Network Extension / VPN request process

This page is for Michigan Engineering IT staff whose department or researchers need remote access to systems that the umich VPN does not provide or facilitate. After consultation with the Michigan Engineering Data Security Analysts, authorized personnel should submit these requests, as they pertain to the security and configuration of the department’s network infrastructure.

A Private Dedicated VPN

In the case of a VPN, it is expected that the University community will use the Campus VPN, which has strong encryption and uses SSO and two-factor authentication.  

If the University-provided services do not meet your business needs, you can request a campus-run VPN with a private dedicated IP range.  It uses the Campus VPN service but can only be accessed by a user-managed list of uniqnames (an MCommunity group), and it allocates the client an IP address in a specified IP range.  This is used in conjunction with the Campus Firewall (NGFW) to protect access to specific devices that cannot be exposed to the Internet.

How to request:

  1. Email [email protected] to inform them of your request for an exception to a network extension.
  2. Create an MCommunity group whose members will receive access. Name the group in accordance with the following format:
    • VPN-remote-<OU>-<optional descriptor>-<optional descriptor 2>
    • The optional descriptors help separate the different profiles.  They should be clear enough to show the profile's purpose and who to contact if something comes up.
      • Here are some examples:
        • VPN-remote-ITS-ITCOM-IPTV
        • VPN-remote-ITS-VoIP
        • VPN-remote-ITS-DAS-eng
        • VPN-remote-ITS-DAS-vendor
  3. Open a ticket with 4HELP to request a Private Dedicated Campus VPN.
    • Include the name of the MCommunity group you created.
    • Mention the expected peak number of concurrent devices, factoring in future growth.
    • Request that 4HELP route the ticket to ITS Infrastructure Networks, and reference Walter Reynolds (waltr) in the ticket for thoroughness [as of November 2023].

Upon approval, you will be provided with a custom VPN profile and a corresponding set of dedicated IP addresses. Be aware that the number of dedicated IP addresses may be fewer than the number of anticipated devices, as there may be a Network Address Translation (NAT) setup that allows multiple devices to share IPs.

An Exception for a Network Extension

Extensions to the U-M network must be documented by the requesting unit, then reviewed and approved by appropriate campus network administrators, ITS Networking, and ITS Information Assurance. When unapproved network extensions are identified, they will be blocked by ITS & IA without notice. If you believe you have a need to create an extension of the U-M network with a private VPN, you can request an exception for a network extension from IA and ITS, who will subsequently vet and then approve or deny the request.

How to request:

  1. Email [email protected] to inform them of your request for an exception to a network extension.
  2. Complete the necessary ITS TeamDynamix Network Extension Request Form.

An Exception to Campus-Blocked Protocols (IRAP)

While there may be few exceptions provided for off-campus access to these protocols, users can review the mitigation steps below when access is needed.

Mitigation:

Behavior changes needed to mitigate the risks of IRAP include the following:

  • Use of the VPN: Protocols blocked by the IRAP can be accessed using the U-M provided VPN service. This currently requires users to manually start the VPN connection before accessing blocked services. Refer to Getting Started with the VPN for more information. 
  • Use of DirectAccess: Currently, most users of Windows systems managed via ITS MiWorkspace and ITS Platform as a Service can automatically use DirectAccess, which provides VPN-like network access to campus networks, bypassing any of the blocking described in this proposal. Refer to DirectAccess as a Service for more information. 

How to request:

  1. Email [email protected] to inform them of your request for an exception to a network extension.
  2. Fill out the TeamDynamix form "ITS-Network Border Infrastructure | Blocked Port Exception" to start the process with ITS and IA.

Additional Information