts one to enter their login and password and to do MFA every single time.

There is a better, unofficial open source Global Protect OpenConnect client program that establishes the VPN, behaves better, and is configurable, e.g., one can configure it to NOT set the default route so that everything is routed through the UWindsor VPN. The latter matters because, if nothing is done, then when you are off campus traffic not destined for UWindsor can be routed through the UWindsor VPN. (Instructions concerning this appear later on this page.)

Connectivity From Outside the UWindsor Network

You should have no issues accessing Digital Research Alliance of Canada / SHARCNET resources when outside the UWindsor network. If you do have issues, ensure that:

  • if Global Protect VPN is installed, it is turned off / not active, and
  • your own and/or your ISP's firewall is not blocking access.

Connectivity From the UWindsor Network

If you are inside the UWindsor network using a wired or a wireless connection, without SentinelOne or Global Protect VPN installed, you will only be able to connect to HTTP and HTTPS pages using your web browser. Nothing else (e.g., SSH) will work without further configuration. If all you need to access are web pages using HTTP and/or HTTPS links, then nothing further needs to be done.

Should you need to use anything other than HTTP and/or HTTPS web pages, then you must either:

  • if the machine you are using is owned by the University of Windsor, then the SentinelOne software can be installed on it for full Internet access (local or external to the University network), or,
  • if the machine you are using is not owned by the University of Windsor, then the Global Protect VPN software must be installed.

If you are unsure if the SentinelOne software is installed on your computer, see this link. Your department's computer staff will be able to help you with installing SentinelOne.

To obtain and install Global Protect VPN on your computer:

  • If using Windows or MacOS:
    1. Go to https://securelogin.uwindsor.ca to download the appropriate Global Protect VPN client.
    2. Install the downloaded client.
    3. Run the Global Protect VPN client program.
    4. In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter securelogin.uwindsor.ca and click the Connect icon.
    5. A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).
  • If using Linux (unofficial open source client):
    • NOTE: Generally using this is better than using the official GP VPN client, which does not work under all Linux distributions (including common ones such as Ubuntu).
    1. Follow the installation instructions at [1].
    2. After installation, the connection gateway to use is securelogin.uwindsor.ca. Test that this works.
    3. Optional: To have only UWindsor traffic flow through the VPN, install vpn-slice following the instructions on that page (after checking whether or not your distribution's package manager has a package for it).
      • Edit /etc/gpservice/gp.conf so that openconnect-args is set to: openconnect-args=--script "vpn-slice 137.207.0.0/16 10.0.0.0/8 %192.168.0.0/16 %172.17.0.0/16".
      • 137.207.0.0/16 and 10.0.0.0/8 are the ranges that will be routed through the VPN; everything else keeps using your normal default route.
      • %192.168.0.0/16 ensures the 192.168/16 network address range is not part of the VPN. Most people's home LAN addresses are in the 192.168. range. Modify or delete accordingly per your situation.
      • %172.17.0.0/16 is the typical docker0 bridge network address range. Modify (if you use Docker) or delete.
      • NOTE: Running vpn-slice --help will output help concerning command line options.
      • Reconnect to the UWindsor VPN for these settings to take effect.
  • If using Linux (official client):
    • NOTE: Currently Global Protect VPN does not appear to work properly with at least Ubuntu; use the unofficial Global Protect OpenConnect software instead, as that does work (see above).
    1. On the https://www.uwindsor.ca page search for Global Protect VPN Linux and look in the results for something like "Installing GlobalProtect VPN client on Linux" and click on that link.
    2. If you are not already logged in to the UWindsor page, you will need to log in by clicking the Sign in link at the top-right hand side of the page.
      • ASIDE: Logging in is necessary to see the content which links to the download link.
    3. Under Related Articles there will be a link to download Global Protect VPN for Linux. Click the link.
    4. On the page that comes up download the appropriate file(s) for your Linux. To help determine which file(s) are needed, note the following:
      • If your computer runs on an Intel or AMD (Ryzen/Threadripper/EPYC) x86-64 CPU you will need to download the amd64 file(s).
      • If your computer runs on an ARM CPU you will need to download the arm file(s).
      • If your computer is running Debian or Ubuntu Linux you will need to download the .deb file(s).
      • If your computer is running RedHat, Fedora, SUSE, etc. Linux you will need to download the .rpm file(s).
      • Realistically, you'll only need the UI file(s) which installs a graphical tool to use. (The non-UI file installs a command-line only tool that isn't easy to use.)
      • If your Linux doesn't support .deb or .rpm files then you will need to download the .tar file and manually install the program. (Follow the instructions given in the tarball.)
    5. If you are not using the KDE desktop environment, before installing Global Protect VPN install KDE, e.g.,
      • Under Debian/Ubuntu run sudo apt install kde-standard.
      • Otherwise consult your distribution's documentation on how to install KDE.
      • ASIDE: Global Protect VPN requires libraries such as QtNetwork, etc.
    6. Install Global Protect VPN.
    7. In the window that pops up (or look in your status/task bar for an "Earth" icon and click it) prompting you for a connection gateway, enter securelogin.uwindsor.ca and click the Connect icon.
    8. A browser window will open prompting you to login using your UWinID, password, and will require you to use MFA (e.g., approve the login using your phone).
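Once the unofficial client is connected with the vpn-slice setting from step 3 above, the one thing worth verifying is that the default route really stayed on your physical interface and that only the listed ranges go through the tunnel. The following check is an added example for this page (it is not part of the SHARCNET wiki, the GlobalProtect OpenConnect project, or vpn-slice): it parses the text printed by `ip route show` and reports whether the split tunnel is in effect. The interface names (wlan0, tun0) and the two sample routing tables are constructed for the example.

```shell
# Added example (not from the SHARCNET page, GP OpenConnect, or vpn-slice):
# confirm that the vpn-slice split tunnel configured in /etc/gpservice/gp.conf
# took effect by inspecting the routing table. Interface names and the sample
# tables below are constructed placeholders.

UW_NET="137.207.0.0/16"   # UWindsor range named in the gp.conf line above

# route_dev ROUTES DEST
#   Print the "dev" of the first routing-table line whose destination is DEST
#   (use "default" for the default route). ROUTES is text in the format
#   printed by `ip route show`.
route_dev() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        $1 == dest { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# check_split_tunnel ROUTES VPN_IFACE
#   Returns 0 if traffic is split as intended (default route stays on the
#   physical interface and UW_NET goes through VPN_IFACE),
#   1 if the default route goes through the VPN (everything is tunnelled),
#   2 if UW_NET is not routed through the VPN at all (VPN down or misconfigured).
check_split_tunnel() {
    routes=$1
    vpn_if=$2
    def_dev=$(route_dev "$routes" default)
    uw_dev=$(route_dev "$routes" "$UW_NET")
    if [ "$def_dev" = "$vpn_if" ]; then
        echo "NOT split: default route goes via $vpn_if (all traffic tunnelled)"
        return 1
    fi
    if [ "$uw_dev" != "$vpn_if" ]; then
        echo "NOT split: $UW_NET is not routed via $vpn_if (dev='${uw_dev:-none}')"
        return 2
    fi
    echo "OK: default via ${def_dev:-none}, $UW_NET via $vpn_if"
    return 0
}

# Constructed sample: what `ip route` looks like when vpn-slice is working.
SPLIT_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev tun0 scope link
137.207.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# Constructed sample: the default openconnect behaviour (no --script), where
# the tunnel captures the default route and everything goes to UWindsor.
FULL_ROUTES='default dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# Against the live system, after connecting:
#   check_split_tunnel "$(ip route show)" tun0
```

Run the live form after every reconnect; a return code of 1 means the openconnect-args line was not picked up (all of your traffic is leaving via UWindsor), and 2 means the tunnel is not up or the UWindsor range is missing from the vpn-slice argument list.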

After Global Protect VPN is installed and active, you should be able to do the following:

  • connect to any Digital Research Alliance of Canada (formerly Compute Canada) compute cluster login node using SSH

That said, one still cannot do the following:

  • Globus Connect Personal to transfer files
  • SSH to any of your Digital Research Alliance of Canada cloud nodes
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
  • Connect using VNC to Digital Research Alliance of Canada VDI nodes
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.
  • Connect using SSH, rsync, and other protocols/tools to any other HPC clusters, e.g., CERN, EuroHPC, XSEDE (Access), etc.
    • NOTE: You will need to open a ticket with ITS to have them allow this for you and your research team.

Work-Around: Connecting to SHARCNET/Compute Ontario/Alliance Resources If Only HTTP/HTTPS Are Available

If only HTTP and/or HTTPS are available then the ability to make full use of the various tools to access SHARCNET, Compute Ontario, and/or Alliance systems and resources is limited. Fortunately, a number of clusters are running instances of JupyterHub, which will allow you to connect to the various Alliance clusters and use JupyterLab, which will enable you to:

  • use a terminal window on that cluster, and
  • use a graphical environment on that cluster (if such is needed).

Using JupyterHub

  1. Go to the JupyterHub web page of the desired cluster.
  2. Log in with your Alliance username and password.
  3. Select the desired account (if you've more than one available).
  4. Specify the amount of time (maximum) you want for this session.
    • NOTE: The session is a Slurm job. Once the maximum time has been reached, the job will be killed. It is recommended to keep the time asked for restricted to the amount of time you will actively use Jupyter, e.g., 2 or 3 hours.
  5. Specify the number of cores needed.
    • Typically this should be one unless you want to test your program with multiple cores, etc.
    • If you will be using MPI programs, remember to use srun to run your MPI programs in the terminal window within Jupyter.
  6. Specify the total amount of RAM needed.
    • Ideally keep this figure low, i.e., below 4000M per CPU core.
  7. Only if you will be using a GPU, specify the desired GPU configuration.
  8. Specify JupyterLab for the user interface. (This is the newest and most useful interface.)
  9. Click the Start button.

After clicking the Start button, wait for Jupyter to start.

  • It will time out after 5 minutes. If it times out, then try again. If this persists, reduce the number of cores, RAM, GPUs, etc. being asked for and try again. If needed, submit a ticket to support@computecanada.ca to ask for help with this and/or report a problem connecting.

Once JupyterLab starts use the Launcher (or File > New Launcher) to start a Terminal window or Desktop to start a graphical environment.

Know there is no need to use a salloc session since one is already inside a Slurm job within JupyterLab. Consequently, since this is within a Slurm job, $SLURM_TMPDIR is also set and can/should be used when relevant.

Work-Around: Connecting to a Cloud Node With SSH

If you are unable to SSH to your cloud node but you are able to SSH to a compute cluster login node, then you can use SSH's "JumpHost" feature to connect to your cloud node's SSH server. To do this run the following command:

  • ssh -J YOUR_DRAC_USERNAME@DRAC_COMPUTE_CLUSTER.computecanada.ca YOUR_CLOUD_USERNAME@YOUR_CLOUD_IP_ADDRESS

where:

  • YOUR_DRAC_USERNAME is your Digital Research Alliance of Canada username
  • DRAC_COMPUTE_CLUSTER is a desired Digital Research Alliance of Canada's compute cluster name
  • YOUR_CLOUD_USERNAME is the username you log in with SSH on your cloud node
  • YOUR_CLOUD_IP_ADDRESS is your cloud node's IP address or DNS name

What the "JumpHost" feature does is connect to the "JumpHost" machine first and then connect from there to the desired target machine. This does mean you will need to enter your password twice: the first time for the compute cluster login node and the second time for your cloud instance.

NOTE: You can also use JupyterHub (see earlier on this page), open a Terminal window, and then ssh to your cloud node as well.
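If you connect to the cloud node regularly, the same JumpHost setup can live in ~/.ssh/config so that a plain `ssh ALIAS` does the two-hop connection. The shell functions below are an added example for this page (not code from the SHARCNET wiki or from OpenSSH); they print the ssh_config stanza and the equivalent one-off command from explicit parameters. The alias, usernames, cluster name and cloud address used in the comments and test are placeholders, not real accounts or machines.

```shell
# Added example (not from the SHARCNET page): the `ssh -J` JumpHost command
# above expressed as a reusable ~/.ssh/config stanza. All names below are
# placeholders.

# jump_config ALIAS JUMP_HOST JUMP_USER TARGET_HOST TARGET_USER
#   Print an ssh_config stanza. After appending it to ~/.ssh/config,
#   `ssh ALIAS` connects to the cluster login node first and then, through
#   it, to the cloud node, exactly like `ssh -J JUMP_USER@JUMP_HOST ...`.
jump_config() {
    [ $# -eq 5 ] || {
        echo "usage: jump_config ALIAS JUMP_HOST JUMP_USER TARGET_HOST TARGET_USER" >&2
        return 1
    }
    alias_=$1
    jump_host=$2
    jump_user=$3
    target=$4
    target_user=$5
    cat <<EOF
# Alliance cluster login node, used only as the jump host
Host ${alias_}-jump
    HostName ${jump_host}
    User ${jump_user}

# Cloud node, reachable only through the jump host
Host ${alias_}
    HostName ${target}
    User ${target_user}
    ProxyJump ${alias_}-jump
    # The cloud node's own host key is still verified end to end: the jump
    # host only relays the TCP stream and cannot read the inner SSH session.
    # "ask" is OpenSSH's default; it is stated here so the stanza is explicit.
    StrictHostKeyChecking ask
EOF
}

# jump_cmdline JUMP_HOST JUMP_USER TARGET_HOST TARGET_USER
#   Print the equivalent one-off command (the form shown on this page).
jump_cmdline() {
    [ $# -eq 4 ] || return 1
    printf 'ssh -J %s@%s %s@%s\n' "$2" "$1" "$4" "$3"
}

# Placeholder usage (cluster.computecanada.ca, alice, 10.0.0.5, ubuntu are
# made-up values):
#   jump_config mycloud cluster.computecanada.ca alice 10.0.0.5 ubuntu >> ~/.ssh/config
#   ssh mycloud
```

Because both hops still authenticate separately, you will be prompted twice with passwords, as the text above says; putting your public key in ~/.ssh/authorized_keys on both the login node and the cloud node removes the prompts without weakening the host-key checks.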

Other Items

Running a Licence Server @uwindsor.ca

If you need to use proprietary software on SHARCNET, Compute Ontario, or Alliance systems where the software requires a licence server that must be physically located on the University of Windsor campus, know this can be done and has always involved doing the following:

  1. Set up the licence server at a specific IP and port on campus.
    • It is advised to enlist the help of a UWindsor technician and/or ITS to do this.
  2. Enlist the help of a UWindsor technician and ITS to ensure that IP and port will be able to be accessed from outside of the UWindsor network.
  3. If the cluster you want to use does not allow Internet access from its compute nodes, or if ITS wants more security than letting anyone from anywhere on the Internet access that IP and port, then submit a ticket to support@computecanada.ca asking for a tunnel to be opened up from your research team's jobs to the IP and port AND ask from which DNS name (or IPs) such queries will appear to be coming.
    • The latter allows ITS to limit which sources are able to successfully connect to that IP and port, which helps reduce possible security issues.
  4. Arrange to test the set-up after it has been put in place.

This is a very manual process that involves staff within SHARCNET/Compute Ontario/Alliance as well as University of Windsor staff (e.g., technicians and ITS), and it requires testing. Nicely, after it has been successfully tested, one is able to focus on running research jobs on the cluster (as long as the licence server is up-and-running). Before going down this path, however, we encourage all researchers to first search for and have a look at (if it exists) the page for the software they are using in our Documentation Wiki; a number of programs have specific pages detailing what needs to be done in order to get things to work.

Opening a Ticket With UWindsor's ITS

To open a ticket with UWindsor's ITS, see this link, or: