VPN Access to the PSI Intranet
By connecting through the VPN a host becomes effectively part of the PSI intranet, regardless of its original location. The system will appear on the Internet with a PSI address, and traffic will pass through the PSI Firewall.
Thus the following rules apply to all users of the VPN Software.
Rules
- Users of the VPN client must adhere to the "Usage and Monitoring of IT Resources at PSI" (Nutzung und Überwachung der EDV-Ressourcen am PSI).
- An up-to-date virus scanning tool must be installed and running on the client (see note 1).
- The client OS must be fully patched, in particular with OS and application security fixes.
- AIT may monitor the VPN traffic to prevent misuse (see note 2).
- No network services (web server, P2P etc.) may be offered on VPN clients.
- AIT supports users by providing installation help (this page) and the VPN client software. Additional support can only be provided for PSI standard installations.
- Note 1: A good virus scanner, free for home use, is available from Avira Free Antivirus.
- Note 2: AIT will not access your home system. Only traffic flowing through the PSI network will be monitored.
FAQ
Which password must I use (with SecurID)?
The password is a 12-digit number comprised of your PIN, followed by the current number shown by your token.
After installing I can't access my PC anymore from other systems.
If you are connected through the VPN, access to the PC is not possible, except through your secure channel. Otherwise your system would open up a tunnel from the Internet to the PSI net, bypassing the Firewall.
How will the VPN software affect throughput?
When you're at home, measurements indicate that the throughput between your PC and the network at work may be reduced by somewhat less than 10 percent, depending upon the type of traffic being generated. Whilst any amount of performance degradation is undesirable, it is the cost of doing business securely and offering an improved access possibility.
Will AIT have access to my PC when I'm connected through VPN?
No, your PC will become part of the PSI network, but that is not enough for anyone to get access to your system. When you connect to the PSICH domain, AIT could, in principle, run the same scripts on your home system as it does on your office machine. However, AIT will not execute any of these scripts on a system connected through VPN.
However, AIT may monitor the network traffic you create. This is done automatically, and AIT staff will only look at it if our monitoring software reports a problem. This software watches for hacker attacks (in and out :-) ), network problems, viruses etc.
Is it possible to connect to PSI with a Windows XP system?
After April 8 2014, VPN is forbidden with XP clients. The firewall will block such clients. The reason for this is that Microsoft no longer provides security updates for Windows XP.
I have installed a firewall and now VPN doesn't work anymore.
VPN needs certain ports and protocols open. These are:
| Protocol | Port |
| --- | --- |
| TCP | 443 |
| UDP | 443 |
| UDP | 500 |
| UDP | 4500 |
Problems with AFS via VPN (Windows)
- RDP session via VPN to the PSI terminal server winterm3.psi.ch (requires SecurID token), or
- RDP, VNC, SMB etc. via SSH tunnelling to hop.psi.ch (does not require a SecurID token)
PSI employees can tunnel the following TCP connections into the PSI LAN via hop.psi.ch:

| TCP port number | Used by |
| --- | --- |
| 22 | SSH |
| 80/443 | HTTP(S) |
| 445 | Windows file server (e.g. fs00, fs01 or fs02) |
| >1023 | e.g. RDP, VNC etc. |

External employees can tunnel the following TCP connections into the PSI LAN via hop.psi.ch:

| TCP port number | Used by |
| --- | --- |
| 22 | SSH |
| 3389 | RDP |
| 5900 | VNC |

If necessary, further connections can be released on request.
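As an added example for the SSH-tunnelling workaround above (not PSI's or AIT's own tooling): a POSIX shell helper that checks a requested destination port against the two hop.psi.ch allow-lists on this page and prints an ssh command whose forwarded port listens only on 127.0.0.1, so the tunnel stays private to your own machine instead of offering other hosts a way into the PSI LAN (the same concern as the firewall-bypass point in the FAQ). The host fs00 and the user name alice used in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not PSI/AIT tooling. Encodes the hop.psi.ch port lists
# from this page and builds a loopback-only ssh local port forward.

# hop_port_allowed CLASS PORT
# Return 0 if TCP port PORT may be tunnelled by a user of CLASS
# ("employee" or "external"), 1 otherwise.
hop_port_allowed() {
  class=$1; port=$2
  case $port in
    ''|*[!0-9]*) return 1 ;;            # not a plain number
  esac
  case $class in
    employee)
      # 22 SSH, 80/443 HTTP(S), 445 Windows file server, >1023 RDP/VNC etc.
      case $port in 22|80|443|445) return 0 ;; esac
      [ "$port" -gt 1023 ] && [ "$port" -le 65535 ] && return 0
      return 1 ;;
    external)
      # 22 SSH, 3389 RDP, 5900 VNC only
      case $port in 22|3389|5900) return 0 ;; esac
      return 1 ;;
    *) return 1 ;;
  esac
}

# hop_tunnel_cmd CLASS TARGET LOCALPORT REMOTEPORT [USER]
# Print the ssh command that forwards 127.0.0.1:LOCALPORT on this machine
# to TARGET:REMOTEPORT inside the PSI LAN via hop.psi.ch.
# Binding to 127.0.0.1 rather than 0.0.0.0 keeps the forwarded port off
# the network; -N opens no shell and ExitOnForwardFailure aborts instead
# of silently running without the tunnel.
hop_tunnel_cmd() {
  class=$1; target=$2; lport=$3; rport=$4; user=${5:-$USER}
  hop_port_allowed "$class" "$rport" || {
    echo "TCP port $rport is not released for $class users via hop.psi.ch" >&2
    return 1
  }
  echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${lport}:${target}:${rport} ${user}@hop.psi.ch"
}

# Usage (placeholders): hop_tunnel_cmd employee fs00 14445 445 alice
# then point the SMB client at \\127.0.0.1 port 14445.
```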
Documentation:
https://www.psi.ch/en/computing/ssh-hop
https://www.psi.ch/de/computing/ssh-hop