UW departments and units may have restricted network-connected resources that only certain individuals can access. General access to the UW network via Husky OnNet is insufficient to access these restricted department/unit network segments. Husky OnNet – Department (HON-D) is a VPN service for departmental users to securely connect to departmentally restricted network resources that are otherwise not available to users on the UW network.
If your department has Husky OnNet – Department (HON-D) service and that you have been given access, you can use HON-D to connect to restricted network resources in your department. HON-D will work just like the regular Husky OnNet service except that you will also have access to the department’s server(s).
Please note that HON-D may not be used for accessing UW-restricted library resources. If you need access to UW-restricted library resources, see University Libraries Off-Campus Access. If you are a current UW student, faculty, or staff, or if you use a sponsored UW NetID that has been provided access to Husky OnNet, you can use the default Husky OnNet service with the All Internet Traffic server instead to access library resources. For more information, visit Selecting a Husky OnNet Server.
Connecting to Your Departmental Husky OnNet
To use HON-D provided by your department:
- Contact your departmental IT for HON-D server addresses. You will receive two server addresses in the format of:
- https://dept-huskyonnet.uw.edu/[dept acronym] (UW Campus Network Traffic Only)
- https://dept-huskyonnet-ns.uw.edu/[dept acronym] (All Internet Traffic)
- To install the Husky OnNet client on your device, follow the instructions in Installing, Configuring, and Using Husky OnNet.
- To add and connect to your departmental Husky OnNet servers, follow the instructions in Selecting a Husky OnNet Server.
If you have issues with installing or configuring Husky OnNet on your device, refer to instructions in Installing, Configuring, and Using Husky OnNet.
If you run into access or connectivity issues while using your departmental Husky OnNet service, consult with your departmental IT.
If your department or unit is directly connected to the UW network and has a UW budget number, Husky OnNet – Department (HON-D) is available free of cost.
If your department or unit is directly connected to the UW Medicine network, please contact the UW Medicine helpdesk for information about tools and resources to meet your needs.
If you do not know which network you are connected to, please contact firstname.lastname@example.org and indicate which of your network subnets you are interested in serving through this service.
- Departments will need to have and manage their own network subnet.
- Departments will need their own technical support to provide end user support. UW-IT will provide HON-D support for the department’s technical staff.
- Departments will need to create, manage, and maintain their own UW Group containing UW NetIDs associated with authorized users.
- The department’s UW Group administrators are responsible for managing user access and assuring all users read and accept the UW Access and Use Agreement.
To order and use HON-D, the department/unit has the following responsibilities:
- Own and proactively manage a UW Group access list containing the UW NetIDs of the persons authorized to use the HON-D service.
- Authorize members of the department or unit’s UW Group access list with the understanding that these person(s) will be able to access the department’s/unit’s network resources as well as general UW Network resources.
- Understand and apply as needed policies and requirements associated with use of UW IT infrastructure and data. These include, but are not limited to:
- Provide department/unit based technical support staff who are responsible for:
- Assisting the department’s/unit’s authorized HON-D end-users.
- Interacting with UW-IT HON-D support staff for issues with the configured service.
To order Husky OnNet – Department (HON-D) service:
- Understand how the service works and the department’s responsibilities. Review the related Husky OnNet and HON-D IT Connect pages for more information or contact email@example.com if you are not finding the information you need.
- Prepare these information for the order form:
- Department/unit name
- Technical contact(s) email
- Preferred department identifier for naming your HON-D virtual servers
- Split tunnel service: https://dept-huskyonnet.uw.edu/[dept acronym]
- No-split tunnel service: https://dept-huskyonnet-ns.uw.edu/[dept acronym]
- If you need to use departmental DNS servers: IP addresses of primary and secondary DNS servers
- UW Group for authorized access list
- Whether you require 2FA for logins
- Note: restrictions apply; not all persons with UW NetIDs are eligible or enrolled in the 2FA service.
- Does your Department use the UW-IT Managed Firewall service and would you like UW-IT to permit the associated HON-D lease pool?
- When you have your information collected, complete the Husky OnNet – Department Service Request form.
Once the department places an order for the service, UW-IT may take up to 10 business days to set up the service. UW-IT will contact the person who placed the order to confirm UW-IT has received the order and to ask for any clarifying information that may be needed to get the provisioning started.
