SLAC Computer Security
Search SLAC

Alternatives to VPN

VPN has been used by many home/remote SLAC Windows users for several years. The risk of VPN outweighs the benefits and we highly recommend the use of the alternatives to VPN found on this page. CERN discontinued their VPN services on 1/29/08.

Please let us know if there are any tasks you need to perform which cannot be done via one of the alternative methods listed below. We will work with you to find an acceptable solution.

SSH Tunneling and Single Sign On

By starting 3 programs on your computer at boot time (OpenAFS for Windows, MIT Kerberos for Windows, and either SecureCRT or PuTTY) you can most likely use SSH tunnels to avoid the need for using the Windows Citrix Farm. The SSH tunnel alternative is preferable to Citrix for many people due to intermittent connection failures and limited video card capabilities on the Citrix Farm.  Additionally, the use of OpenAFS and MIT Kerberos for Windows allows you to enter your Unix password only once! Your SSH client (SecureCRT or PuTTY) can be set up to use the credentials you obtained at boot time. More info on Single-Sign-On can be found here: More info on SSH tunneling can be found on the following pages: SSHv2 Software, New SSH at SLAC, and SSH Tricks.


Outlook from Offsite (RPC over HTTPS or Outlook Anywhere) - Those with laptops who currently use RPC over HTTPS we believe you'll want to stay with this solution in Exchange 2007. The name has changed to Outlook Anywhere. Configuration instructions are here: Outlook Anywhere.

Outlook 2007 IMAP or Thundirbird IMAP

Outlook Web Access

SLAC Windows Citrix Farm also has an Outlook application.

Other methods of connection are described on the SLAC e-mail configuration page.

Files AFS Files: OpenAFS Client and MIT Kerberos for Windows - available for download from Currently xweb is only available from onsite but we are working to remove this restriction. Until this changes please use Citrix to gain access to xweb. You can also download them directly from here:
Windows Files: Windows Citrix Farm gives you a SLAC "desktop" from wherever you are. This desktop has the regular windows file shares (Groups, Users) as well as access to your local hard drive. This allows you to move files from your computer to a SLAC shared file system or vice versa. From the SLAC Citrix Windows Desktop you have access to more applications than you probably have on your own computer: Oracle; Hypersnap; WinSCP; Adobe Reader; Hyena; Winzip; Office; etc.

Moving From Home Computer to Office Computer: See via SSH in the Remote Desktop section below.
Internal Web Servers Many of the restricted pages at SLAC are only restricted to the extent that you need to enter your SLAC Windows userid and password to gain access. However, there are some pages which are only available to computers on the SLAC network (like xweb). For these you can use the Citrix Farm (use either Internet Explorer or Windows Desktop) or use an SSH tunnel.
To Be Written: Specific instructions for setting up a web tunnel
Remote Desktop Via Citrix: Login to the Citrix web page and select "Windows Desktop". You'll find Remote Desktop Connection in the Programs menu, under Accessories.
Via SSH: We have documentation so that you can just tunnel your Remote Desktop session through SSH. No need for Citrix! Basically you start a specially configured SSH connection to one of the central SCCS Unix servers (e.g. noric). This gets your computer a secure communication path into the SLAC network.  Then you can start the Remote Desktop client on your computer and instead of connecting to the windows computer at SLAC you will connect to the SSH connection you just created. 

If you also want to share your local hard drives to the session then you just configure the Remote Desktop client to do so (e.g. Options on the Remote Desktop startup window; Local Resources tab; More button; Place a checkmark on the drive you want shared to session).

The SSH client handles the whole communication stream between your home computer and your SLAC computer, passing it all through a SLAC Unix server

Owner: SLAC Computer Security
Page Created: 02/16/2008
Last Updated: 10/07/2010
Feedback: Please send to
Computer Security Feedback