IT Connect
Information technology tools and resources at the UW

Husky OnNet – Department (HON-D) Service

What is the Husky OnNet – Department (HON-D) service?

UW departments/units requiring access to their restricted network-connected resources may want to allow access to certain individuals from on- or off-campus locations. General access to the UW network via Husky OnNet is insufficient to access these restricted department/unit network segments. The Husky OnNet – Department (HON-D) service supports secure connections from both on- and off-campus locations to departmentally-restricted subnets using a departmentally-controlled authorized users access list. The standard service supports up to 62 simultaneous connections for each of two departmental connection servers (department & UW traffic only or all Internet traffic) included in the service.

NOTE: Please refer to the UW’s Access and Use Agreement as well as the Office of the CISO pages on Due Care and Policies Standards and Guidelines to assure appropriate use of this service.

 

May HON-D be used to access UW-restricted library resources?

No. HON-D may not be used for accessing UW-restricted library resources.  For those needing access to UW-restricted library resources, see University Libraries Off-Campus Access.  For current UW faculty, students, and staff, using the general Husky OnNet (HON) service with the “All Internet Traffic” server is an allowable means of connecting to these resources.

 

Who is eligible to purchase this service?

Departments/units with a UW budget number and that are directly connected to the UW Network are eligible for the Husky OnNet – Department service. If your unit is connected directly to the UW Medicine network, please contact the UW Medicine helpdesk for information about tools and resources to meet your needs. If you do not know which network you are connected to, please contact help@uw.edu and indicate which of your network subnets you are interested in serving through this service.

How much does the Husky OnNet – Department service cost?

As of October 1, 2018, there are no fees for this service.

What prerequisites are there to request and use this service?

  • Interested departments will need to create, manage, and maintain their own UW Group containing UW NetIDs associated with authorized users. The HON-D service will reference this UW Group to determine if a user is allowed access. The department’s UW Group administrator(s) is(are) responsible for the following: knowing whether a given user should have access or not; sponsoring them with a Sponsored UW NetID as appropriate; assuring that all members of the UW Group read and accept the UW Access and Use Agreement; and routinely reviewing the access list to be sure it is current.
  • Departments will need to have and manage their own network subnet.
  • Departments will need their own technical support as end user support will be provided at the departmental level. UW-IT will provide HON-D support for the department’s technical staff.

Will HON-D service support both split & no-split service tunnel options?

Yes. The HON-D service will be configured for use with two servers as follows:

https://dept-huskyonnet.uw.edu/[dept acronym]: Recommended server. The user’s client application connects to the UW network. However, if the user chooses to simultaneously connect to a site outside the UW network, that connection will be made via their normal ISP service, rather than through their HON-D connection. This connection configuration is called ‘split’ because traffic to/from the user’s device is going over two different connections: the UW network and their ISP service.

https://dept-huskyonnet-ns.uw.edu/[dept acronym]: Special requirements uses only. Some services outside the UW network may require that the person connecting appear as if they are coming from a UW Network location. In this instance all of the user’s traffic will use the HON-D connection and will not use the ISP service to send traffic to/from the Internet. This connection configuration is called a ‘no-split’ connection.
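To make the split versus no-split distinction concrete, the following added example (not UW-IT's code or configuration) models the client's routing decision with longest-prefix matching and classifies a route table as split or no-split. The route tables, interface names (`tun0`, `eth0`) and prefixes are constructed assumptions using documentation address ranges, and the model covers IPv4 only.

```python
import ipaddress

# Constructed route tables as (prefix, interface). "tun0" stands for the VPN
# tunnel and "eth0" for the ISP link. 198.51.100.0/24 stands in for the campus
# network and 192.0.2.0/26 for a restricted department subnet.
SPLIT_ROUTES = [
    ("0.0.0.0/0", "eth0"),          # everything else leaves via the ISP
    ("198.51.100.0/24", "tun0"),
    ("192.0.2.0/26", "tun0"),
]
NO_SPLIT_ROUTES = [
    ("0.0.0.0/0", "tun0"),          # all traffic enters the tunnel
    ("203.0.113.1/32", "eth0"),     # host route to the VPN server itself
]

def egress(routes, dest):
    """Return the interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]

def tunnel_mode(routes, tunnel="tun0"):
    """Return 'no-split' when the tunnel's prefixes cover all of IPv4."""
    covered = [ipaddress.ip_network(p) for p, iface in routes if iface == tunnel]
    # collapse_addresses merges adjacent prefixes, so a default route written
    # as 0.0.0.0/1 plus 128.0.0.0/1 is also recognised as full coverage.
    collapsed = list(ipaddress.collapse_addresses(covered))
    return "no-split" if collapsed == [ipaddress.ip_network("0.0.0.0/0")] else "split"
```

In the split table, a destination outside the listed prefixes leaves through the ISP link and is not carried by the department's connection; in the no-split table only the host route to the VPN server bypasses the tunnel.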

How does the service work?

From the end user perspective, your service will work just like the regular Husky OnNet service, except that authorized users will also have access to the department’s server(s) but will not have access to restricted UW Libraries resources. For more information, read about the Husky OnNet service.

How many simultaneous users can my HON-D service support?

For a given HON-D service, the standard service can support up to 62 simultaneous connections on each of the service servers – split tunnel and no-split tunnel.

How is authorization to the department service handled and who is eligible to use it?

Any UW NetID authorized by the department may be included in the department’s authorization list. Each department/unit with a HON-D service will deploy and manage their own UW Group access list. The departmental UW Group manager(s) determine(s) which UW NetIDs should have access to their controlled network resources. The department may either provide the authority to the UW Group manager or may want to establish an internal review and vetting process to be followed by their UW Group manager(s).

Q: We do not yet have a UW Group access list. How do we get a UW Group?

A: Please see information about the UW Groups service here. The UW Groups service is covered under the Technology Recharge Fee and there are no extra costs to use this service. Before you get started with HON-D, you will be required to have an active UW Group set-up including at least one UW Group administrator.

Q: We already have a UW Group set-up for access into our subnet from on-campus. May we use the same UW Group?

A: Yes, you may use an existing, managed UW Group but it’s recommended that you fully vet the current UW NetIDs in the group and determine how you will make additions and updates in the future.

Q: If we want to include a Sponsored UW NetID in our departmental access list, must we first authorize the user through the Assign Computing Services provisioning page?

A: No. For the HON-D service, the department/unit may include Sponsored UW NetIDs in their UW Group access list and those Sponsored UW NetIDs will be authorized to access the HON-D service as part of the HON-D service.

Q: What if we need to allow access to a non-UW person, e.g., someone who does not have a UW NetID, a collaborator from another university, or a vendor who remotely provides updates to our on-prem application?

A: You need to first provide them with a Sponsored UW NetID, have them accept the UW’s Access and Use Agreement, and then include that sponsored UW NetID in your access list.

Q: Can we use a shared UW NetID in the UW Group for authorized access?

A: Yes, however, if it is truly used by multiple people this is not recommended. For security purposes, using individually assigned UW NetIDs is preferred. In addition, the WIN, MacOS, and Linux user apps can NOT be downloaded from UWare using a shared UW NetID. The download of the client app must be made using an individually assigned UW NetID.

Q: We have retired faculty and former graduate students who are still active on a research project and need access to restricted departmental information. Can they be included in the UW Group access list for the HON-D service?

A: Yes, using their UW NetIDs.

 

Is two-factor authentication available for persons accessing our subnet?

This feature is available, but there are important restrictions that you should understand before deciding if 2FA functionality will work for your HON-D service.

Q: Who’s eligible for 2FA?

A: Refer to the 2FA FAQ for details. As of Oct. 2017, only employees and students in approved programs are eligible to enroll in 2FA.

Q: What happens when someone in the UW Group of authorized users for a HON-D service with 2FA tries to access the HON-D service but they are not enrolled in the 2FA service or they are not eligible?

A: They will be denied access. Eligible users will need to enroll in 2FA first. Refer to the 2FA FAQ for details.

Q: What happens when an authorized 2FA HON-D user tries to enroll in 2FA when they aren’t eligible for 2FA?

A: When a user who isn’t eligible for 2FA tries to enroll in 2FA, they will get an error message saying they’re not eligible.

Q: When will 2FA be available to my other 2FA HON-D users?

A: UW-IT is working to expand 2FA eligibility during Autumn quarter 2017.

Q: Is it possible to split a single HON-D service so that 2FA-enabled users are required to authenticate with 2FA before connecting, but all others may get in without 2FA?

A: No. All authorized users of a single HON-D service must use the same authentication and authorization method.

 

In addition to authorizing access by an individual, can HON-D also authenticate access into our subnet by using a list of approved device MAC addresses?

No, this functionality is not currently available.

 

Customer (Department/Unit) Responsibilities

  • “Own” and proactively manage a UW Group containing the UW NetIDs of the persons authorized to use the service
  • Authorize members of the department’s/unit’s UW Group with the understanding that these person(s) will be able to access the department’s/unit’s network resources as well as general UW Network resources.
  • Understand and apply as needed policies and requirements associated with use of UW IT infrastructure and data. These include, but are not limited to:
  • Provide department/unit based technical support staff who are responsible for 1) assisting the department’s/unit’s authorized HON-D end-users and 2) interacting with UW-IT HON-D support staff for issues with the configured service.

 

How do we order HON-D service?

There are three steps:

1) Understand how the service works and the department’s responsibilities. Review the related Husky OnNet and HON-D IT Connect pages for more information or contact help@uw.edu if you are not finding the information you need.

2) You will need to have this information ready to enter into the order form:

  • Department/Unit Name
  • Technical Contact(s) Email
  • Preferred dept. identifier for naming your HON-D virtual servers
      • split tunnel service: https://dept-huskyonnet.uw.edu/[dept acronym]
      • no-split tunnel service: https://dept-huskyonnet-ns.uw.edu/[dept acronym]
  • Do you need to use your own DNS servers? If yes, please provide the IP address of each of the primary and secondary DNS servers.
  • UW Group for Authorized Access list
  • Whether you require 2FA for logins (Note restrictions apply; not all persons with UW NetIDs are eligible or enrolled in the 2FA service.)
  • Does your Department use the UW-IT Managed Firewall service and would you like UW-IT to permit the associated HON-D lease pool?

3) When you have your information collected, complete the Husky OnNet – Department Service Request form.

Once we’ve placed the order, how do we get started with the Husky OnNet – Department (HON-D) service?

Once an order for the service has been placed, it may take up to 10 business days to stand up the service. The person who placed the order will be contacted to confirm UW-IT has received the order and to ask for any clarifying information that may be needed to get the provisioning started.

There are three configuration activities needed:

1) With information provided by the department, UW-IT will configure your HON-D service on a central network access device (powered by an F5 BigIP Access Policy Manager). This configuration will…

  • Provision departmental access servers: dept-huskyonnet.uw.edu/[dept acronym] for split tunnel, dept-huskyonnet-ns.uw.edu/[dept acronym] for no-split tunnel
  • If your department uses the managed firewall service, the installation engineer will coordinate firewall policy updates to permit your new HON-D lease pool
  • Create an association with your departmentally managed UW Group access list

2) Members of the departmental UW Group will use their UW NetID to download the MacOS, WIN, or Linux client edge application from UWare and install it on their device(s).

3) With these two steps completed, the department will be given the opportunity to test and confirm the service is working: they will test each of the provisioned servers – dept-huskyonnet.uw.edu/[dept acronym] and dept-huskyonnet-ns.uw.edu/[dept acronym] – in two separate test runs.

Assuming the customer does not report problems with the service at the time of testing (or within two business days of notification if the customer does not respond), the service will be deemed accepted and operational.

 

Getting the Husky OnNet Client Apps for HON-D Services

The WIN, MacOS, and Linux client app software is available from UWare. UW NetIDs (excepting shared UW NetIDs) that are included on the departmentally-managed UW Group access list will be able to download the client app software from UWare.

Q: What about other types of client apps? Are they available?

A: Other F5 BigIP Edge client apps (e.g., Chrome, iOS, Android) are available through third party App download sites. Users are welcome to use these on a self-supported basis.