Research Infrastructure

Working From Home


Connecting to computational systems and research data storage from off-campus

The CSF, iCSF, HTCondor, and Research Data Storage (Isilon) can all be accessed from off-campus, but, for security, some extra steps are needed.

Since November 2019 the University has been protecting remote access services with Global Protect and Duo 2FA. This has now been extended to include the ‘nyx’ X2GO gateways and the rds-ssh file-transfer gateways. Therefore from October 2020 you must now be logged in to the University VPN (GlobalProtect) with Duo 2-Factor Authentication in order to access these services from off-campus.

If you need any help with the information on this page, please email the Research Infrastructure team using its-ri-team@manchester.ac.uk

Tasks you can do from home

This page addresses the following tasks while working from home (or elsewhere off-campus), providing you with links to the relevant documentation. Jump to the sections you are interested in doing:

  • Logging in to the CSF, iCSF or HTCondor submitter node, or the Research Infrastructure X2GO / SSH gateways, from off-campus once you have signed in to the GlobalProtect VPN. See below.
  • Accessing Research Data Storage that you would usually map as a drive on a campus PC. See below.
  • Copying files to/from Research Data Storage that you use on the CSF, iCSF or HTCondor submitter node. See below.
  • Copying files to/from CSF scratch storage. See below.

The University VPN and GlobalProtect.

When accessing on-campus resources such as the CSF/iCSF from off-campus you are required to first sign in to the University VPN using the GlobalProtect software or OpenVPN software. GlobalProtect is recommended and it is available for Windows, Mac and Linux.

University managed laptops already have the GlobalProtect software installed. You can also download it and run it on your home PC/laptop. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.

Problems with GlobalProtect?

If you are attempting the above tasks from home and are having problems when GlobalProtect is running, please see the GlobalProtect Problems and Solutions section below.

Open each section below for the task you wish to perform.

1) How do I login to the CSF / iCSF / HTCondor from off campus?

[Show / Hide]

There are three different methods available, described below. In all cases you must first be signed in to the University VPN using GlobalProtect – you may well be using it already to access other University systems. For iCSF users we recommend then using the X2GO method so that you can leave applications running on the iCSF via a virtual desktop without needing to remain logged in from home.

a) Sign in to GlobalProtect then use direct ssh

[Show / Hide]

University managed laptops already have the GlobalProtect software installed. You can also download it and run it on your home PC/laptop.

  1. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.
  2. Run the GlobalProtect software (see previous link). In short, this will make your PC/laptop appear to be on-campus.
  3. Now log in to the CSF or log in to the iCSF or condor submitter as usual using your preferred SSH application.
  • If this method does not work for you, your ISP may not fully support the use of GlobalProtect. Please try using the IP number of the login node instead of the name:
    ssh username@10.99.203.52       # CSF3
    ssh username@10.99.203.43       # iCSF
    ssh username@10.99.203.70       # incline256
    ssh username@10.99.203.69       # incline2000
    ssh username@130.88.203.22      # submitter 
    

    Or alternatively use the Research IT SSH Gateway (method C below). More details are available in the GlobalProtect problems and solutions section.

b) Sign in to GlobalProtect then use the Research IT Linux Virtual Desktop (X2GO)

[Show / Hide]

Assuming you have first signed in to GlobalProtect (see above) this method requires you to first log in to a virtual desktop and then from there log in to the CSF or iCSF. This has the added advantage that you can disconnect and reconnect to the virtual desktop at any time and your logins to the CSF or iCSF from the virtual desktop will all still be there as though you had never been away (this is very useful if your home internet is unreliable).

PLEASE NOTE: As of October 2020, before logging in to the Research IT Linux Virtual Desktop from off-campus, you must first log in to the University VPN (GlobalProtect). Full instructions are given in the pages linked below.

