Vanderbilt Enterprise VPN and Access to Licensed Resources (e.g., journals)

VUIT put new VPN hardware into service on Tuesday, Jan. 28, and with that change also implemented “split tunneling” for the VPN.   This has impacted one means that some Vanderbilt users have utilized to access licensed scholarly resources (e.g., journals).   A solution has been put in place to serve the users who exercise that particular means of access.

Split tunneling is a VPN configuration that allows VUIT to limit VPN traffic to just communications that involve Vanderbilt systems.   Without split tunneling (as on the retired VPN), when a user off-campus had a VPN connection open to Vanderbilt, all network traffic from that user’s computer—to Exchange, say, but also to Facebook and eBay—passed through the VPN connection and through the Vanderbilt network.   With split tunneling (the present configuration), traffic destined to non-Vanderbilt systems—like Facebook and eBay—does not go through the VPN connection, but rather goes directly into the internet from the user’s computer.  Only Vanderbilt-bound traffic uses the VPN connection.

This has affected one mode of accessing online journals and other licensed resources. The table below covers access from on campus and from off campus, with and without the VPN, and with or without the proxy service and links provided by the Vanderbilt Library. For each case it explains how the access is handled and how the new VPN configuration affects it.

The users affected by the change to the VPN configuration are those who, with a VPN connection open, attempt to access an online journal or similar licensed resource by addressing it directly (at, say, www.sciencemag.org).   Because this connection attempt now does not pass through the VPN, it goes to the journal’s system with the user’s home (or Starbucks’, etc.) IP address rather than with the Vanderbilt IP address the VPN would provide.   The journal then refuses access because the connection is not “coming from” a paid subscriber (e.g., Vanderbilt) as identified by IP address.

To alleviate this problem, VUIT has created a new ‘role’ on the VPN. Users placed in this role are automatically configured not to use split tunneling when on the VPN. To be placed in this role, users should submit a help desk ticket requesting that their VUnetIDs be added to the VUIT_No_Tunneling Active Directory group.
Please note:

  • ONLY users exercising the described mode of access need to be placed into this role.
  • ALL modes of access (on or off campus, with or without VPN) that navigate through Vanderbilt Library web pages succeed.
    • This is the Library’s preferred solution.   Not only does it always automatically route traffic through the proxy service as needed, it has the added benefit that the Library continuously updates links to external resources as those change.  Further, once a resource is located through the library’s web pages, the URL can be bookmarked to include the proxy service information allowing for easier access in the future.
    • URLs supplied by the Library for such access will incorporate “library.vanderbilt.edu”.  For example: 

  • ALL modes of access from on-campus systems with Vanderbilt IP addresses (129.59.y.z, 160.129.y.z, 10.x.y.z) succeed.

| Network location | Means of accessing external subscribed materials | What happens | Issue resolution requires membership in the VUIT_No_Tunneling AD group (the no-split-tunneling policy on the VPN)? |
|---|---|---|---|
| On campus, with a public IP address (in 160.129.y.z or 129.59.y.z) | Using links in indices and finding aids provided by or referencing Vanderbilt libraries | The Library proxy server redirects your connection directly to the external service which accepts your Vanderbilt IP | No |
| On campus, with a public IP address (in 160.129.y.z or 129.59.y.z) | Addressing a particular service (e.g. www.sciencemag.org) directly in the browser | Your connection goes directly to the external service which accepts your Vanderbilt IP; you may be prompted to authenticate | No |
| On campus, with a private IP address (10.x.y.z) | Using links in indices and finding aids provided by or referencing Vanderbilt libraries | The Library proxy server makes a proxy connection to the external service on your behalf, presenting a Vanderbilt public IP recognized by the service | No |
| On campus, with a private IP address (10.x.y.z) | Addressing a particular service (e.g. www.sciencemag.org) directly in the browser | The NAT service at the perimeter of the Vanderbilt network performs network address translation, effectively giving you--for that connection--a Vanderbilt public IP recognized by the external service | No |
| Off campus using new VPN with split tunneling, which gives you a private IP address (10.x.y.z) on the Vanderbilt network and your personal non-VU IP for all non-VU purposes | Using links in indices and finding aids provided by or referencing Vanderbilt libraries | The Library proxy server makes a proxy connection to the external service on your behalf, presenting a Vanderbilt public IP recognized by the service | No |
| Off campus using new VPN with split tunneling, which gives you a private IP address (10.x.y.z) on the Vanderbilt network and your personal non-VU IP for all non-VU purposes | Addressing a particular service (e.g. www.sciencemag.org) directly in the browser | The VPN client identifies your target as a non-VU resource and directs your traffic directly into the Internet, and not into the Vanderbilt network. You arrive at the external service with a non-VU (Comcast, ATT, etc.) IP which the external service rejects. | Yes |
| Off campus and not using VPN | Using links in indices and finding aids provided by or referencing Vanderbilt libraries | The Library proxy server makes a proxy connection to the external service on your behalf, presenting a Vanderbilt public IP recognized by the service | No |
| Off campus and not using VPN | Addressing a particular service (e.g. www.sciencemag.org) directly in the browser | You go directly to the external service with a non-VU (Comcast, ATT, etc.) IP which the external service rejects. | No. The AD group only modifies the behavior of the VPN, and can have no bearing in this case. |
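
The off-campus rows above can be reproduced with a small model of the VPN client's routing decision and the journal's IP-based check. This is an added example, not VUIT code. The Vanderbilt ranges are the ones given on this page, every individual address is a constructed sample, and "full" stands for a user in the VUIT_No_Tunneling role.

```python
import ipaddress

# Vanderbilt ranges from the page (129.59.y.z, 160.129.y.z, 10.x.y.z) as CIDR.
VU_PUBLIC = [ipaddress.ip_network(n) for n in ("129.59.0.0/16", "160.129.0.0/16")]
VU_PRIVATE = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample addresses; none of these is a real Vanderbilt or journal host.
HOME_IP = ipaddress.ip_address("203.0.113.25")   # user's ISP address
JOURNAL = ipaddress.ip_address("198.51.100.80")  # external licensed service
VPN_ADDR = ipaddress.ip_address("10.20.30.40")   # address handed out by the VPN
VU_EGRESS = ipaddress.ip_address("129.59.0.10")  # perimeter NAT / proxy egress


def is_vu(addr):
    return addr in VU_PRIVATE or any(addr in net for net in VU_PUBLIC)


def enters_tunnel(dest, vpn):
    """Client-side routing decision. vpn is None, "split" or "full"."""
    if vpn is None:
        return False
    return True if vpn == "full" else is_vu(dest)


def source_seen_by(dest, vpn):
    """Source address the destination observes for an off-campus user."""
    if not enters_tunnel(dest, vpn):
        return HOME_IP
    # Inside the tunnel the user holds a 10.x.y.z address; traffic leaving
    # campus for the internet is translated at the perimeter (assumed here to
    # behave as the page describes for on-campus private addresses).
    return VPN_ADDR if is_vu(dest) else VU_EGRESS


def journal_allows(src):
    """IP-based licensing: only the subscriber's public ranges are accepted."""
    return any(src in net for net in VU_PUBLIC)


def can_read(vpn, via_library_proxy):
    # The proxy connects on the user's behalf, so the journal sees its address.
    src = VU_EGRESS if via_library_proxy else source_seen_by(JOURNAL, vpn)
    return journal_allows(src)


if __name__ == "__main__":
    for vpn in (None, "split", "full"):
        for proxy in (True, False):
            print(f"vpn={vpn!s:5} library_proxy={proxy!s:5} -> access={can_read(vpn, proxy)}")
```

The only combination the role changes is a direct request over the VPN: it fails under "split" and succeeds under "full", while every proxy row succeeds regardless of VPN state.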