Approved Campus Remote Access Services

Summary

Per the MSSND 8: Remote Access Services requirement, anything that provides or allows access to campus systems or networks from all (or significant portions) of the public Internet must be approved by the CISO.

Units may also approve their own remote access services provided the services:

  1. Meet the implementation requirements outlined in MSSND 8: Remote Access Services Guideline, and

  2. Are in documented Unit policy. 

Approved Campuswide Remote Access Services

The following services have been reviewed and approved by the CISO for campuswide use.

Service

Notes

bSecure Remote Access VPN (Campus VPN)

  • Preferred method for remotely connecting to the Campus network

IST Remote Desktop Gateway

(Not approved for P4 data. Email win-ticket@berkeley.edu for options for P4 data.)

  • Windows systems wishing to use RDP (Remote Desktop Protocol) may enroll in this service

  • CalNet and Duo Multi-Factor Authentication is required for all IST RD Gateway connections

  • The IST RD Gateway is open to the Internet and relays authenticated connections to systems running RDP:

    • Individual RDP services must use a host-based or network-based firewall so that only inbound connections from the IST RD Gateway, VPN network ranges, and campus network ranges are permitted

    • All other inbound connections to individual RDP services (port 3389/TCP by default) should be denied by default

IST Citrix

  • Enterprise applications hosted through the IST-managed Citrix gateway may be accessed remotely

Library Proxy Service (EZproxy)

  • The Library’s EZproxy service is an alternative to using the Campus VPN to access Library resources from off campus
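
One way to apply the host-based firewall requirement listed under IST Remote Desktop Gateway on a Windows system, shown as an added example that is not part of the original page or any IST tooling. The three source addresses are placeholders and the rule name is arbitrary; substitute the actual IST RD Gateway, VPN, and campus network ranges.

```powershell
# Added example: placeholder addresses (RFC 5737 documentation ranges), not campus values.
$PermittedSources = @(
    '192.0.2.10',       # placeholder: IST RD Gateway
    '198.51.100.0/24',  # placeholder: VPN network range
    '203.0.113.0/24'    # placeholder: campus network range
)
$RdpPort  = 3389        # default RDP port; change if the host listens elsewhere
$RuleName = 'RDP - RD Gateway, VPN and campus only'   # arbitrary rule name

# Run from the console or a permitted source: step 2 drops other RDP sessions.

# 1. Deny by default: inbound traffic matching no allow rule is blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the built-in Remote Desktop rules, which accept any remote address.
#    ('Remote Desktop' is the group's display name on English-language Windows.)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Add one allow rule scoped to the permitted sources, if not already present.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        DisplayName   = $RuleName
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $RdpPort
        RemoteAddress = $PermittedSources
    }
    New-NetFirewallRule @rule | Out-Null
}

# 4. Check: list every other enabled inbound allow rule that names the RDP port,
#    with its remote-address scope, so leftovers can be reviewed and removed.
$others = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains "$RdpPort") {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr.RemoteAddress -join ',' }
        }
    }
if ($others) { $others | Format-Table -AutoSize }
else { Write-Output "Only '$RuleName' allows inbound TCP/$RdpPort." }
```

The check in step 4 matches only rules that name the port explicitly; rules that cover it through a port range or through Group Policy still need a manual review.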

 

Prohibited Remote Access Services

The following services are not permitted on the campus network.

Service

Notes

Tor Project

General use of the Tor project is permitted; however, operating a Tor project “exit node” on the campus network is prohibited. 

 

Requesting CISO Approval for a Campuswide Remote Access Service

Instructions:

  • Email security@berkeley.edu and include:

    • The purpose and business need

    • The configuration

    • The constituency of the remote access service

  • General requirements for all remote access gateway services are listed below. Exceptions may be granted at the CISO’s discretion.

Requirements: