
Guidelines Remote Access Services User Guide · 2019-12-20 · Guidelines Remote Access Services User Guide VIRTUAL PRIVATE NETWORK (VPN) OVERVIEW Remote Access Services provide secure,


Remote Access Services User Guide

VIRTUAL PRIVATE NETWORK (VPN) OVERVIEW

Remote Access Services provide secure, cost-effective ways for mobile workers, telecommuters and non-government customers on external networks to access the Shared Provincial Access Network for British Columbia (SPAN/BC).

DEFINITIONS:

Virtual Private Network (VPN) allows your remote computer to connect securely to the SPAN/BC network over a wireless public or home network and access Government network resources that include your Exchange e-mail, applications and shared data.

Remote Desktop Connection (RDC) is an application that allows you to use your secondary government provisioned workstation to access your primary government provisioned workstation over the Internet via a VPN enabled connection.

Start Before Login (SBL) is for government provisioned mobile workstations to activate the VPN session as part of the login sequence, connecting to Exchange e-mail, applications, shared data, printers and drives at initial login.

Section Guide:

Hyperlink enabled:

1. Remote Access VPN Guidelines

2. Before you call for help

3. The Cisco AnyConnect VPN Client on your Government Provisioned Workstation

4. How to connect using the VPN Client

5. Using Start Before Login “SBL” for Government Provisioned Mobile Workstations

6. Using Remote Desktop Connection for a Secondary Government Provisioned Workstation

7. Using the WTS Wake-up site for your Government Provisioned Workstation

8. Using the Disconnect/Quit from VPN

9. Helpful Links

10. Frequently Asked Questions

11. Version History


https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/remote-access/remote_access_services_user_guide_2020.pdf

1 REMOTE ACCESS VPN GUIDELINES

SECURITY AWARENESS!

To ensure that Government security policies are not violated by any personal Internet activity, it is very important that you disconnect your VPN session as described in section 8 after you’ve completed your Government business. If you do not disconnect your VPN session and proceed to do personal Internet activities, then be aware that your personal Internet data traffic will be traversing the Government data network, which may result in a Government policy violation, a security investigation and possible legal repercussions.

The Information Security Branch of the Office of the Chief Information Officer has developed resources to help explain information security best practices. To ensure you are in compliance with policy and are aware of best practices, refer to the Information Management/Information Technology (IM/IT) Strategic Policy web site. An additional OCIO Best Practice Guide for working with personal and/or confidential information outside the workplace is the Working Outside the Workplace resource document.


2 BEFORE YOU CALL FOR HELP

1. Review the contents of this guide; it has a lot of detailed information that should help guide you through most Remote Access scenarios.

2. If you require assistance, contact the “7-7000 Service Desk” at 250-387-7000 or toll free 1-866-660-0811 option 1 or email [email protected]. Make sure you have the following information ready; it will help us resolve your problem quickly.

• What is your IDIR ID?

• If you are using Remote Desktop Connection, do you have Remote Access permissions to connect to your primary government provisioned workstation?

• What operating system are you using (e.g.: Windows 7 or 10, MAC/OS)?

• What version of the Cisco AnyConnect Client are you using?

• What type of internet connection are you using (wired, wireless hot spot, public Wi-Fi)?

• What is your workstation number?

• What exactly is the error or problem you are having? Write down the error; screen shots are very helpful.

• Contact information, phone number (an alternate contact will not be accepted).

• When did it last work?

• Have you made any recent changes to your device configuration, software or hardware updates?


