Back to top

Remote Access

Remote access is available in a number of ways

SSH gateway

The Secure Shell (SSH) gateway provides remote access chiefly to departmental Linux desktops and servers

Who is this service for?

Those needing to remotely connect to the department using the SSH protocol, e.g. with ssh, scp, sftp and rsync commands. For those with fast connectivity it is also possible to use X11 forwarding with SSH to support access to graphical X-applications.

Once connected to the gateway please do not use it as a compute server, just as a connectivity gateway, and make internal connections to compute servers and desktops as necessary.

If you need to download a lot of data, please be aware that most desktops and servers within the department can initiate direct outgoing connections to remote hosts on the Internet, avoiding any need for the traffic to actually flow through the gateway server itself.

Please remember this is a shared resource often being used by many of your colleagues, resources are finite including bandwidth.

Why is this service necessary?

The SSH gateway provides a reasonably secure remote access path to desktops and servers within the department where direct inbound access is always denied.

Using the SSH Gateway from Linux

Internet connected remote Linux and UNIX based systems can usually connect with the command:

ssh -l username

Where username is your Stats login name.

If you require X-forwarding the -X option is required and depending on connection speed data compression may also help and is available via the -C option.

If you then wish to SSH to an internal host e.g. a desktop or compute server then you will have to perform this as a two-stage SSH:


ssh internalhost

Using the SSH gateway from Windows

The simplest way to connect to a Linux system from a Windows PC is to use software known as PuTTY (please see below).


What is PuTTY?

PuTTY is a simple applications which can be used to connect securely from a Windows PC to a Linux (or Unix) system. The latest version can be downloaded from the PuTTY website.

How to use PuTTY

Before you start you need to know the hostname or IP address of the system you will be connecting to. In most cases it will be when accessing Statistics.

  • Double click on the PuTTY icon.
  • The PuTTY Configuration window will appear.

  • Enter the hostname in the “HostName (or IPaddress)” box. Make sure that SSH is selected.
  • You may see a PuTTY security alert like this:

  • If you are using this alert appears if you haven’t downloaded our SSH keys.
  • A login window appears. Enter your Statistics username and password.
  • Use logout or exit to finish your session.

Running X-applications from a PuTTY session

It can be convenient to use PuTTY and Exceed to run X applications. This is usually quicker than using Exceed to connect to an Exceed server and is more flexible because any public access Linux PC can be used. For home laptop users we recommend xming rather than Exceed.

Software required

  • PuTTY v 0.53b or later. To check the version open PuTTY and click on the About button.
  • Exceed v 7.1 or later (alternatively you can use xming)


Start Exceed with All Programs -> Hummingbird Connectivity 10 -> Exceed. This will start Exceed in passive mode.
Open a PuTTY window. Enter the hostname in the HostName (or IPaddress) box but do not click on Open yet.
Click on X11 on the Category box on the lefthand side. A window like this appears:

  • Check the Enable X11 forwarding box and click on Open.
  • A login window appears. Enter your Statistics username and password. A simple test that X applications can be displayed is to use the xclock & command. A clock should appear on your desktop.
  • Use logout or exit to finish your session. If you have open X applications then you should exit from these in order to complete the logout process.
  • The Exceed session can now be closed.

Unsafe PuTTY software

Sadly in 2015 there were reports of malicious fake versions of PuTTY circulating. The simplest way to check whether you have a safe version or not, is to open PuTTY and click on the ‘About’ button.

Good safe version of PuTTY

Bad unsafe version of PuTTY

In the unsafe version, the text under PuTTY reads ‘Unidentified build…’.

In the very unlikely event that you have been using a malicious version, please contact ithelp.

PuTTY can be safely downloaded from here:

Virtual Private Network (VPN)

Virtual Private Network (VPN) allows remote computers to connect to the department and access internal resources as if they were located here in the building.

Who is the service for?

The Virtual Private Network (VPN) service is for members of the Department using computers located outside Statistics, either in Colleges or other University Departments, or from a connection anywhere in the world.

VPN SSL Service

To use the Fortinet VPN SSL service please email in order to have your account registered. Once that has been completed please open a web browser to the VPN SSL web page and login using your Statistics (Linux) username and password.

If this fails, please email to allows us to investigate further. After successful login the following page should appear:

Naturally you need to install some suitable software to use the VPN SSL service. As the name implies this uses SSL (Secure Sockets Layer) which is the standard security technology used for establishing an encrypted link, e.g. between web servers and browsers, or almost anything else these days. At least two software options are available, the first is Forticlient provided by Fortinet and the second is openfortivpn which has been found to work better with the latest Linux and Apple releases (December 2018). Probably the easiest way to configure your client is just to use the FortiClient for your specific system, but if that fails, or you know you have a very new release, try openfortivpn instead.


Although some downloads for the Forticlient are available from the page shown above, a much fuller and newer selection is available from the Forticlient website itself.

As of October 2018 this included software for:

  • Android 4.1 or higher
  • Google Chromebook and Chrome Browser
  • iOS 9.0.0 or higher
  • Mac OSX v10.11 El Capitan or higher
  • Linux Ubuntu 16.04 or higher, Red Hat, CentOS 7.4 or higher
  • Windows 7 or higher
  • Windows App for Windows 10 and Windows Phone 10

The features offered by each FortiClient varies between platforms, full details are available on the Fortinet website.

