IT Connect
Information technology tools and resources at the UW

Husky OnNet – Department (HON-D) Service

General access to the UW network via Husky OnNet is insufficient to access restricted department/unit network segments. The Husky OnNet – Department (HON-D) service provides UW departments and units the ability to grant individuals access to restricted network-connected resources.

The Husky OnNet – Department (HON-D) for-fee service supports secure connections from both on- and off-campus locations to departmentally-restricted subnets using a departmentally-controlled authorized users access list. The default configuration supports up to 62 simultaneous connections for each of two departmental connection servers (department & UW traffic only or all Internet traffic) included in the service.

NOTE: Please refer to the UW’s Access and Use Agreement as well as the Office of the CISO pages on Due Care and Policies Standards and Guidelines to ensure appropriate use of this service.

Getting the Husky OnNet – Department (HON-D) service

Who is eligible to purchase this service?

Departments/units with a UW budget number that are directly connected to the UW network are eligible for the Husky OnNet – Department (HON-D) service. If your unit is connected directly to the UW Medicine network, please contact the UW Medicine helpdesk for information about tools and resources to meet your needs. If you do not know which network you are connected to, please contact and indicate which of your network subnets you are interested in serving through this service.

How much does the service cost?

  • One-time Installation cost: $560.00
  • Monthly recurring fee: $51.63

How does the service work?

From the end user perspective, your service will work just like the regular Husky OnNet service except that for departments who allow HON-D access through their department firewall, authorized users will also have access to the department’s server(s). For more information, read about Husky OnNet service.

What are the prerequisites to purchase and use this service?

  • UW Group: Interested departments will need to create, manage, and maintain their own UW Group containing UW NetIDs associated with authorized users. The HON-D service will reference this UW Group to determine if a user is allowed access. The department’s UW Group administrator(s) are responsible for the following: knowing whether a given user should have access or not; sponsoring them with a Sponsored UW NetID as appropriate; ensuring that all members of the UW Group read and accept the UW Access and Use Agreement; and routinely reviewing the access list to be sure it is current.
  • Network subnet: Departments will need to have and manage their own network subnet.
  • Departmental support: Departments will need their own technical support as end user support will be provided at the departmental level. UW-IT will provide HON-D support for the department’s technical staff.
  • Budget number: A valid UW budget number is necessary to purchase.

What are my department’s/unit’s responsibilities?

  • Your department must “own” and proactively manage a UW Group containing the UW NetIDs of the persons authorized to use the service. Understand that these person(s) will be able to access the department/unit’s network resources as well as general UW network resources.
  • Understand and apply policies and requirements associated with use of UW IT infrastructure and data. These include, but are not limited to:
  • Your department must provide department/unit based technical support staff who are responsible for:
    1. Assisting the department’s/unit’s authorized HON-D end-users and
    2. Interacting with UW-IT HON-D support staff for issues with the configured service.

How do we order HON-D service?

1) Understand how the service works and your department’s responsibilities. Review the related Husky OnNet and HON-D IT Connect pages for more information or contact if you are not finding the information you need.

2) Prepare the following information for when you place your order online:

  • Department/Unit Name
  • Technical Contact(s) Email
  • Preferred department identifier or acronym for naming your HON-D virtual servers, i.e.:
    • split tunnel service: [dept acronym]
    • not split tunnel service: [dept acronym]
  • Do you need to use your own DNS servers? If yes, please provide the IP address of each of the primary and secondary DNS servers.
  • UW Group for Authorized Access list
  • Whether you require 2FA for logins (Note restrictions apply; not all persons with UW NetIDs are eligible or enrolled in the 2FA service.)
  • Does your Department use the UW-IT Managed Firewall service and would you like UW-IT to permit the associated HON-D lease pool?
  • Comments Section – if you need to support more than the default 62 simultaneous users per server, please note your needs here; include any other relevant information for your service.
  • Budget Coordinator Full Name
  • Budget Coordinator NetID
  • Budget Coordinator UW Mailbox Number
  • Budget Number (including PCA Task/PCA Option/PCA Project numbers as required)

3) When you have your information collected, complete and submit this Husky OnNet – Department Service form.

Once we’ve placed the order, how do we get started with the service?

Once an order for the service has been placed, it may take up to 10 business days to stand up the service. The person who placed the order will be contacted to confirm UW-IT has received the order and to ask for any clarifying information that may be needed to get the provisioning started.

There are three configuration activities needed:

1) With information provided by the department, UW-IT will configure your HON-D service on a central network access device (powered by an F5 BIG-IP Access Policy Manager). This configuration will…

  • Provision departmental access servers: [dept acronym] for split tunnel, [dept acronym] for no-split tunnel
  • If your department uses the managed firewall service, the installation engineer will coordinate firewall policy updates with your department’s firewall technical contact to confirm permission of your new HON-D lease pool
  • Create an association with your departmentally managed UW Group access list

2) Members of the departmental UW Group will use their UW NetID to download the MacOS or WIN client edge application from UWare and install it on their device(s).

3) With these two steps completed, the department will be given the opportunity to test and confirm the service is working: they will test each of the provisioned servers – [dept acronym] and [dept acronym] – in two separate test runs.

Assuming the customer does not report problems with the service at the time of testing (or within two business days of notification if the customer does not respond), billing for the service will begin.

