U.S. CMS
Search
uscms.org  www 

Fermilab: remote working (VPN, MFA, videoconferencing, general)

This is not a conclusive list of things to know about remote work for cmslpc resources at Fermilab. Much more information can be found at the Fermilab ServiceDesk Knowledgebase.

Follow this link to learn how to connect to the cmslpc interactive nodes. - VPN NOT needed to connect to cmslpc nodes.

Fermilab guide to Computing information necessary to telework effectively

VPN for Fermilab Network

Why would I need VPN?

Note: This is not a complete list.
  • If you are trying to access a Fermilab website that says "Internal Content", you need VPN.
  • Some of the cmslpc System Status pages require VPN to access from offsite
  • Submitting a Fermilab Photo of the Day
  • For Fermilab employees: payroll, timesheets
You do NOT need VPN for: kinit, ssh, scp, sftp to cmslpc*.fnal.gov, you may continue using those remotely without VPN.

How do I setup and use VPN?

The most complete information is here in the Fermilab Service Desk article about getting VPN.
Requirements for VPN:
  1. FNAL RSA soft token - may take up to 1 business day to obtain. Note you will also need to Setup your RSA PIN
  2. Fermilab certificates installed (not needed for Fermilab owned computers)
  3. Services password (DIFFERENT from Kerberos): obtain it from the Fermilab Service Desk: Password obtain/reset at Fermilab
  4. VPN software
    • Use Self-Service for FNAL owned computers
    • Download at https://vpn.fnal.gov after doing the VPN setup above and logging into 02_General-Users-RSA (NOT the default-employees will choose a different option) using the VPN instructions (also below) for passwords

Once VPN is setup, you choose 02_General-Users-RSA (employees will choose a different option) and enter:
  • Password: Services password (DIFFERENT from Kerberos)
  • UI Verify Method (or Second Password) (RSA knowledgebase):
    • Non-Android: RSA PIN followed by RSA token
    • Android (RSA pin used in app): RSA token
    • NOTE, the above is a generalization for soft RSA keys, and may NOT work for every version of Android, please consult the Fermilab RSA knowledgebase for correct instructions and get help from the Fermilab Service Desk when needed.


MFA (Multi-Factor Authentication) for Fermilab Microsoft Exchange email

Note: If you have an email with forwards from @fnal.gov to another place, this is not an issue for you. This will be needed for Fermilab employees and some Fermilab users who have full Microsoft Exchange @fnal.gov email.

Main page of information: mfa.fnal.gov - requires a VPN connection or being onsite at Fermilab to access. Alternately, see Offsite accessible mfa documentation

MFA requirements:

  • Full Microsoft Exchange fnal.gov email
  • FNAL RSA soft token - may take up to 1 business day to obtain. Be sure to advise the Service Desk if your MFA was turned on and you cannot check your @fnal.gov email as you must do that from your smartphone to obtain the token.
  • Services password (DIFFERENT from Kerberos): obtain it from the Fermilab Service Desk: Password obtain/reset at Fermilab
Note: You will use your FNAL RSA soft token code for Fermilab MFA in the same way as above for VPN.
  • Non-Android: RSA PIN followed by RSA token
  • Android (RSA pin used in app): RSA token


Zoom Videoconferencing at CERN

  • All CERN account holders can create their own CERN Zoom account, following the instructions on the the CERN Zoom FAQs
  • Main CERN Zoom page

Zoom Videoconferencing at Fermilab

Zoom tips and more documentation


Fermilab office telephones


SSH connection issues

In case your ssh connection keeps timing out, you may find this useful in your local computer's ~/.ssh/config file (original settings guide here):
Host cmslpc*.fnal.gov
    ServerAliveInterval 60
    TCPKeepAlive yes
    KeepAlive yes

General work from home advice

Here are some guides that CERN and others have shared. Not everything is applicable for working from home for Fermilab machines (for instance, we will not install nomachine)

Fermilab Badge and remote computing accounts

  • If you already have a valid FNAL computing account, there is a new form for onsite access (Feburary 2022)
  • Be aware that you will still have to Renew your computing account as usual, often 4-6 weeks before expiration to not lose remote computing access. In some cases, onsite access requests may also have additional review time, please plan in advance.
Webmaster | Last modified: Monday, 18-Apr-2022 13:11:54 CDT