3 THE CISCO ANYCONNECT VPN CLIENT ON YOUR PRIMARY GOVERNMENT PROVISIONED WORKSTATION

If you are using a WINDOWS 10 government provisioned mobile workstation and the Cisco AnyConnect Mobility client is not installed, follow these instructions:

1. Launch your Start button and open up Microsoft System Center.

2. Then click on Software Center.

3. Change the View to List.


4. Type in the search bar, AnyConnect (no spaces), press enter. Then click on the Application to initiate a download.

If you are using a MAC/OS government provisioned mobile workstation and the Cisco AnyConnect Mobility client is not installed, follow these instructions:

1. Download the AnyConnect application from the following link: https://ssbc-client.gov.bc.ca/services/remoteaccess/documents.htm

2. Select the MAC – AnyConnect link to initiate download.


3. Download the MAC AnyConnect package, and run the AnyConnect.pkg

If you have problems installing your software on your workstation, contact the “7-7000 Service Desk” at 250-387-7000 or toll free 1-86-660-0811 option 1.

• NOTE: Periodically OCIO upgrades the Cisco AnyConnect secure mobility client through the workstation services expanded patch management program (EPM). The upgrades are a result of necessary security and/or maintenance requirements and are communicated through Service Bulletins. Upgrades are applied automatically for mobile workstations that have a full version of the software installed. All government provisioned workstations that do not have a full version installed must install through the Software Centre as noted above.

4 HOW TO CONNECT TO SPAN/BC USING CISCO ANYCONNECT VPN CLIENT

1) Search Cisco AnyConnect

2) Enter your IDIR ID and password.

3) Click OK. The Cisco AnyConnect alert/dialogue box will open.

4) Sign in with your IDIR username and password. Click OK

5) Read the message and click Connect. Messages often contain important information about upgrades, security information or relevant Service Bulletin information.

6) You are now connected to VPN.


5 USING THE START BEFORE LOGIN FEATURE FOR A GOVERNMENT PROVISIONED WORKSTATION “FULL” FUNCTIONALITY TO INCLUDE MAPPED NETWORK DRIVES AND ACCESS TO LOB APPLICATIONS

• NOTE: The following process only works if you are connected to a network that you have previously accessed using this workstation.

1. Click the Network sign-in button at the bottom right of the screen.

2. Refer to section 4 for detailed AnyConnect login instructions.


6 USING REMOTE DESKTOP CONNECTION FOR A SECONDARY GOVERNMENT PROVISIONED WORKSTATION

• NOTE: If you are unable to connect to your primary government provisioned workstation, you may need to wake it up; refer to Section 7.

For WINDOWS

1) Refer to Section 4 for detailed AnyConnect login instructions. You must be connected to VPN before using Remote Desktop Connection (RDC).

2) In your toolbar, search Remote Desktop Connection.

3) In the Computer field, type in workstation#.idir.bcgov (e.g. DB434443.idir.bcgov).

4) Click Connect.

5) Enter your IDIR ID and password in the dialogue box that appears, then click OK (this logs you on to your workstation).

6) Click OK at the security warning screen.

7) You are now connected to your workstation.

Your primary workstation desktop appears on the screen. You can now access your e-mail, applications, and data as though you were at the office. If it doesn’t appear, your desktop may have gone into Hibernation/Shutdown and must be woken up using the OCIO Wakeup as in Section 7.


For MAC/OS:

1. Refer to Section 4 for detailed AnyConnect login instructions. You must be connected to VPN before using Remote Desktop Connection (RDC).

2. Click on Go in the toolbar to access the Applications tab. Select Remote Desktop Connection application.

3. You will need to create a New “My Desktop”. You will only need to do this once. Subsequent connections will only require you to double click on the desktop you wish to connect to.

4. Fill out the required information for the desktop profile using below as a guide.

5. Your desktop profile has now been created. You can now connect to your desktop as if you were at work (established internet and VPN session is needed prior to activating RDC).


7 USING THE WAKE-UP SITE SURVEYOR TO WAKE UP YOUR PRIMARY GOVERNMENT PROVISIONED WORKSTATION REMOTELY

1. Connect to the Surveyor WakeUp site using your Web Browser at: http://wswakeup.bcgov/

2. Type in your workstation number (ex. DB000000) in the Computer Name box, click Search.

3. Press wake.

4. You may close your web browser.

5. After a few moments your primary workstation is ready for connection from your remote computer using the same instructions from Section 6 “Using Remote Desktop Connection”.


