
ServiceVPN - Virtual Private Network

Multi-factor authentication for logging in to the VPN

Since December 15, 2023, you need a time-based one-time password (TOTP) in addition to your user name and password to log in to the central VPN service. The one-time password is generated by a one-time password generator, a so-called token. All further information on multi-factor authentication, including instructions and video tutorials on token creation, can be found on the linked page:
Service catalogue & how-tos: multi-factor authentication

Encrypted and secure access to the University network on the go

With VPN technology, you can establish an encrypted connection (remote access) to Heidelberg University's internal network from anywhere in the world. Especially when you are on the go and using unencrypted Wi-Fi hotspots, or when you are working from home, the VPN gives you an encrypted, secure connection. In addition, the VPN lets you reach the University's internal IT services, which for security reasons are not accessible from outside the University network.

After connecting your device to the internet, you can start the VPN client, and after logging in, you will have an encrypted connection to the University network.

Target group

  • University members (with Uni ID or project number)

Use

  • Secure, encrypted connection even on the go (such as when using unencrypted Wi-Fi hotspots)
  • Access to internal University services while traveling or working from home

Access and requirements

The University Computing Centre (URZ) supports the VPN client Cisco Secure Client - AnyConnect, which students, doctoral candidates and employees can download free of charge. A Uni ID or University project number is required to log in.

After downloading and installing Cisco Secure Client - AnyConnect, enter the following VPN server address in the client:

vpn-ac.urz.uni-heidelberg.de

and click "Connect". Then, log in with your Uni ID or project number as requested. If you are experiencing problems, you can find further information in the How-to for installing AnyConnect.

Frequently Asked Questions

Recently, an additional input field with the text "Bitte zweiter Faktor eingeben (OTP) / Please enter second factor (OTP)" has appeared during VPN login.
What does this mean?
This is the required additional input of a "time-based one-time password" ((T)OTP) for two-factor or multi-factor authentication (2FA/MFA).
I haven't set up MFA yet, but you can only access the MFA page with VPN. What can I do?
Please contact our IT Service.
Should I always use the VPN when I am working outside of the University network?
When working for the university from outside, VPN should be activated if possible.
In view of the increase in attempted attacks on internal services, more and more of these services have recently been restricted to "within the university", and further services will be in future; this means they can only be used from outside with a VPN connection.
Only data to and from the University should be sent via the VPN; everything else should use my own internet connection. How do I set this up?

This configuration is called "split tunneling". You can set it up yourself by logging in with an extended username. Use the following username

<Uni-ID>@split.uni-heidelberg.de

together with your usual password.

The automatic installation on the vpn-ac website is not working. What can I do?
Problem with login? A one-time password (2FA/MFA/token) is now also required here.
Problem downloading? Please contact our IT Service, stating your operating system. You will be sent a download link.
How do I access a network computer on the local network?
When you have an active VPN connection, all data is transferred through an encrypted connection to the URZ. If you wish to, for example, access a network computer on the local network, activate the option "Allow local (LAN) access when using VPN (if configured)" in the AnyConnect Advanced Window (gear icon on the bottom right).
I would like to remotely access my office computer from home. How do I set this up?

The general recommendation is to organise the data storage in such a way that you can also access the data from the remote workstation.

In principle, a corresponding service (RDP, VNC, SSH) must be activated on a suitable port on the office computer in consultation with the IT coordinator, and the local firewall must be adjusted accordingly. The energy-saving settings of the operating system must be configured so that the computer does not shut down or go to sleep; alternatively, Wake-on-LAN may be used.
Updates and protective software on the computer should be up to date, and all passwords of authorised users on the computer should be strong, i.e. comply with the password rules of the URZ. Make a note of the name or IP address of your computer, the port on which the service is active, and the user ID and password for accessing your office computer.
From home, first start the VPN and then the client software with which you want to access the computer.
More detailed information, especially on Windows/RDP, can be found in the Sharepoint section for IT coordinators.

Directly after logging in, multiple new connections are reported. Why does this happen?
For technical optimization, up to three connections are established, and the system sometimes switches back and forth between these connections. This is usually due to peculiarities of the route from your location to the server in the URZ. When this issue does not subside after a minute and keeps happening, please inform the IT Service.
I am experiencing frequent disconnections. Is there anything I can do to improve this?
Using the gear icon in the VPN client, activate the option “Enable automatic VPN reconnect.” If you are experiencing problems persisting past the first minute after logging in, please inform the IT Service.
I have a much better connection bandwidth without the VPN. Is the VPN server overloaded?
The VPN server provides all users with a fixed bandwidth, which is sufficient for even more data-intensive purposes such as video conferences according to our tests. The number of users and the connection load is currently (as of 15.12.2023) far below the possible limit.
I want to have a video conference, but the audio/video quality isn't very good. Is this due to the VPN?
If you have problems, you can test whether the quality improves without the VPN. In most cases, the cause lies elsewhere (a different browser, a browser restart, or the server side).
Is there a VPN client for 32-bit versions of Linux?
Cisco discontinued support for the AnyConnect Client on 32-bit systems in 2016. 32-bit-only Windows and macOS systems are outdated and should no longer be used. For Linux-based systems, the free client "openconnect" from the package sources of your operating system may help.
Does the URZ support the free VPN client openconnect?
We generally recommend using the "Cisco Secure Client" ("AnyConnect") that matches the server. For resource reasons, we can only support this one cross-operating system client.
You are also welcome to make an enquiry about this to the IT service; however, we ask for your understanding if such an enquiry cannot be answered quickly or in sufficient detail.
Openconnect with NetworkManager used to work without any issues, but since the introduction of 2FA/MFA there have been problems.

This works with newer versions of NetworkManager, e.g. in Debian 12.

If the GUI does not yet work properly in your distribution, you can also establish the VPN connection on the command line:
openconnect --protocol=anyconnect --useragent='AnyConnect' vpn-ac.uni-heidelberg.de
(In some cases, running it as "sudo openconnect ..." also helps.)

How can I gain access to a network printer or other devices in the local network (LAN)?
If you want to access a network printer or another device on the LAN (the local network directly connected to your computer), you can set this up in the VPN client by selecting "Advanced Window" (gear icon) > Preferences > check "Allow local (LAN) access when using VPN (if configured)".
Why can't I save the password in the "Cisco Secure Client"?

The software provider wants to offer a security solution, and storing the password in the user's operating system is not an option.

However, if you set up your own "automatic login", please include a pause in the "login script"; otherwise, in the event of problems (or if the account expires), such scripts will generate a large number of incorrect login attempts in our logs, without the user noticing and without us being able to report it.
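As an added example (not part of the URZ page and not an URZ-supported tool), the following POSIX shell wrapper shows how such a login script can pause between attempts and stop altogether after a few consecutive failures, so that an expired account or a wrong token does not flood the server logs with failed logins. The connect command passed to it is an assumption; the openconnect line from the FAQ above is only shown in a comment.

```shell
#!/bin/sh
# connect_with_backoff CMD MAX_FAILURES [BASE_DELAY]
#
# Runs CMD (a shell command string) until it succeeds. After each failure
# the script waits BASE_DELAY seconds, doubling the wait every time, and
# gives up entirely after MAX_FAILURES consecutive failures. A failed
# attempt is therefore never retried immediately, and a persistent
# problem (expired account, wrong password, stale one-time password)
# produces a handful of failed logins instead of an endless stream.
# Returns 0 if CMD succeeded, 1 if the script gave up.
connect_with_backoff() {
    cmd=$1
    max_fail=$2
    delay=${3:-30}   # initial pause in seconds; doubled after each failure
    fails=0
    while :; do
        if sh -c "$cmd"; then
            return 0
        fi
        fails=$((fails + 1))
        if [ "$fails" -ge "$max_fail" ]; then
            echo "vpn: giving up after $fails failed attempts; check account and token" >&2
            return 1
        fi
        echo "vpn: attempt $fails failed; waiting ${delay}s before retrying" >&2
        sleep "$delay"
        delay=$((delay * 2))
    done
}

# Usage (assumed command; the token is still entered interactively):
#   connect_with_backoff \
#     "openconnect --protocol=anyconnect --useragent='AnyConnect' vpn-ac.uni-heidelberg.de" \
#     3 30
```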