Cisco Anyconnect Uva



With your UVA computing ID, Eservices password, and Duo Mobile in hand, you must run the Cisco AnyConnect software to start a UVA High Security VPN connection every time you use any Ivy resource. AnyConnect will authenticate to the UVA network using a digital certificate installed on your workstation. More information on VPN from ITS.

To access the VPN on university-managed computers (MESA or Jamf Pro), you will need to use the Cisco AnyConnect client. The client is available on all university-managed computers in the Software Center (MESA) or in Mason Self Service (Jamf Pro).

Select the Cisco AnyConnect compatible VPN option. Fill in the blanks for a new VPN. Off-Grounds Rivanna users should use the ITS more-secure network. The gateway for that VPN is moresecure-vpn-1.itc.virginia.edu.

How to install a personal digital certificate to allow authentication to numerous UVA services.

The Cisco AnyConnect VPN client uses two kinds of web security: the on-premise Cisco Web Security Appliance and the cloud-based Cloud Web Security offering.

Instructions to set up Remote Desktop to connect to a Windows 10 workstation from a Windows or Mac computer.

Setup HOST Computer

Log on to the HOST Machine (the workstation you will remotely log into) and self-elevate to admin.

BME IT SUPPORT Temp Admin Request

Once you have TempAdmin privileges, add your userID to the Remote Desktop Users Group:


On the Host PC open File Explorer, right click on This PC, and click Manage. Enter admin credentials.

Under Computer Management -> Local Users and Groups -> Groups, select the Remote Desktop Users Group.

Click Add, enter your UVA userID, click Check Names, & click OK. Exit all open windows.

Find the IP Address of the Host PC.

Open Command Prompt and type IPCONFIG.

Note the IPv4 Address. This is the IP Address of your Host Machine which may change if it shuts down or restarts.
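The host-side steps above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original instructions; the account name ESERVICES\mst3k is a placeholder to replace with your own computing ID.

```powershell
# Added example: scripted equivalent of the Computer Management steps above.
# Run in an elevated PowerShell session on the HOST PC.
# 'ESERVICES\mst3k' is a placeholder account, not a value from the instructions.
param(
    [string]$Member = 'ESERVICES\mst3k'
)

# S-1-5-32-555 is the well-known SID of the built-in Remote Desktop Users group.
# Using the SID avoids depending on the localized group name.
$rdpGroupSid = 'S-1-5-32-555'

function Add-RdpUserIfMissing {
    param([string]$Account)
    # Read current membership first so the script is safe to re-run.
    $current = Get-LocalGroupMember -SID $rdpGroupSid -ErrorAction Stop
    if ($current.Name -contains $Account) {
        Write-Output "$Account is already in Remote Desktop Users"
    } else {
        Add-LocalGroupMember -SID $rdpGroupSid -Member $Account -ErrorAction Stop
        Write-Output "Added $Account to Remote Desktop Users"
    }
}

Add-RdpUserIfMissing -Account $Member

# Review everyone who can now log on over RDP; remove entries you do not recognize.
Get-LocalGroupMember -SID $rdpGroupSid |
    Select-Object Name, ObjectClass, PrincipalSource

# IPv4 addresses of the host, skipping loopback and self-assigned (APIPA) addresses.
# PrefixOrigin 'Dhcp' means the address can change after a shutdown or restart.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin
```

The membership listing doubles as a least-privilege check: only accounts that actually need remote access should appear in it.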

From the Windows computer you are connecting FROM:

You'll need the Cisco Anyconnect VPN software with the UVA Anywhere Profile and a valid digital certificate to connect from Off Grounds.

https://in.virginia.edu/vpn

Open the Remote Desktop Client Application, enter IP Address, click Connect.

Enter your credentials as: ESERVICES\[your UVA userID] and PASSWORD.

From the Mac OS X computer you are connecting FROM:

You'll need the Cisco Anyconnect VPN software with the UVA Anywhere Profile and a valid digital certificate to connect from Off Grounds.

Setup instructions at: https://in.virginia.edu/vpn

Download the Microsoft Remote Desktop App from the App Store.

Open the Remote Desktop Client, Add a new connection, enter IP Address, click SAVE. Open connection.

Enter your credentials as: ESERVICES\[your UVA userID] and PASSWORD.

Contact BME IT Support if you have trouble connecting

Ivy

Ivy is a secure computing environment for researchers consisting of virtual machines (Linux and Windows). Researchers can use Ivy to process and store sensitive data with the confidence that the environment is secure and meets HIPAA or CUI requirements.

Ivy consists of both virtual computing environments and secure storage. In order to obtain access to either system, users must 1. Submit an account request, 2. Complete the Information Security Awareness Training, and 3. Ensure their personal computer meets all High Security VPN requirements.

University of Virginia tenure stream and academic general faculty, research faculty, research scientists, and postdoctoral associates may request an account on Ivy. UVA graduate and undergraduate students are not permitted to request accounts—this must be done by their faculty advisor(s).

Access to Ivy resources is project-based, limited to PIs and their designees, and requires approval. Once a project is approved a PI and her/his researchers must sign a RUDA (one for every researcher on each project).

In order to use Ivy, researchers must complete the High Security Awareness Training (HSAT). This training takes approximately 10 minutes to complete.

If you have a Workday account, please complete the training at the following link: Workday HSAT.

If you are a student and do not have a Workday account, please contact infosec-training@virginia.edu for access to alternate training materials.

The High Security VPN (HSVPN) allows researchers to connect to Ivy securely both on and off grounds. In order to use the HSVPN, users must ensure that their personal machines meet the following requirements. More information on HSVPN compliance can be found on the ITS website: https://in.virginia.edu/vpncheck

  1. Install the Cisco AnyConnect Secure Mobility Client. This can be found at the UVA ITS Software Gateway. Be sure to install the version of VPN Client HS 4.6 that is compatible with your personal computer’s operating system. More detailed instructions for installing the VPN client can be found on the ITS website.

  2. Install Opswat. Opswat checks if your computer is compliant with HSVPN requirements. Opswat can be downloaded from the UVA ITS Software Gateway.

  3. Install anti-malware software (Cylance recommended). Anti-malware software must be installed on your machine. Cylance is behavioral-based anti-malware software and meets UVA’s HSVPN requirements. Cylance can be downloaded from the UVA ITS Software Gateway.

1 Authentication

You will sign in to all Ivy resources using your UVA computing ID and Eservices password. Because of Ivy's high security requirements, your Eservices password must be changed every 60 days.

Need help resetting your Eservices password?

If you are working from a secure Health Systems workstation you are ready to connect. If you are working from elsewhere on or off Grounds you will need Duo MFA and a High Security VPN connection.

2 Duo MFA

To connect to the Ivy environment with VPN you will need to install the Duo Mobile multi-factor authentication (MFA) app on your smartphone.

In the context of Ivy, Duo allows you two ways to provide a second factor of authentication beyond your password: via a random 6-digit key, or via a push message direct to your phone.

3 High Security VPN

With your UVA computing ID, Eservices password, and Duo Mobile in hand, you must run the Cisco AnyConnect software to start a UVA High Security VPN connection every time you use any Ivy resource. AnyConnect will authenticate to the UVA network using a digital certificate installed on your workstation.

More information on VPN from ITS:

  • High Security VPN installation and connection instructions.
  • How to create, install, and use digital certificates.

Once you have completed these three steps, you will be connected to the secure Ivy network. From there you can connect to a Virtual Machine, or use a web browser to access JupyterLab.

A virtual machine (VM) is a computing instance dedicated to your project. Multiple users can sign into a single VM.

Virtual machines come in two platforms, CentOS7 Linux and Windows Server 2012R2. Each platform is available in three instance types. Refer to the grid below for specifics.

Note that Windows VMs only support concurrent access by 2 users at a time.

Type      Specs                    Cost
Mini      2 cores / 2GB mem        $4/month
Small     4 cores / 16GB mem       $12/month
Medium    8 cores / 32GB mem       $48/month
Large     16 cores / 64GB mem      $96/month
Xlarge    16 cores / 124GB mem     $176/month

Once created, your instance will be assigned a private IP address that you will use to connect to it (in the format 10.xx.xx.xx). VMs exist in a private, secure network and cannot reach outside resources on the Internet. Most inbound and outbound data transfer is managed through the Data Transfer Node (see below).

Connecting to your VM

To connect to your VM, you must install either an SSH client to connect to your VM using the command-line interface (CentOS VMs only), or remote desktop software to connect to the desktop GUI of your VM. These options are outlined below.

MacOSX Users:

  • Terminal (for SSH, built-in. Can be found in Applications -> Utilities -> Terminal)
  • Microsoft Remote Desktop (for remote desktop to Windows or CentOS VMs, download here)

Windows Users:

  • PuTTY (for SSH, download here)
  • Microsoft Remote Desktop (built-in, for remote desktop to Windows or CentOS VMs)


To connect to Ivy follow the platform-specific steps below:

  • Open your High Security VPN connection
  • Reference the IP address of your Ivy VM.
  • For SSH access:
    ssh uva-id@ip-address
  • For Remote Desktop access: Enter the IP address of your VM in a web browser (https://10.xxx.xxx.xxx) and sign in with your Eservices username and password.
  • Open your High Security VPN connection
  • Reference the IP address of your Ivy VM.
  • For Remote Desktop access: Start an RDP client and point to the IP address of your VM and sign in with your Eservices password and your computing ID prefixed by ESERVICES\ as the user name (i.e. ESERVICES\mst3k)

Software

Every virtual machine (Linux or Windows) comes with a base installation of software by default. These help researchers by providing the basic tools for data processing and manipulation. Additional software packages are pre-approved and available for installation upon request. See the lists below for options.


Preinstalled Software

Click on each for details:
  • RStudio 1.0.136
  • RStudio Server 1.2.1335
  • Atom Text Editor 1.14.3
  • Emacs 24.3.1
  • FastX Server 2.4.16
  • JupyterHub 1.1.0
  • JupyterLab 0.32.1
Click on each for details:
  • RStudio 1.1.414
  • Notepad++ 7.3.3

Python/R Packages - Anaconda Python and R packages are available to users through the normal pip, conda, and CRAN and library installation methods.

Additional Approved Software (Available by Request)

If you require additional software not listed, you must submit a request. Requests are reviewed by the UVA ISPRO office for security and regulatory compliance and, if approved, will be installed for you.


To request installation of optional software packages, please use the web request form provided through this link:

Installing Python Packages on Your VM

Creating a Conda Environment

Researchers often require Python packages that are not included in the base install of Anaconda. Users can install additional Python packages on their VMs using conda environments. Conda environments allow users to install packages in isolated environments to avoid version conflicts with other users on the VM.

Windows


  1. Launch “Anaconda Prompt” from the Start Menu.

  2. From the prompt, issue the command:

    conda create -n my_env package1 package2

    where my_env is the name you wish to give your new conda environment, and package1 and package2 are the names of the Python packages you want to install.

  3. To activate and use your new environment, issue the command:

    conda activate my_env

Linux

  1. Log into your VM via SSH or log in through your web browser and launch the Terminal.

  2. From the prompt, issue the command:

    conda create -n my_env package1 package2

    where my_env is the name you wish to give your new conda environment, and package1 and package2 are the names of the Python packages you want to install.

  3. To activate and use your new environment, issue the command:

    conda activate my_env

Creating a Conda Environment with a Specific Python Version

If you require a specific version of Python, you can create a new conda environment with:

conda create -n my_env python=2.7

Installing Packages

After creating your conda environment, you can install additional libraries with pip and conda.

Installing Packages with pip

  • Use pip from the command line to install individual packages:

    pip install numpy

  • You can search for a package:

    pip search panda

  • To see which packages you have installed already:

    pip list

  • You can install packages listed in a requirements.txt file (one package per line):

    pip install -r requirements.txt

  • To save a list of your currently installed packages in a requirements.txt file:

    pip freeze > requirements.txt

Installing packages with conda

conda works similarly to pip.

  • To install a package:

    conda install scipy

  • To search for a package:

    conda search scipy

  • And to list all packages in your environment:

    conda list

Once installed on your VM, packages will persist and you will not need to install them again. You will only need to import them again in your code.

Storage

Ivy VM has a pool of over 2 petabytes of Network Attached Storage shared amongst users. A PI specifies the storage space s/he would like to have when requesting access to Ivy. Virtual machines do not come with any significant disk storage of their own.

As of August 31, 2019 Domino Data Lab will no longer be available within Ivy. Existing projects should be migrated to a virtual machine. Interactive data sessions will be available using Jupyter Notebooks (coming soon!)

JupyterLab is a web-based interactive development environment for Jupyter notebooks, code, and data. JupyterLab is flexible: configure and arrange the user interface to support a wide range of workflows in data science, scientific computing, and machine learning. JupyterLab is extensible and modular: write plugins that add new components and integrate with existing ones.

Moving sensitive data into the Ivy VMware platform is possible through a secure Globus DTN (data transfer node). The Ivy DTN is connected to a pool of secure storage called “Ivy Central Storage” (ICS), which in turn is connected to Ivy VMs. Only active research projects using Ivy virtual machines can use this service.


How to Connect to the DTN and Transfer Files

Before transferring files to Ivy, you will need Globus installed on the computer you are transferring data from. Globus can be downloaded from https://www.globus.org/globus-connect-personal.

  1. Ensure that you are NOT connected to the HSVPN. Data transfer will not work if you are connected to the HSVPN.

  2. Open Globus in your web browser: https://app.globus.org/file-manager. When logging in, select University of Virginia and log in with Netbadge.

  3. Once you are in the Globus File Manager, select the two-panel view by clicking the two-panel button beside the Panels button in the top-right corner of the page. This should open a second panel on the page, so that you have two side by side.

  4. In one panel, click on the Collections field and select your computer. You can then click to the directory that contains the data you want to move, or type the path to the directory in the Path field. Click the files or folders you want to transfer to select them.

  5. In the remaining panel, click on the Collections field and search for and select the Ivy Secure DTN. Select the storage share to which you want to transfer data. (Unless you are part of multiple Ivy projects, you should only see one storage folder.)

  6. Click the Start button beneath the first panel (should be highlighted) to begin the data transfer.

  7. Once the data transfer is complete, you will be able to access the data in your VM by clicking the ICS shortcut on your VM’s desktop.

The Ivy platform is HIPAA compliant by design. From the UVA Institutional Review Board for Health Sciences Research (IRB-HSR):

HIPAA affects only that research which uses, creates, or discloses PHI. Researchers have legitimate needs to use, access, and disclose PHI to carry out a wide range of health research studies.

The Privacy Rule protects PHI while providing ways for researchers to access and use PHI when necessary to conduct research.

In general, there are two types of human research that would involve PHI:

  • Studies involving review of existing medical records as a source of research information. Retrospective studies, such as chart reviews, often do this. Sometimes prospective studies do it also, for example, when they contact a participant's physician to obtain or verify some aspect of the participant's health history.
  • Studies that create new medical information because a health care service is being performed as part of the research, such as testing of a new way of diagnosing a health condition or a new drug or device for treating a health condition. Virtually all sponsored clinical trials that submit data to the U.S. Food and Drug Administration (FDA) will involve PHI.

Researchers must understand that, in general, the more difficult parts of HIPAA compliance are less technical (networks, computers, and data) than human: they lie in how users interact with these systems and data. The mishandling of data – such as storing them on insecure devices or in insecure places – jeopardizes confidential patient data and UVA’s ability to remain a trusted keeper of those data.

All data imported into Ivy must be treated as highly sensitive data. Data and results exported from Ivy must be protected and managed appropriately according to UVA’s data classification guidelines. Guidance regarding these guidelines and data types is available from UVA Information Security, Policy, and Records Office (ISPRO) by emailing it-security@virginia.edu.