There are three steps to deploying HON-D:
- With information provided by the department, UW-IT will configure your HON-D service on a central network access device (powered by an F5 BIG-IP Access Policy Manager). This configuration will:
- Provision departmental access servers: split tunnel (UW Campus Network Traffic Only) and no-split tunnel (All Internet Traffic)
- Update firewall policy to permit your new HON-D lease pool, if your department uses the managed firewall service
- Associate your HON-D service with your departmentally managed UW Group access list
- Members of the departmental UW Group will use their UW NetID to download and install Husky OnNet client applications on their devices.
- With these two steps completed, the department will have the opportunity to test and confirm the service is working: testing the split tunnel and no-split tunnel servers separately.
If the department does not report problems with the service at the time of testing (or within two business days of notification if the department does not respond), the service will be deemed accepted and operational.
UW-IT can provide support for setting up and configuring HON-D. Below is a list of frequently asked questions for departmental IT administrators.
Will HON-D support both split & no-split service tunnel options?
Yes. The HON-D service will be configured for use with two servers as follows:
- UW Campus Network Traffic Only: https://dept-huskyonnet.uw.edu/[dept acronym]
Recommended server. The user’s client application connects to the UW network. However, if the user chooses to simultaneously connect to a site outside the UW network, that connection will be made via their normal ISP service, rather than through their HON-D connection. This connection configuration is called “split” because traffic to/from the user’s device is going over two different connections: the UW network and their ISP service.
- All Internet Traffic: https://dept-huskyonnet-ns.uw.edu/[dept acronym]
For special uses only. Some services outside the UW network may require that the person connecting appear as if they are coming from a UW Network location. In this instance all of the user’s traffic will use the HON-D connection and will not use the ISP service to send traffic to/from the Internet. This connection configuration is called a “no-split” connection.
How many simultaneous users can the HON-D service support?
For a given HON-D service, the standard service can support up to 62 simultaneous connections on each of the service servers – split tunnel and no-split tunnel. UW-IT can accommodate larger lease pools upon request.
How does HON-D authorize users and who is eligible to use it?
If your department/unit has a HON-D service, your department will deploy and manage a UW Group access list. Any UW NetID authorized by the department to use HON-D can be included in the access list. It is up to the departmental UW Group managers to determine which UW NetIDs should have access to their controlled network resources. Your department may either provide the authority to the UW Group managers or may want to establish an internal review and vetting process to be followed by the UW Group managers.
Getting a UW Group: If your department does not yet have a UW Group access list, your department will need to set one up as the HON-D access list. To learn about the UW Groups service, visit the UW Groups IT Connect page. The UW Groups service is covered under the Technology Recharge Fee and there are no extra costs to use this service.
Using an existing UW Group: If your department already has a UW Group for access into your departmental subnet from on-campus, you can use the same UW Group for HON-D. Though it is recommended that you fully vet the current UW NetIDs in the group and determine how you will make additions and updates in the future.
Authorizing a sponsored UW NetID: If you want to authorize sponsored UW NetIDs for your HON-D service, you can simply include sponsored UW NetIDs in the UW Group access list and they will be authorized to access your HON-D service. You do not need to use the Provisioning Request Tool (PRT).
Authorizing a person without a UW NetID: If you want to authorize a person without a UW NetID, e.g. a collaborator from another university or a vendor who remotely provides updates to your on-premise application, you need to first provide them with a sponsored UW NetID. Once they have accepted the UW’s Access and Use Agreement and have their sponsored UW NetID, include it in your UW Group access list.
Authorizing a shared UW NetID: You can use shared UW NetIDs in the UW Group access list for HON-D. However, it is not recommended. For security purposes, it is preferable to use individually assigned UW NetIDs. In addition, UWare does not offer Husky OnNet client application downloads for Windows, macOS, or Linux to shared UW NetIDs.
Authorizing former students and retired faculties: If you need to grant access to graduated or retired former UW student, faculty, or staff to HON-D, simply include their UW NetIDs in your UW Group access list.
Authentication by 2FA: 2FA is available for HON-D but with important restrictions. Refer to the 2FA FAQ for 2FA eligibility. If an authorized user who is not eligible for 2FA or otherwise does not have 2FA enabled tries to access your 2FA-enabled HON-D service, they will be denied access. Please note that it is not possible to split a single HON-D service so that 2FA is enforced for 2FA-enabled users only.
Authentication by device MAC addresses: This functionality is not currently available.