In short, the NCSA VPN account is currently the only way to gain non-privileged, end-user-type access to PDAC services. The cluster deployments within NCSA's National Petascale Compute Facility contain a 'walled garden' (i.e. firewalled, not related to the VPN) for staging of pre-production services. Currently, access to services within the walled garden is restricted to the VPN service IP space.
So make use of the VPN when you need to access PDAC services as an end user.
Any user with a valid NCSA Kerberos account, which includes all LSST members with current NCSA accounts, has VPN access. In the future, this may be further restricted to a subset of project-approved members in order to limit access to services in the walled garden or to prevent exhausting the license limit on the VPN service. Members not directly and officially associated with the PDAC should not use the VPN service.
If you have the Cisco AnyConnect client installed, or have a machine capable of running the AnyConnect client, the simplest method to access the VPN environment is to point a web browser to https://sslvpn.ncsa.illinois.edu/, select the 'ncsa-vpn-default' option, and enter 'PUSH' for the 2nd Password (to trigger an NCSA Duo push). On future connections, you can just add 'sslvpn.ncsa.illinois.edu' to the AnyConnect connection window.
Failing that method, full instructions detailing alternate connection methods are listed on the NCSA wiki.
Once connected to NCSA's VPN service, you will be prompted for your NCSA username, Kerberos password, and DUO token.
If you need to reset your password, see instructions here.
A tip from Chris Walter: Here is a tidbit if (like me) you need to use AnyConnect to NCSA but also need to use it for somewhere else (Duke in my case).
in the directory then when you start up the program next time you will see both entries in the drop-down list.
Once connected to NCSA's VPN, the following address pairs become externally accessible:
LSST project members associated with the initial deployment of PDAC services require administrative access to service nodes in order to perform the installation and complete the configuration. Administrative access within NCSA's NPCF requires two-factor access per security policy. VPN access is not sufficient because it neither requires two-factor authentication nor does it, in any way, identify you to the PDAC service(s).
You must obtain a two-factor account by emailing lsst-account@ncsa.illinois.edu. Only approved project members will be granted two-factor accounts.