The University is making important security enhancements to protect the UW network against an increasing number of malicious attacks that put personal and University data, devices and systems at risk. The following information was shared with the University of Washington and UW Medicine community about changes that will affect people and groups who connect to UW resources from off-campus using a remote desktop or file-sharing application.
Starting on April 24, 2018, if you access UW resources from off-campus through a remote desktop or network file-sharing application, you will be required to first use the Husky OnNet VPN, a department/unit VPN, or UW Medicine secure virtual private network (VPN) service. A VPN is an application on your computer that establishes a secure connection to a network.
If you are not currently using Husky OnNet, a department/unit VPN, or UW Medicine VPN, please see below for options.
If you are connecting from on-campus (the Seattle campus and related facilities, UW Bothell, UW Tacoma and at UW Medicine facilities), you should not be impacted by this change.
Learn what a VPN is, your options, and how to use a VPN in this brief video. Visit UW-IT's YouTube channel for the audio-described version of the video.
Use the Networks Portal tool from any computer you use to connect to UW resources to see if you are on a UW network, or see the Frequently Asked Questions section below for more information.
These changes will not affect web-based UW resources and services, such as uw.edu web pages, Canvas, Google Drive or Office 365. They will also not affect access to Dropbox, peer-to-peer (P2P) or secure file transfer (FTP) programs. Access to UW Medicine resources via Citrix also will not be affected.
In recent years, the number of malicious attacks on the UW network has increased substantially, presenting a serious security risk to the University. A large volume of this hostile traffic comes through specific network "channels" or "ports." The most frequently attacked network ports are those related to file-sharing and remote desktop applications, and therefore those will be blocked first. Other ports may be blocked in the future; you will be notified before any additional ports are blocked. Blocking ports will reduce the security risks associated with the growing number of network-based vulnerabilities and the increased sophistication of network-based attacks against on-campus computers. Additionally, this action aligns UW with network security guidance and best practices and encourages everyone who uses the UW network to follow best practices for network and computer security. These security enhancements are a common practice used by many large organizations, including numerous higher education institutions. They will apply to the entire UW network, including in Seattle and at UW Tacoma, UW Bothell and UW Medicine facilities. See the list of network ports to be blocked on April 24, 2018, below.
In advance of April 24, 2018, please take the following steps:
If alternative solutions are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT's Service Center at help@uw.edu with the subject line: "Network Port Blocking." UW unit exemptions will require the approval of your unit's dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.
A VPN is an application on your computer that establishes a secure connection to a network. You must first connect to a UW department/unit VPN before accessing UW resources from off-campus with a remote desktop or file-sharing application. The UW offers a free VPN service for all current students, faculty and staff, called Husky OnNet. UW Medicine employees with AMC credentials should use the UW Medicine SSL VPN called Pulse Secure. Individual UW departments may offer additional VPN services.
A network file-sharing application allows you to access and transfer files to and from a remote location, such as files on a departmental or unit server. For example, you may be accessing an I: or H: drive where your department stores shared files. The drive letter may change, depending on configuration. Accessing that shared drive from an off-campus location will require the use of a UW VPN.
A remote desktop application on your computer allows you to connect from one computer to another. For example, you may use a remote desktop application to connect from your laptop at home to your workstation on the UW network, and it will appear as if you are logged directly into your UW workstation. Windows computers call this a Remote Desktop Connection and Apple calls this Apple Remote Desktop or Virtual Network Computing (VNC).
Some UW departments offer a Remote Desktop Gateway. Users connect to it the same way they would via standard Remote Desktop Connection but there is an additional setting in the application that is configured to specify the Gateway server. If a Remote Desktop Gateway server is used, the use of a VPN may not be required. Check with your department to see if they offer a Remote Desktop Gateway and how to configure your computer for its use.
No. Those connecting via a standard MSRDP Gateway server will not be affected and no exemption will be required.
Unlikely: In the standard installation and configuration, MSRDP Gateway servers will not be impacted by the blocking of port 3389/tcp (native RDP), because the gateway accepts client connections on ports 443/tcp and 3391/udp. Standard MSRDP Gateway server installation:
The RDP port block is applied at the network border, where MSRDP Gateway traffic is still 443/tcp. Once the session has reached the gateway server and been converted to 3389/tcp, it is already past the block. The gateway effectively tunnels the traffic through the block. If you operate an MSRDP Gateway server, confirm that you are using the default ports for your installation; if so, you will not need an exemption.
The Network Portal (networks.uw.edu) tool will report if you are connected to a UW-managed network on-campus or not. To find out if you are on the UW network, follow these instructions:
You are physically using a computer at one of these locations:
No. Whatever method you currently use to access your UW email should continue to work.
No. Whatever method you currently use to access UW Library resources (including restricted access resources for those who are eligible) should continue to work. For more information see UW Libraries Off-Campus Access information.
No. Your access to UW Medicine resources via Citrix should not be affected.
Only people in UW Medicine with AMC credentials can use the SSL VPN Pulse Secure. Everyone else, including members of the School of Medicine, should use Husky OnNet or a UW departmental VPN.
As of April 24, 2018, the following inbound ports are being blocked:
| Port | Protocol | Reason for Block |
|---|---|---|
| 135, 137, 138, 139, 445 | NetBIOS, RPC, MS-DS, SMB | Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) services provide file sharing and related services over the network. These services are constantly under attack from off-campus, are frequently vulnerable to attacks, exploits and malware, and can expose confidential or restricted data when improperly configured. |
| 3389 | RDP | This is used for remote desktop connections to Windows computers. It is one of the most common ports used for "brute-force" or "dictionary" attacks (password guessing). |
| 5900 | VNC | This is used by the Virtual Network Computing (VNC) protocol, which is used for remote desktop connections to computers running a VNC client. |
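As an added example (not UW-IT's tooling), the following Python script shows how a unit administrator could run a pre-cutover check over flow records: it flags off-campus traffic to the port numbers in the table above, which will need a VPN after April 24, 2018, and confirms that a Remote Desktop Gateway session (443/tcp and 3391/udp from off-campus, then 3389/tcp from the gateway inside the campus network, as described earlier) is unaffected. The on-campus prefixes, the log line format and all addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Inbound port numbers blocked at the UW network border from April 24, 2018 (table above).
# Assumption: the block applies to these port numbers on both tcp and udp.
BLOCKED_PORTS = {135, 137, 138, 139, 445, 3389, 5900}

# Hypothetical on-campus prefixes; substitute the UW-managed ranges your unit actually uses.
ON_CAMPUS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# One flow record per line in a constructed key=value format (not a real UW log format).
FLOW_RE = re.compile(
    r"src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)"
)

def is_on_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ON_CAMPUS)

def classify(line: str):
    """Return 'on-campus', 'blocked' or 'allowed' for one flow, or None if unparsable."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    if is_on_campus(m["src"]):
        return "on-campus"   # border block does not apply to on-campus sources
    if int(m["dport"]) in BLOCKED_PORTS:
        return "blocked"     # off-campus source must use a VPN after the cutover
    return "allowed"         # e.g. 443/tcp or 3391/udp to a Remote Desktop Gateway

def impact_report(lines):
    """Count (dst, proto, dport) of off-campus flows that the new block will drop."""
    hits = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if m and classify(line) == "blocked":
            hits[(m["dst"], m["proto"], int(m["dport"]))] += 1
    return hits

# Constructed sample flows: direct RDP and SMB from off-campus, plus an RD Gateway session.
SAMPLE = [
    "src=203.0.113.7 dst=10.20.30.40 proto=tcp dport=3389",   # direct RDP, will be blocked
    "src=203.0.113.7 dst=10.20.30.40 proto=tcp dport=3389",
    "src=198.51.100.9 dst=10.20.30.41 proto=tcp dport=445",   # SMB share, will be blocked
    "src=203.0.113.8 dst=10.20.30.50 proto=tcp dport=443",    # RD Gateway front end, allowed
    "src=203.0.113.8 dst=10.20.30.50 proto=udp dport=3391",   # RD Gateway UDP transport, allowed
    "src=10.20.30.50 dst=10.20.30.40 proto=tcp dport=3389",   # gateway to workstation, on-campus
]
```

Running `impact_report(SAMPLE)` lists the two workstations that still receive direct off-campus RDP and SMB connections, which is the set of users to move onto Husky OnNet, a unit VPN or a Remote Desktop Gateway before the cutover.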
If you need help or have any questions or concerns, please contact help@uw.edu with the subject line: "Network port blocking."