Fermilab: remote working (VPN, MFA, videoconferencing, general)
This is not a conclusive list of things to know about remote work for cmslpc resources at Fermilab. Much more information can be found at the Fermilab ServiceDesk Knowledgebase.
Follow this link to learn how to connect to the cmslpc interactive nodes. - VPN NOT needed to connect to cmslpc nodes.
Fermilab guide to Computing information necessary to telework effectively
VPN for Fermilab Network
Why would I need VPN?
Note: This is not a complete list.- If you are trying to access a Fermilab website that says "Internal Content", you need VPN.
- Some of the cmslpc System Status pages require VPN to access from offsite
- Submitting a Fermilab Photo of the Day
- For Fermilab employees: payroll, timesheets
How do I setup and use VPN?
The most complete information is here in the Fermilab Service Desk article about getting VPN.Requirements for VPN:
- FNAL RSA soft token - may take up to 1 business day to obtain. Note you will also need to Setup your RSA PIN
- Fermilab certificates installed (not needed for Fermilab owned computers)
- Services password (DIFFERENT from Kerberos): obtain it from the Fermilab Service Desk: Password obtain/reset at Fermilab
- VPN software
- Use Self-Service for FNAL owned computers
- Download at https://vpn.fnal.gov after doing the VPN setup above and logging into 02_General-Users-RSA (NOT the default-employees will choose a different option) using the VPN instructions (also below) for passwords
Once VPN is setup, you choose 02_General-Users-RSA (employees will choose a different option) and enter:
- Password: Services password (DIFFERENT from Kerberos)
- UI Verify Method (or Second Password) (RSA knowledgebase):
- Non-Android: RSA PIN followed by RSA token
- Android (RSA pin used in app): RSA token
- NOTE, the above is a generalization for soft RSA keys, and may NOT work for every version of Android, please consult the Fermilab RSA knowledgebase for correct instructions and get help from the Fermilab Service Desk when needed.
MFA (Multi-Factor Authentication) for Fermilab Microsoft Exchange email
Note: If you have an email with forwards from @fnal.gov to another place, this is not an issue for you. This will be needed for Fermilab employees and some Fermilab users who have full Microsoft Exchange @fnal.gov email.Main page of information: mfa.fnal.gov - requires a VPN connection or being onsite at Fermilab to access. Alternately, see Offsite accessible mfa documentation
MFA requirements:
- Full Microsoft Exchange fnal.gov email
- FNAL RSA soft token - may take up to 1 business day to obtain. Be sure to advise the Service Desk if your MFA was turned on and you cannot check your @fnal.gov email as you must do that from your smartphone to obtain the token.
- Services password (DIFFERENT from Kerberos): obtain it from the Fermilab Service Desk: Password obtain/reset at Fermilab
- Non-Android: RSA PIN followed by RSA token
- Android (RSA pin used in app): RSA token
Zoom Videoconferencing at CERN
- All CERN account holders can create their own CERN Zoom account, following the instructions on the the CERN Zoom FAQs
- Main CERN Zoom page
Zoom Videoconferencing at Fermilab
- You do not need a Zoom account to join a Zoom meeting, you can download the client at https://zoom.us/download. Note that some FNAL meetings (not LPC) may be limited to attendees with valid FNAL Zoom accounts, be sure to be authenticated with your FNAL Zoom account.
- Fermilab Zoom should not be used for University purposes, please contact your institution for videoconferencing solutions
- Complete Fermilab guide to Zoom
- Zoom Video Conference Account Form is the name of the form to fill out at the Fermilab ServiceNow to obtain a Fermilab Zoom account
- FNAL Zoom instructions to keep your meeting secure
- Some of these options are required by Fermilab like disabling "Join Before Host", and not posting meeting links publicly. Note that meeting links that include
pwd=in the link have the password embedded in the link!
Zoom tips and more documentation
- Zoom official support documentation
- Zoom how to configure and share a PowerPoint presentation
- Zoom how to configure and share a Keynote presentation
- All of Zoom's screen sharing documentation
- Zoom: how to see the full view of a remote participant's screenshare (Video layout)
- Zoom blog work from home meeting tips
- Zoom blog videoconferencing etiquette
Fermilab office telephones
- How to setup Cisco Jabber to answer/make calls from your office telephone) (requires FNAL VPN)
- Voicemail instructions here, need FNAL VPN to access link of instructions from FNAL news article
- Once you've accessed your voicemail remotely, you can set it up to notify you that there is new voicemail on another phone with:
- 4 setup options
- 2 message settings
- 1 message notification
- Call forwarding is also possible, link can be found on this FNAL article
- Fermilab telecommunications site with more voicemail and phone instructions
SSH connection issues
In case your ssh connection keeps timing out, you may find this useful in your local computer's~/.ssh/config file (original settings guide here):
Host cmslpc*.fnal.gov
ServerAliveInterval 60
TCPKeepAlive yes
KeepAlive yes
General work from home advice
Here are some guides that CERN and others have shared. Not everything is applicable for working from home for Fermilab machines (for instance, we will not install nomachine)- Fermilab article about remote working
- CERN: https://computing-blog.web.cern.ch/2020/03/useful-tools-for-teleworking/
Fermilab Badge and remote computing accounts
- If you already have a valid FNAL computing account, there is a new form for onsite access (Feburary 2022)
- Be aware that you will still have to Renew your computing account as usual, often 4-6 weeks before expiration to not lose remote computing access. In some cases, onsite access requests may also have additional review time, please plan in advance.