WARNING!! Please check the options for components to be installed. The Windows and MacOS installers include an anti-malware security solution. If you already have anti-malware (for example Sophos) on your computer you are advised NOT to install this component.

Start the client and perform the following configuration.  The essentials include

  • Server
  • Port             10443
  • User            Your Statistics username
  • Password    Your Statistics (Linux) password
  • It is worth enabling certificate checking.  Note if you used an IP address instead of as the server name the certificate check will fail.

Next please attempt a VPN SSL connection, which should succeed reporting connecting.

Finally as one final check, please open a web browser to to confirm connectivity.


Full information about installing and/or building openfortivpn is available from their website with support offered for both Linux and macOS.  When openfortivpn runs you will need to enter:

as the host and port for the connection.

Ubuntu 20.04 users please note if you see an error message like this one when trying to connect

ERROR:  SSL_connect: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

… you will need to add the option --seclevel-1 to your command-line.  (We hope to remove this limitation in the near future.)

Mapping Your Home Directory

Windows Users

When using the Statistics VPN, your home directory is not automatically mapped to the P: drive as it happens when you log in to a Departmental desktop; this is due to your computer not being part of our Active Directory domain. Also, the folder path we use inside the domain will not work from outside.

Should you need to access your home directory when connected to the Statistics VPN, you can map the SaMBa-shared folder to a drive by using the full path to the shared folder:

  • Connect to the Statistics VPN
  • Right-click on Computer (either on your desktop or your Start menu) and select Map network drive…
  • On the Map Network Drive window, select the drive letter you want to use; for example P:
  • Type the path to the folder: \\\username, where fs0x is the name of your P: drive file server and username is your Statistics username; for example \\\testuser
  • If you are not sure which of fs01, fs02, or fs03 you are using try each in turn.
  • If you are going to use this repeatedly, check Reconnect at logon
  • Check Connect using different credentials
  • Click Finish
  • On the new Windows Security window, type in your Statistics username (in the form STATS\username) and password
  • Click OK

Mac Users

  • In the Finder, click on the Go menu and select Connect to Server.
  • Enter the server address: as smb://, where fs0x is the name of your home directory file server and username is your Statistics username; for example smb://
  • If you are not sure which of fs01, fs02, or fs03 you are using try each in turn.
  • Click the + button to save this as a Favourite Server
  • Click Connect and then enter your Statistics username and password when prompted
Remote Desktop Gateway

The Windows remote desktop gateway using Microsoft RDP provides access to Windows desktops within the department via

Who is this service for?

Academics and other members of staff who have a departmental Windows desktop.

What is the service for?

The Remote Desktop Gateway allows you to connect to a departmental Windows desktop from outside the Department. You can use an up-to-date Remote Desktop Client to then login to the departmental desktop and operate it as if you were sitting at your desk, including access to your P:\ drive and other services only accessible from inside the Department.

Why is this service necessary?

The Remote Desktop Gateway provides a reasonably secure connection (using SSL) to Windows desktops within the department whereas direct, possibly insecure, remote access is denied.


You must have access to an up-to-date Remote Desktop Client application to be able to connect through the Gateway. So far we have only found two clients which allow gateway connections:

  • The Remote Desktop Connection application installed by default on Windows XP and later, and
  • The iTap mobile RDP for Macs and Linux systems.

The first comes free with Windows, the latter has to be purchased separately (it is available in the App Store).

To connect through the Remote Desktop Gateway, we have to configure it to allow you to log through, and then to allow you to log in remotely to your desktop. This means we will need to know your departmental username (not your password; never send your password to anyone, even us) and the hostname of your desktop before you can access the service. Your Windows desktop will need to be rebooted before you can try the service.

It is advisable to have a fast broadband Internet connection where you are, as the Remote Desktop protocol requires more bandwidth than a text-based one (like SSH) to have a satisfactory experience.

Using the service with Remote Desktop Connection

  • Open Remote Desktop Connection (Start > All Programs > Accessories > Remote Desktop Connection in Windows XP and 7)
  • Type in the hostname of the TARGET machine, i.e.
  • Click Options >>
  • Click on the Advanced tab
  • Click Settings…
  • Select Use these TS Gateway server settings:
  • Server name:
  • Logon method: Allow me to select later
  • Click OK
  • Click Connect
  • Type in your departmental credentials to log in to the RD Gateway, i.e. STATS\username
  • Click OK
  • Log in to the TARGET system using your departmental credentials again
  • Once finished, remember to log out unless you want the session on the TARGET system to persist; if so just disconnect (Start > Disconnect)

Using the service with iTap mobile RDP

  • Start iTap mobile RDP
  • Click on Preferences
  • Click on the add button (bottom left) of the Gateway preferences
  • Type in a meaningful label for these preferences, i.e. Oxford Statistics
  • Hostname:
  • Domain: STATS
  • Quit the Preferences window
  • Click New
  • Type in a meaningful label for this connection, e.g. Statistics Desktop
  • Type in the host name of the TARGET machine, e.g.
  • Domain: STATS
  • Select the gateway preferences you created above, i.e. Oxford Statistics
  • Quit the new host window
  • Double-click on the host entry you have just created, i.e. Statistics Desktop
  • Type in your departmental username and password when prompted, i.e. STATS\username