  1. Register to use the Research IT Linux Virtual Desktop by emailing its-ri-team@manchester.ac.uk.
  2. Download, install and setup on your home PC/laptop the small, free X2GO client. We have complete instructions for Windows, Mac and Linux home PCs/laptops.
  3. Now, from your home PC/laptop, use the X2GO client you’ve just installed to log in to the X2GO Linux Virtual Desktop.
  4. Finally, from a terminal on the Linux Virtual Desktop (nyx5,6,7) log in to the CSF, iCSF or Condor submitter using one of:
    ssh csf3
    ssh icsf       # or incline256  or  incline2000
    ssh submitter
    

    See here for screenshots and a complete example.

c) Sign in to GlobalProtect then use the Research IT SSH Gateway

[Show / Hide]

If you don’t want to use the X2GO Virtual Linux Desktop, you can use instead a traditional command-line approach to logging in, assuming you have first signed in to GlobalProtect (see above). This actually uses the same server as the X2GO method (above).

PLEASE NOTE: As of October 2020, before logging in to the Research SSH Gateway from off-campus, you must first log in to the University VPN (GlobalProtect). Full instructions are given in the pages linked below.

  1. Register to use the Research IT SSH Gateway by emailing its-ri-team@manchester.ac.uk (if you have registered to use the X2GO service you don’t need to register again).
  2. Now install any free SSH application on your home PC/laptop. On Windows, a popular free app is MobaxTerm. On Mac and Linux, you can use the already-installed Terminal app to run SSH. You can even log in from Android, using JuiceSSH.
  3. Next, log in to the SSH gateway using the SSH app from your home PC/laptop. Use any one of the following addresses:
    nyx5.itservices.manchester.ac.uk
    nyx6.itservices.manchester.ac.uk
    nyx7.itservices.manchester.ac.uk
  4. Finally, from the SSH gateway (nyx5,6,7) log in to CSF, iCSF or Condor submitter using one of:
    ssh csf3
    ssh icsf       # or incline256  or  incline2000
    ssh submitter
    

    Even if you had DNS-lookup problems in method a) above, the nyx addresses will always work.

2) How do I access Desktop-visible Research Data Storage (Isilon) from off campus?

[Show / Hide]

The Research Data Storage platform (Isilon) provides two different types of storage areas:

  • Desktop/PC visible storage, similar to your P-Drive. You map this as another drive on your PC (e.g., the R: drive).
  • Storage visible on the central compute platforms such as the CSF, iCSF or HTCondor submitter. The Research IT team ensure this is visible on those platforms.

Here we cover how to access the first type – the Desktop/PC visible storage – while working at home.

Please note: If your data has been supplied by an external provider (e.g., NHS Digital) you must check any data sharing agreement you have with the provider that you are permitted to access that data from off-campus.

a) Via GlobalProtect

[Show / Hide]

University managed laptops already have the GlobalProtect software installed. You can also download it and run it on your home PC/laptop.

  1. You will need the path supplied to you when the storage was allocated. This will be something like:
    \\nasr.man.ac.uk\bmhrss$\snapped\replicated\FolderName
                      #                            #
                      #                            # Specific to your project or research group
                      #
                      # Your faculty code eps, bmh, hum (or older codes fls and mhs)
    
  2. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.
  3. Run the GlobalProtect software (see previous link). In short, this will make your PC/laptop appear to be on-campus.
  4. Now map the storage as a drive. We have documentation for Windows, Mac and Linux home PCs/laptops.
  • If this method does not work for you, your ISP may not fully support the use of GlobalProtect. Please try using the IP number of the RDS storage system instead of the name:
    \\10.2.82.4\bmhrss$\snapped\replicated\ProjectFolder
    More details are available in the GlobalProtect problems and solutions section.

b) Via the Research IT RDS-SSH Gateway

[Show / Hide]

The Research IT Team provide an alternative RDS-SSH gateway which you may be able use to access your storage depending on what you need to do. It is not a general purpose method of accessing the CIFS/desktop flavour of RD and it is more complex to set up and use. We strongly recommend trying the GlobalProtect method above first.

PLEASE NOTE: As of October 2020, before logging in to the Research RDS-SSH Gateway from off-campus, you must first log in to the University VPN (GlobalProtect). Full instructions are given in the pages linked below.

  1. Register to use the Research IT RDS-SSH Gateway by emailing its-ri-team@manchester.ac.uk telling us the above storage path.
  2. Use a file-transfer app on your home PC/laptop (such as WinSCP or MobaXterm) to log in to the RDS-SSH gateway. The address of the gateway is
    rds-ssh.itservices.manchester.ac.uk
    

    You will then be able to navigate to your storage area. The Research IT team will tell you where your storage area is on the RDS-SSH server.

