2. VPN Service Upgrade

The OUCS VPN service allows any University member with an Internet connection outside of the University network to make use of a University IP to access services limited to such addresses, including internal websites, library facilities and OXAM. It is a popular service, peaking at over 800 concurrent users, with many thousands of registered Remote Access accounts.

Currently the service runs on a Cisco 3000 series concentrator, which has received End of Life notification from the vendor (although we have a number of years of support still available). The key issue, however, is that the IPSec based VPN client that OUCS currently distributes will also not receive further development from Cisco, other than bug fixes. Newer operating system platforms such as Windows 7, XP/Vista 64bit, and OS X Snow Leopard are not able to use this VPN client.

The long-term replacement for this product line is the ASA security appliance, and thanks to funding obtained from the PRAC ICT subcommittee (PICT) with the support of the Office of the Director of IT (Paul Jeffreys), we have been able to purchase new VPN concentrators. For new operating systems, they make use of a new client application called AnyConnect, although all current working client installations will continue to operate seamlessly with the new ASA devices.

There are a number of other feature improvements with our new concentrators. A pair of the ASA devices will provide failover resilience, operating in active-active mode. The crypto throughput will also be greatly improved, from the current 100 MBits/sec to 950 MBits/sec across the failover pair. As before, we can support up to 5,000 concurrent user sessions, and these can now use either IPSec or SSL-based technologies. We will continue to support the current VPN client (IPSec) for existing installations for the time being, and the AnyConnect client (SSL) can be deployed for new operating system platforms.

When the new concentrators go live, they will provide service from a new IP block we have set aside for VPN services. This will require any local firewall which permits connections to the OUCS VPN service to be updated. An email will be sent to IT Officers with further details closer to the time.