See below for what to expect when using the updated application (instructions and screen shots here are from a standard Windows 7 workstation with Internet Explorer 11; other operating systems or browsers may have a slightly different experience). Clicking the “Remote Desktop Connection” button launches the RDC protocol based on the IP address of the machine. Due to security warnings in IE, you may see the following dialogue:

1) Click Yes.

2) You may see a prompt asking if you want to open the DC######.rdp from http://wswakeup.bcgov.

3) Click Open.

4) Since you connect via IP rather than Computer name, a security prompt displays (see image below). Click Connect.

5) Click Connect to launch the RDP screen to remotely logon to your workstation.


8 DISCONNECT/QUIT FROM CISCO VPN CLIENT

NOTE: It is important that you disconnect after you’ve completed your session. Be aware that if you do not disconnect your VPN session and proceed to do personal Internet activities, your personal Internet data traffic will be traversing the Government data network. This may result in a Government policy violation, a security investigation and possible legal repercussions. To ensure you are in compliance with policy and are aware of best practices, refer to the Information Management/Information Technology (IM/IT) Strategic Policy website.

NOTE: Your VPN session will automatically shut down after being connected for 12 hours. If you are still working, you will need to re-log on to VPN.

DISCONNECT/QUIT FROM VPN

1) Right click the Cisco AnyConnect VPN Client icon in the taskbar.

2) Choose Disconnect.

DISCONNECT FROM REMOTE DESKTOP CONNECTION “RDC”

1) Log off from your computer as usual. This will only terminate your RDC Connection; you will still need to disconnect from VPN to terminate your SPAN/BC Session, as noted above under “Disconnect from VPN”.

9 HELPFUL LINKS

Remote Access Services - Related Documents, Service Requirements, User Guides, Forms and Download Links.


Information Management/Information Technology Policies can be found on the Office of the Chief Information Officer web site. The OCIO has developed a Working Outside the Workplace Policy, a set of guidelines and a checklist to handle information incidents.

Mobile Device Guidelines for Government Employees provides employees with guidance on their use of mobile devices given current legal requirements, government policy, and best practices. It addresses the most commonly asked questions employees have about their mobile device use and management.

Standards of Conduct for Public Service Employees - The Government of British Columbia believes that the highest standards of conduct among public service employees are essential to maintain and enhance the public’s trust and confidence in the public service.

Chapter 12, Core Policy and Procedures Manual - Understand your responsibilities regarding the appropriate use of government information and communications technology.


10 FREQUENTLY ASKED QUESTIONS

1. What is a DOMAIN account?

o Ministry users are set up with a DOMAIN user account (IDIR ID) to authenticate to resources within SPAN/BC, such as file shares, email and applications (e.g. ag.gov.bc.ca, hlth.gov.bc.ca).

o A Remote Access Services (VPN) subscription is included for every IDIR account.

2. I changed my IDIR password from another computer, now I cannot logon to my primary government provisioned mobile workstation. What can I do?

o If the workstation has not been connected to SPAN/BC to learn your new password, the old password will work to connect to the desktop. You will require the new password to logon to the VPN connection.

o OCIO recommends that when your IDIR password is changed, you also logon to the government provisioned mobile workstation with the new IDIR password while connected to SPAN/BC, before working remotely.

3. To automatically detect the network connection, ensure the Network Setting is set to “Connect automatically when this network is in range”. To set this on a Windows 10 mobile workstation verify the following settings:

o Open “Network and Internet Settings”

o Select Wi-Fi on the left menu, then click on Manage Known Networks.

o Select the network for your laptop to remember, then click Properties.

o Turn the button to the on position for the setting Connect automatically when in range.

4. How do I request an exemption for the 12 hour session time-out for a specific VPN account?

o Submit an iStore Order for PI-Change Remote Access, providing the VPN ID and explaining what is required (i.e. turn off 12 hour session time-out for two weeks? until further notice? permanently? for the VPN id: xxxxxxx).

o This will ensure we have the appropriate approval for the change and an audit trail of that approval process in the event there’s a security audit or billing dispute resulting from the removal of the 12 hour session timeout.