3) How do I copy files to/from CSF/iCSF/submitter-visible Research Data Storage (Isilon) from off campus?

[Show / Hide]

The Research Data Storage platform (Isilon) provides two different types of storage areas:

  • Desktop/PC visible storage, similar to your P-Drive. You map this as another drive on your PC (e.g., the R: drive).
  • Storage visible on the central compute platforms such as the CSF or iCSF. The Research IT team ensure this is visible on those platforms.

Here we cover how to copy files to/from the second type – the CSF/iCSF/submitter visible storage – while working at home.

Please note: If your data has been supplied by an external provider (e.g., NHS Digital) you must check any data sharing agreement you have with the provider that you are permitted to access that data from off-campus.

a) Via GlobalProtect

[Show / Hide]

This method will allow you to copy files to/from the CSF/iCSF/submitter home, RDS, and scratch storage, via the login node of those platforms. Note that very large file-transfers may be slow using this method (see the RDS-SSH method for an alternative).

University managed laptops already have the GlobalProtect software installed. You can also download it and run it on your home PC/laptop.

  1. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.
  2. Run the GlobalProtect software (see previous link). In short, this will make your PC/laptop appear to be on-campus.
  3. Now use your preferred file-transfer app to access the CSF or the iCSF or condor submitter. All of your CSF/iCSF/submitter storage areas will be visible in the usual locations.
  • If this method does not work for you, your ISP may not fully support the use of GlobalProtect. Please try using the IP number of the login node instead of the name in your file-transfer app:
    10.99.203.52       # CSF3
    10.99.203.43       # iCSF
    130.88.203.22      # submitter 
    

    More details are available in the GlobalProtect problems and solutions section.

b) Via the Research IT RDS-SSH Gateway

[Show / Hide]

The Research IT Team provide an RDS-SSH gateway which you can use to access your CSF/iCSF/HTCondor storage. Please note: it is not possible to access your scratch storage area using this method (see below for scratch storage).

PLEASE NOTE: As of October 2020, before logging in to the Research IT RDS-SSH Gateway from off-campus, you must first log in to the University VPN (GlobalProtect). Full instructions are given in the pages linked below.

  1. Register to use the Research IT RDS-SSH Gateway by emailing its-ri-team@manchester.ac.uk
  2. Use a file-transfer app on your home PC/laptop (such as WinSCP or MobaXterm) to log in to the RDS-SSH gateway. The address of the gateway is
    rds-ssh.itservices.manchester.ac.uk
    

    You will then be able to navigate to your storage area. By default you will be in your CSF/iCSF/HTCondor home directory. Other RDS areas are in the same place as on the CSF. Some storage will not be visible and for sensitivity/security can’t be mounted there – if you can’t find your storage email us with the path to discuss.

4) How do I copy files to/from CSF scratch storage from off campus?

[Show / Hide]

Your CSF scratch area is only accessible on the CSF. So you must transfer files to/from the CSF directly. Hence you will need to be running GlobalProtect.

a) Via GlobalProtect

[Show / Hide]

University managed laptops already have the GlobalProtect software installed. You can also download it and run it on your home PC/laptop.

  1. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.
  2. Run the GlobalProtect software (see previous link). In short, this will make your PC/laptop appear to be on-campus.
  3. Use a file-transfer app on your home PC/laptop (such as WinSCP or MobaXterm) to log in to the CSF. The address of the CSF is
    csf3.itservices.manchester.ac.uk

    You will then be able to navigate to your scratch storage area.

  • If this method does not work for you, your ISP may not fully support the use of GlobalProtect. Please try using the IP number of the CSF login node instead of the name:
    10.99.203.51
    More details are available in the GlobalProtect problems and solutions section.

5) How do I access the web and other external data from the CSF?

[Show / Hide]

For security, the CSF, iCSF and condor submitter nodes cannot access the web (e.g., github, dataset providers) and cannot access external databses. Access should be made through the University web-proxy.

  1. While on the CSF or iCSF, load the proxy modulefile to allow access to the outside world by many common applications.
  2. To download data from external databases while using the computational platforms, use the NATaaS service. This is needed where the software used to do the download does not work through the University proxy.

