Introduction to PPPL Offsite/Remote Computer Access

Updated February 25, 2008

These instructions are for use by PPPL personnel and others who have a legitimate reason for using computer resources at the Princeton Plasma Physics Laboratory (PPPL). Remote access to computer equipment located on PPPL networks requires pre-authorization. Only users with approved, enabled computer accounts and valid SecurID tokens can use the access methods described here.

*** Special Note: As of November 2007 the use of PPPL's Virtual Private Network (VPN) for remote access is strongly encouraged ***


Virtual Private Network (VPN) Access

VPN is the most secure and preferred PPPL remote access method. For detailed instructions on use of VPN, visit the VPN help page:

Instructions for using VPN

If use of VPN is not possible, use one of the firewall authentication methods below.


PPPL Firewall Authentication

There are three methods for performing firewall authentication. Method 1 is the most secure and should always be used if possible.

Method 1 (https) - Browser connection to http://auth.pppl.gov

With your favorite browser, establish a connection to http://auth.pppl.gov. This will redirect your browser to the proper PPPL firewall authentication site.

To authenticate, use your PPPL-provided SecurID Token, and enter your PPPL username and SecurID PIN/passcode.

Authentication Failure

If you have not recently authenticated using your SecurID token, your token may be out of sync with the authentication server. In that case, please visit http://password.pppl.gov/ to correct it using P-Synch. Instructions for using P-Synch are available at http://access.pppl.gov/p-synch/

If your authentication request is accepted, you will receive a screen which says:

Successful Authentication

Client Authentication Remote Service
Firewall message: User authenticated

Methods:

o Standard Sign-on
o Sign-off
o Specific Sign-on

Users should choose Standard Sign-on and press Submit.

Method 2 (http) - Browser connection to http://gfw-esnet.pppl.gov:900

This less-secure method for authenticating is to be used only when the secure https browser method above cannot be used, and may be useful when an older, incompatible browser or command line browser (like lynx) is the only browser available. It can expose the username/password pair to network sniffing.

To authenticate, connect to http://gfw-esnet.pppl.gov:900

Then proceed as in method 1 above by authenticating with your PPPL username and SecurID PIN/passcode.
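Methods 1 and 2 differ in whether the page that receives the username and passcode is reached over TLS. The check below is an added example, not part of the original PPPL instructions: it inspects the URL shown in the address bar after any redirect and says whether credentials would travel encrypted to a host inside pppl.gov. The function name, the https landing URL and the login.example hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "pppl.gov"  # lab domain as it appears on this page


def check_login_url(url):
    """Return (ok, reason) for the URL of the page asking for the passcode."""
    parts = urlsplit(url)
    # hostname is already lower-cased; drop a trailing dot (FQDN form)
    host = (parts.hostname or "").rstrip(".")

    # "https://auth.pppl.gov@other.host/" connects to other.host, not the lab
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL; real host is " + host

    # Accept the domain itself or a true subdomain, not look-alikes such as
    # "authpppl.gov" or "auth.pppl.gov.login.example"
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False, "host outside " + TRUSTED_DOMAIN + ": " + host

    # Method 2 (http on port 900) fails here: the passcode crosses in cleartext
    if parts.scheme != "https":
        return False, "cleartext " + parts.scheme + ": passcode exposed to sniffing"

    return True, "TLS to " + host


# Constructed sample URLs (the page does not name the https redirect target)
SAMPLES = [
    "https://auth.pppl.gov/",               # assumed Method 1 landing page
    "http://gfw-esnet.pppl.gov:900",        # Method 2 as given on this page
    "https://auth.pppl.gov@login.example/", # userinfo trick
    "https://auth.pppl.gov.login.example/", # trusted name used as a prefix
    "https://authpppl.gov/",                # missing dot before the domain
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(("OK    " if ok else "STOP  ") + sample + "  (" + reason + ")")
```

Only the first sample passes; the Method 2 URL is rejected for its scheme even though the host is a lab host.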

Method 3 - Telnet to gfw-esnet.pppl.gov, port 259

This is also a less-secure method for authenticating, and should be used only when a browser cannot be used. This method of authentication may expose the username/password pair to network sniffing.

To authenticate, enter the following command or its equivalent from a command line shell or DOS command prompt:
 
   telnet gfw-esnet.pppl.gov 259

Then proceed as in method 1 above by authenticating with your PPPL username and SecurID PIN/passcode.

Method 3

telnet gfw-esnet.pppl.gov 259
Trying 192.188.106.210...
Connected to gfw-esnet.pppl.gov.
Escape character is '^]'.
Check Point FireWall-1 Client Authentication Server running on gfw-esnet.pppl.gov
User: username
password: **********
User username authenticated by Radius authentication

Choose:

(1) Standard Sign-on
(2) Sign-off
(3) Specific Sign-on
Enter your choice: 1

User authorized for standard services

Connection, Session Timeouts

After successfully authenticating using one of the methods above, you are now able to make connections between the authenticating node and normal PPPL computer resources.

If your session is inactive for more than 120 minutes, the session will be timed out and you must re-authenticate.

If you are having problems authenticating, see the Frequently Asked Questions.