
Remote Access

Remote access is available in a number of ways.

SSH gateway

The Secure Shell (SSH) gateway provides remote access chiefly to departmental Linux desktops and servers.

Who is this service for?

Those needing to remotely connect to the department using the SSH protocol, e.g. with ssh, scp, sftp and rsync commands. For those with fast connectivity it is also possible to use X11 forwarding with SSH to support access to graphical X-applications.

Once connected to the gateway please do not use it as a compute server, just as a connectivity gateway, and make internal connections to compute servers and desktops as necessary.

If you need to download a lot of data, please be aware that most desktops and servers within the department can initiate direct outgoing connections to remote hosts on the Internet, avoiding any need for the traffic to actually flow through the gateway server itself.

Please remember that this is a shared resource, often in use by many of your colleagues; resources, including bandwidth, are finite.

Why is this service necessary?

The SSH gateway provides a reasonably secure remote access path to desktops and servers within the department where direct inbound access is always denied.

Using the SSH Gateway from Linux

Internet-connected remote Linux and UNIX-based systems can usually connect with the command:

ssh -l username gate.stats.ox.ac.uk

Where username is your Stats login name.

If you require X-forwarding, the -X option is required. Depending on connection speed, data compression may also help and is available via the -C option.

If you then wish to SSH to an internal host, e.g. a desktop or compute server, you will have to perform this as a two-stage SSH:

ssh gate.stats.ox.ac.uk

ssh internalhost
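
The two-stage login above can also be written as a client-side ~/.ssh/config using OpenSSH's ProxyJump; this is an added example, not the department's own configuration. It assumes an OpenSSH 7.3 or later client and a gateway that permits TCP forwarding; stats-gate is a made-up alias, and username and internalhost are the page's placeholders.

```sshconfig
# ~/.ssh/config on the remote (home) machine.
# Added example: "stats-gate" is a hypothetical alias; "username" and
# "internalhost" are the placeholders used on this page.

# Stage 1: the gateway, used only as a connectivity hop.
Host stats-gate
    HostName gate.stats.ox.ac.uk
    User username
    # Keep agent and X11 forwarding off on the shared gateway, so no
    # usable credentials or display sockets are exposed there.
    ForwardAgent no
    ForwardX11 no

# Stage 2: an internal desktop or compute server, reached through stage 1.
# The name is resolved by the gateway, so internal hostnames work.
Host internalhost
    User username
    ProxyJump stats-gate
    # Uncomment only when graphical applications are needed
    # (the equivalents of -X and -C on the command line):
    # ForwardX11 yes
    # Compression yes
```

With this in place, ssh internalhost (and scp, sftp or rsync to internalhost) makes both hops in one command. The inner session is encrypted end to end between your machine and the internal host, so the gateway only relays ciphertext and nothing runs in a shell on it.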

Using the SSH gateway from Windows

The simplest way to connect to a Linux system from a Windows PC is to use the built-in SSH client from a Windows Terminal – a tutorial is available on the Microsoft Learn website:

https://learn.microsoft.com/en-us/windows/terminal/tutorials/ssh

Virtual Private Network (VPN)

A Virtual Private Network (VPN) allows remote computers to connect to the department and access internal resources as if they were located here in the building.

Who is the service for?

The Virtual Private Network (VPN) service is for members of the Department using computers located outside Statistics, either in Colleges or other University Departments, or from a connection anywhere in the world.


VPN SSL Service

To use the Fortinet VPN SSL service, please email ithelp@stats.ox.ac.uk in order to have your account registered. Once that has been completed, please open a web browser to the VPN SSL web page and log in using your Statistics (Linux) username and password.

If this fails, please email ithelp@stats.ox.ac.uk to allow us to investigate further. After successful login the following page should appear:

Naturally you need to install some suitable software to use the VPN SSL service. As the name implies, this uses SSL (Secure Sockets Layer), which is the standard security technology used for establishing an encrypted link, e.g. between web servers and browsers, or almost anything else these days. At least two software options are available: the first is FortiClient, provided by Fortinet, and the second is openfortivpn, which has been found to work better with the latest Linux and Apple releases (December 2018). Probably the easiest way to configure your client is just to use the FortiClient for your specific system, but if that fails, or you know you have a very new release, try openfortivpn instead.

FortiClient

Although some downloads for the FortiClient are available from the page shown above, a much fuller and newer selection is available from the FortiClient website itself.

As of October 2018 this included software for:

  • Android 4.1 or higher
  • Google Chromebook and Chrome Browser
  • iOS 9.0.0 or higher
  • Mac OSX v10.11 El Capitan or higher
  • Linux Ubuntu 16.04 or higher, Red Hat, CentOS 7.4 or higher
  • Windows 8.1 or higher
  • Windows App for Windows 10 and Windows Phone 10

The features offered by each FortiClient vary between platforms; full details are available on the Fortinet website.

WARNING!! Please check the options for components to be installed. The Windows and macOS installers include an anti-malware security solution. If you already have anti-malware (for example Sophos) on your computer you are advised NOT to install this component.

Start the client and perform the following configuration. The essentials include:

  • Server: vpnssl.stats.ox.ac.uk
  • Port: 10443
  • User: Your Statistics username
  • Password: Your Statistics (Linux) password
  • It is worth enabling certificate checking. Note that if you use an IP address instead of vpnssl.stats.ox.ac.uk as the server name, the certificate check will fail.

Next, please attempt a VPN SSL connection, which should succeed and report that it is connecting.

As a final check, please open a web browser to internal.stats.ox.ac.uk to confirm connectivity.

Openfortivpn

Full information about installing and/or building openfortivpn is available from their website, with support offered for both Linux and macOS. When openfortivpn runs you will need to enter:

vpnssl.stats.ox.ac.uk:10443

as the host and port for the connection.

Ubuntu 20.04 users, please note that you may see an error message like this one when trying to connect:

ERROR:  SSL_connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

… in which case you will need to add the option --seclevel-1 to your command-line. (We hope to remove this limitation in the near future.)

Mapping Your Home Directory

Windows Users

When using the Statistics VPN, your home directory is not automatically mapped to the P: drive as happens when you log in to a Departmental desktop; this is because your computer is not part of our Active Directory domain. Also, the folder path we use inside the domain will not work from outside.

Should you need to access your home directory when connected to the Statistics VPN, you can map the Samba-shared folder to a drive by using the full path to the shared folder:

  • Connect to the Statistics VPN
  • Right-click on Computer (either on your desktop or your Start menu) and select Map network drive…
  • On the Map Network Drive window, select the drive letter you want to use; for example P:
  • Type the path to the folder: \\fs0x.stats.ox.ac.uk\username, where fs0x is the name of your P: drive file server and username is your Statistics username; for example \\fs02.stats.ox.ac.uk\testuser
  • If you are not sure which of fs01, fs02, fs03 or fs04 you are using try each in turn.
  • If you are going to use this repeatedly, check Reconnect at logon
  • Check Connect using different credentials
  • Click Finish
  • On the new Windows Security window, type in your Statistics username (in the form STATS\username) and password
  • Click OK

Mac Users

  • In the Finder, click on the Go menu and select Connect to Server.
  • Enter the server address as smb://fs0x.stats.ox.ac.uk/username, where fs0x is the name of your home directory file server and username is your Statistics username; for example smb://fs02.stats.ox.ac.uk/testuser
  • If you are not sure which of fs01, fs02, fs03 or fs04 you are using try each in turn.
  • Click the + button to save this as a Favourite Server
  • Click Connect and then enter your Statistics username and password when prompted

Remote Desktop Gateway

The Windows remote desktop gateway using Microsoft RDP provides access to Windows desktops within the department via wingate.stats.ox.ac.uk.

Who is this service for?

Academics and other members of staff who have a departmental Windows desktop.

What is the service for?

The Remote Desktop Gateway allows you to connect to a departmental Windows desktop from outside the Department. You can use an up-to-date Remote Desktop Client to then login to the departmental desktop and operate it as if you were sitting at your desk, including access to your P:\ drive and other services only accessible from inside the Department.

Why is this service necessary?

The Remote Desktop Gateway provides a reasonably secure connection (using SSL) to Windows desktops within the department whereas direct, possibly insecure, remote access is denied.

Requirements

You must have access to an up-to-date Remote Desktop Client application to be able to connect through the Gateway. So far we have only found two clients which allow gateway connections:

  • The Remote Desktop Connection application installed by default on Windows 8.1 and later, and
  • The iTap mobile RDP for Macs and Linux systems.

The first comes free with Windows, the latter has to be purchased separately (it is available in the App Store).

To connect through the Remote Desktop Gateway, we have to configure it to allow you to log in through it, and then to allow you to log in remotely to your desktop. This means we will need to know your departmental username (not your password; never send your password to anyone, even us) and the hostname of your desktop before you can access the service. Your Windows desktop will need to be rebooted before you can try the service.

It is advisable to have a fast broadband Internet connection where you are, as the Remote Desktop protocol requires more bandwidth than a text-based one (like SSH) to have a satisfactory experience.


Using the service with Remote Desktop Connection

  • Open Remote Desktop Connection (in Windows 10 via Start menu > Windows Accessories > Remote Desktop Connection)
  • Type in the hostname of the TARGET machine, e.g. test.stats.ox.ac.uk
  • Click Show Options
  • Click on the Advanced tab
  • Click Settings…
  • Select ‘Use these TS Gateway server settings’
    • Server name: wingate.stats.ox.ac.uk
    • Log-on method: Ask for password
    • Log-on settings: Use my RD Gateway credentials for the remote computer
  • Click OK
  • Click Connect
  • Type in your departmental credentials to log in to the RD Gateway, i.e. STATS\username
  • Click OK
  • On first connection, acknowledge any warnings about certificates
  • Once finished, remember to ‘Sign out’ unless you want the session on the TARGET system to persist (i.e. your files remain open and desktop session locked); if so just disconnect (Start > Disconnect)

Using the service with iTap mobile RDP

  • Start iTap mobile RDP
  • Click on Preferences
  • Click on the add button (bottom left) of the Gateway preferences
  • Type in a meaningful label for these preferences, e.g. Oxford Statistics
  • Hostname: wingate.stats.ox.ac.uk
  • Domain: STATS
  • Quit the Preferences window
  • Click New
  • Type in a meaningful label for this connection, e.g. Statistics Desktop
  • Type in the host name of the TARGET machine, e.g. test.stats.ox.ac.uk
  • Domain: STATS
  • Select the gateway preferences you created above, i.e. Oxford Statistics
  • Quit the new host window
  • Double-click on the host entry you have just created, i.e. Statistics Desktop
  • Type in your departmental username and password when prompted, i.e. STATS\username