6) GlobalProtect Problems and Solutions

[Show / Hide]

We are aware that a number of users have had problems while try to access their storage or log in to the CSF from home when using GlobalProtect. The following section addresses those problems.

a) Description of the Problem

[Show / Hide]

Some, but not all, Internet Service Providers (ISPs) do not allow their DNS to convert host names (such as csf3.itservices.manchester.ac.uk or nasr.man.ac.uk) to internal IP numbers (10.99.x.y). Users on BT Internet have reported this problem. This is not a problem with GlobalProtect, or the CSF or Isilon.

This problem will affect the following tasks:

b) Logging in to the CSF – unknown hostname

[Show / Hide]

If you are running a command such as:

ssh username@csf3.itservices.manchester.ac.uk

and receive an error similar to

Cannot resolve hostname (or unknown hostname) csf3.itservices.manchester.ac.uk

then your ISP is showing the problem described above.

The solution is to continue to run GlobalProtect, then use the CSF login node IP numbers directly. In particular:

ssh username@10.99.203.52

Replace username with your own IT username.

c) Mapping \\nasr.man.ac.uk Storage – no username/password prompt

[Show / Hide]

If attempting to map as a drive your Research Data Storage area, who’s path is something like:

\\nasr.man.ac.uk\bmhrss$\snapped\replicated\ProjectFolder
                  #                           #
                  #                           # Specific to your project 
                  #
                  # Faculty code: eps, bmh, hum (or older codes fls, mhs)

you should normally be prompted for your IT username and password. However, if you are having the GlobalProtect problem with your ISP, this box may never be displayed and the storage will not be mapped as a drive.

The solution is to continue to run GlobalProtect, then use the IP number of the storage system. In particular:

\\10.2.82.9\bmhrss$\snapped\replicated\ProjectFolder

You should then be prompted for your username and password as normal.

7) Global Protect & Two Factor Authentication (2FA) on the X2GO/ssh gateway/nyx servers

[Show / Hide]

As of October 2020 before logging in from off-campus you must first log in to the University VPN (GlobalProtect). If you are on-campus and NOT connected to the University VPN (GlobalProtect) you will be asked to authenticate using your UoM 2-Factor Authentication (2FA) device e.g. Duo Mobile app or Duo fob.

For 2-Factor Authentication to work with X2GO you must make sure you are using at least version 4.1.1.1 of the X2GO client.

We have updated our documentation to reflect the changes to the log in process see:

X2GO
SSH Gateway

Please note that the Research Infrastructure Team are unable to provide general help and support for the VPN and 2FA (for example, installing Global Protect, registering a device, or how to authenticate if you are unable to get a data/wifi signal on your phone). IT Services have provided a very detailed FAQ which can be found on the 2FA Information Webpage in the ‘Help and Support’ section – it links to a PDF document (the FAQ).

The phonecall method of 2FA is not available on the nyx servers/X2GO . To set up and register for the mobile app method please follow Q5, Q6, and Q20 in the IT Services FAQ described above.

8) Connecting to an existing on-campus non-Research-IT desktop/laptop to access on campus resources such as the CSF/iCSF

[Show / Hide]

You may be off-campus and connect to an existing on-campus desktop/laptop in order to use it as a ‘gateway’ to other on-campus resources such as the CSF/iCSF. This could be a PC in your office or lab for example. As of October 2020 you will still be able to do this, but in order to connect to your on-campus machine you will first need to connect to the University VPN using GlobalProtect.

  1. If not already installed, please install the IT Services VPN Software (GlobalProtect) on your home PC/laptop.
  2. Run the GlobalProtect software (see previous link). In short, this will make your PC/laptop appear to be on-campus.

Please note that the Research Infrastructure Team are unable to provide general help and support for 2FA (for example, registering a device, or how to authenticate if you are unable to get a data/wifi signal on your phone). Nor can we help with ad-hoc PCs around campus that you may be trying to log in to. IT Services have provided a very detailed FAQ which can be found on the 2FA Information Webpage in the ‘Help and Support’ section – it links to a PDF document (the FAQ).

Last modified on October 12, 2020 at 9:09 am by George Leaver