Insecure Remote Access Protocols (IRAP)

Certain "insecure remote access protocols" (IRAP) are blocked at the U-M network border. If you run a service whose port is blocked at the border, it is expected that users will first authenticate to the Campus VPN; once connected, the blocked protocols can be reached. This assures that the user establishing the Campus VPN connection is a valid member of the U-M community, verified through Single Sign-On (SSO). If you believe you require an exception to a blocked port (e.g., a research need for a device that must be accessed from outside the U-M network), you can request an exception for a campus-blocked protocol from Information Assurance (IA) and ITS.

Running non-approved VPNs, or network hardware and services that extend the network, allow non-SSO access, or run on different ports to bypass blocked ports, are all considered "network extensions". Unauthorized use of network extensions, specifically to bypass SSO or the IRAP blocks, is considered by IA to be a risk to the security of U-M's digital assets and runs counter to the standard. Extensions to the network include, but are not limited to:

  • Routers, switches, and hubs.
  • Wireless access points.
  • Firewall appliances.
  • VPN servers or VPN-like devices and programs (e.g., Tailscale, WireGuard, TeamViewer, or similar).

Extensions to the U-M network must be documented by the requesting unit, then reviewed and approved by the appropriate campus network administrators, ITS Networking, and ITS Information Assurance. When unapproved network extensions are identified, they will be blocked by ITS and IA without notice. If you believe you need to create an extension of the U-M network with a private VPN, you can request an exception for a network extension from IA and ITS, who will vet the request and then approve or deny it.

In the case of a VPN, it is expected that the University community will use the Campus VPN, which has strong encryption and uses SSO and two-factor authentication. As an additional option, you can request a campus-run VPN with a private dedicated IP range. It uses the Campus VPN service but can only be accessed by a user-managed list of uniqnames (an MCommunity group), and it allocates each client an IP address from the specified range. This is typically used in conjunction with the Campus Firewall (NGFW) to protect access to specific devices that cannot be exposed to the Internet.