Common questions about the service

How many simultaneous users can my HON-D service support?

For a given HON-D service, the default configuration can support up to 62 simultaneous connections on each of the service servers – split tunnel and no-split tunnel. If you need a configuration other than the default, please contact and put “Husky On-Net – Department Service” in the subject line. The Husky OnNet service team will work with you to right-size your service deployment.

Will HON-D service support both split & no-split service tunnel options?

Yes. The HON-D service will be configured for use with two servers as follows:

  • [dept acronym]: Recommended server. The user’s client application connects to the UW network. However, if the user chooses to simultaneously connect to a site outside the UW network, that connection will be made via their normal ISP service, rather than through their HON-D connection. This connection configuration is called ‘split’ because traffic to/from the user’s device is going over two different connections: the UW network and their ISP service.
  • [dept acronym]: Special requirements uses only. Some services outside the UW network may require that the person connecting appear as if they are coming from a UW Network location. In this instance all of the user’s traffic will use the HON-D connection and will not use the ISP service to send traffic to/from the Internet. This connection configuration is called a ‘no-split’ connection.

May HON-D be used to access UW-restricted library resources?

No. HON-D should never be used for accessing UW-restricted library resources. For those needing access to UW-restricted library resources, see University Libraries Off-Campus Access. Husky OnNet (HON) service using the “All Internet Traffic” server is an allowable means of connecting to these resources.

How is authorization to the service handled and who is eligible to use it?

Any UW NetID authorized by the department may be included in the department’s authorization list. Each department/unit with a HON-D service will deploy and manage their own UW Group access list. The departmental UW Group manager(s) determine(s) which UW NetIDs should have access to their controlled network resources. The department may either provide the authority to the UW Group manager or may want to establish an internal review and vetting process to be followed by their UW Group manager(s).

Authorization FAQ

We do not yet have a UW Group access list. How do we get a UW Group?

Please see information about the UW Groups service here. The UW Groups service is covered under the Technology Recharge Fee and there are no extra costs to use this service. Before you get started with HON-D, you will be required to have an active UW Group set up, including at least one UW Group administrator.

We already have a UW Group set up for access into our subnet from on-campus. May we use the same UW Group?

Yes, you may use an existing, managed UW Group but it’s recommended that you fully vet the current UW NetIDs in the group and determine how you will make additions and updates in the future.

If we want to include a Sponsored UW NetID, is it first required to purchase the All Compute Services package at $20/mo as is required for general Husky OnNet access to the UW network?

No. For the HON-D service, the department/unit may include Sponsored UW NetIDs in their UW Group access list and those Sponsored UW NetIDs will be authorized to access the HON-D service as part of the HON-D service fee.

What if we need to allow access to a non-UW person, e.g., someone who does not have a UW NetID, a collaborator from another university, or a vendor who remotely provides updates to our on-prem application?

You need to first provide them with a Sponsored UW NetID, have them accept the UW’s Access and Use Agreement, and then include that Sponsored UW NetID in your access list.

Can we use a shared UW NetID in the UW Group for authorized access?

Yes, however, if it is truly used by multiple people this is not recommended. For security purposes, using individually assigned UW NetIDs is preferred. In addition, the WIN and MacOS user apps can NOT be downloaded from UWare using a shared UW NetID. The download of the client app must be made using an individually assigned UW NetID.

We have retired faculty and former graduate students who are still active on a research project and need access to restricted departmental information. Can they be included in the UW Group access list for the HON-D service?

Yes, using their UW NetIDs.

Is two-factor authentication available for persons accessing our subnet?

This feature is available but there are important restrictions that you should understand before deciding if 2FA functionality will work for your HON-D service.

Two-factor authentication FAQ

Who is eligible for 2FA?

Refer to the 2FA FAQ for details. As of Oct. 2017, only employees and students in approved programs are eligible to enroll in 2FA. 

What happens when someone in the UW Group of authorized users for a HON-D service with 2FA tries to access the HON-D service but they are not enrolled in the 2FA service or they are not eligible?

They will be denied access. Eligible users will need to enroll in 2FA first. Refer to the 2FA FAQ for details.

What happens when an authorized 2FA HON-D user tries to enroll in 2FA when they are not eligible for 2FA?

When a user who is not eligible for 2FA tries to enroll in 2FA, they will get an error message saying they’re not eligible.

When will 2FA be available to my other 2FA HON-D users?

UW-IT is working to expand 2FA eligibility during Autumn quarter 2017.

Is it possible to split a single HON-D service so that 2FA-enabled users are required to authenticate with 2FA before connecting, but all others may get in without 2FA?

No. All authorized users of a single HON-D service must use the same authentication and authorization method.

Getting the Husky OnNet Client Apps for HON-D Services

Windows and MacOS client app software is available from UWare, along with Chrome and Firefox browser helper applications for Linux. UW NetIDs (excepting shared UW NetIDs) that are included on the departmentally-managed UW Group access list will be able to download the client app software from UWare.

Client Apps FAQ

What about other types of client apps? Are they available?

Other F5 BIG-IP Edge client apps (e.g., Chrome, iOS, Android) are available through third party App download sites. Users are welcome to use these on a self-supported basis.

In addition to authorizing access by an individual, can HON-D also authenticate access into our subnet by using a list of approved device MAC addresses?

No, this functionality is not currently available.