5. Why can’t I access my Line of Business Applications?

o If an IDIR authenticated user’s password expires or is locked, the system won’t allow you to use your account profile, preventing you from gaining access through a Ministry defined firewall.

▪ You must call the “7-7000 Service Desk” at 250-387-7000 or toll free 1-866-660-0811 option 1 if your VPN account is IDIR Authenticated (or if you don’t know) to have your IDIR id unlocked or password reset.


▪ You may not have been added to the correct group template when your account was created, or you have transferred to another Branch and not been assigned to the correct group. Call or email the [email protected]. (toll-free 1 866 660-0811), option 3.

▪ You may have neglected to quit a previous session. If your account was created with a Static IP you will only be granted access with your specific privileges once, you must ensure you have logged off any previous connections before you can successfully gain access to your LOB application/data.

6. How do I get the Cisco VPN AnyConnect client?

o Refer to Section 3 for the Cisco AnyConnect on government provisioned mobile workstations.

7. How do I get my SPAN/BC network drives or printers?

o If you require the Domain Logon script to run, which will map your corporate shared drives and printers, you will need to use the “Start Before Login” feature as in Section 5.

8. I have a laptop that supports both wireless and wired connections and am having problems connecting using the wireless connection.

o Full details on how to use the wireless feature on a government provisioned mobile workstation can be found in the “Mobile Workstation Guide” posted in the Remote Access Service Catalogue: https://citz.sp.gov.bc.ca/sites/ES/DS/WS/SitePages/Home.aspx

9. I am using my @home Internet Service Provider (ISP) and having connection issues:

o Ensure your workstation has Internet connectivity by bringing up the browser and opening up a site. If there is no connectivity, call your provider for assistance.

o Your ISP may have some settings that block certain traffic. If you have connectivity to the network but cannot connect through VPN, call your provider for assistance on enabling specific traffic to allow the connection.

10. Administrator AnyConnect package message “The AnyConnect package on the secure gateway could not be located”

o This error is a result of not having the up-to-date revision of the AnyConnect client installed on your workstation.

11. Administrator Reboot message “The secure gateway has terminated the VPN connection”.

o This error is a result of an emergency reboot to the Remote Access VPN Service. The following are instructions to reconnect your session:

▪ If you’ve connected using the Start Before Login; save any open documents to your desktop and log off your workstation and log in again using the “Start Before Login” instructions.

▪ If you’ve connected to your @work workstation using the Remote Desktop Connection; reconnect your Cisco AnyConnect Secure Mobility Client and establish your RDC session again and all connections to resources, documents and services should be resumed.


▪ If you’ve connected to your @work workstation using the Cisco AnyConnect Secure Mobility Client connection, do not restart your workstation; you only need to reconnect and all connections to resources and services should be resumed.

12. Secure Access Gateway error message “The secure gateway has rejected the connection attempt, no address available for SVC Connection”

o This error occurs when the VPN template/group policy that you have been assigned to has reached maximum logins (no IPs available). It is recommended you wait for 5-10 minutes and try again. You may need to contact your Line of Business System Administrator or Service Desk if this is a recurring problem.


11 VERSION HISTORY

Document Control/Major Revisions

Date Change Reference

November 2010 Removed Legacy Client Information

August 2011 Updated the VPN client download links

Minor revisions to change WTS references to SSBC

Updated Security Awareness Information, installation instructions. MAC and/or iOS Helpful Links.

Updated Security Awareness Information as per OCIO recommendations.

November 2011 Updated the VPN client download links to Version 2.5.3055 per service bulletin #292

August 2012 Updated with new RAS Assessment tool, modified for internal publication, minor edits and updated client software hyperlinks.

October 2018 Updated for Version 4.6.02074

November 2019 Total revision