Virtual private network (VPN)

VPN service upgrade

You now need to access the Cisco AnyConnect Client using your Single Sign-On (SSO) password.

 

Internet traffic goes through University servers. While using the VPN some of your internet traffic will route through the University.  You are therefore bound by our IT Rules and Regulations until you close the connection.

Some web pages and online resources can only be accessed by computers directly connected to the Oxford University campus network.  Access to these restricted resources from outside the campus network is provided via the IT Services VPN Service.

Using the Cisco AnyConnect client, the VPN service provides your device with virtual connection to the campus network so it behaves as it would when on campus.

Expand All

The following is required to access the IT Services VPN service:

The Cisco AnyConnect VPN client, renamed Cisco Secure Client for some mobile devices, is available for a number of operating systems.

University devices

Cisco AnyConnect may already be installed on devices provided by your college or department

 

 

  1. Download the appropriate AnyConnect VPN client from our Software downloads page for:

    • Windows 11 (64-bit)
    • Current Microsoft supported versions of Windows 10 x86 (32-bit) and x64 (64-bit)

  2. Launch the installer and complete the installation
  3. Open the Cisco AnyConnect application
  4. Enter vpn.ox.ac.uk into the dropdown box
  5. Select Connect
  6. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

Orchard devices

For Managed Mac (Orchard) devices, please refer to the service's own installation instructions

 

 

  1. Download the appropriate AnyConnect VPN client from our Software downloads page for:

    • macOS 13 Ventura (64-bit)
    • macOS 12 Monterey (64-bit)
    • macOS 11 Big Sur (64-bit)

  2. Launch the installer and complete the installation
  3. Open the Cisco AnyConnect application
  4. Enter vpn.ox.ac.uk into the dropdown box
  5. Select Connect
  6. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

It is recommended that you disable the VPN menu if you do not use the built-in client for any other connections. The Cisco AnyConnect client will add itself to the macOS menu bar to allow easy starting of the client. This means that the VPN menu is redundant and can be removed to avoid confusion.

macOS prior to Ventura (13.0) 

  1. Click on the Apple menu in the upper-left corner of the screen and select System Preferences
  2. Click on the Network icon
  3. Select the VPN connection from the list on the left-hand side of the window
  4. Uncheck the box next to Show VPN status in menu bar to disable the VPN menu bar icon
  5. Click Apply

macOS Ventura (13.0) +

  1. Click on the Apple menu in the upper-left corner of the screen and select System Settings
  2. Click on the Control Centre icon
  3. Scroll down to the Other Modules section and locate the VPN option
  4. Click on the VPN option to modify its setting
  5. Select Don’t Show in Menu Bar to disable the VPN menu bar icon
     
  1. Download the Cisco Secure Client from the device’s app store
  2. Open the application
  3. Select Connections > Add VPN Connection...
  4. Select Server Address, provide vpn.ox.ac.uk
  5. Select Save
  1. Download the Cisco Secure Client from the device’s app store
  2. Open the application
  3. Select Connections > Add New VPN Connection
  4. Select Server Address then provide vpn.ox.ac.uk
  5. Select Done
  1. Open the launcher and select the Chrome Web Store
  2. Search for the Cisco AnyConnect app, then add it to Chrome
  3. Open the application
  4. Select Add New Connection
  5. For the Server Address provide vpn.ox.ac.uk
  6. Select Save
    1. The AnyConnect VPN Client for Linux is available from our Software downloads page for:

      • Linux Red Hat 8 and 9
      • Ubuntu 20.04 and 22.04

      Other Linux distributions that may fulfil the requirements are detailed in the release notes.

    2. If not extracted automatically, unpack the downloaded file using an archive manager or type tar -xzvf filename from a terminal window (replacing filename with the file's name)
    3. In a terminal window, navigate to the newly created directory beginning 'anyconnect', then to the VPN directory
    4. Start the installation by typing sudo ./vpn_install.sh
    1. Open the Cisco AnyConnect application
    2. Type vpn.ox.ac.uk into the dropdown box
    3. Select Connect
    4. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. Open the Cisco AnyConnect application
    2. Type vpn.ox.ac.uk into the dropdown box
    3. Select Connect
    4. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. Open the Cisco AnyConnect / Secure Client application
    2. Select the AnyConnect VPN toggle
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. Open the Cisco AnyConnect / Secure Client application
    2. Select the AnyConnect VPN toggle
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. Select the WiFi icon in the notifications bar
    2. Choose VPN and select vpn.ox.ac.uk
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. To start the client either:

      • Select Cisco AnyConnect Secure Mobility Client from the Applications menu
      • Type vpnui at the command line in the installation directory (for Ubuntu this is /opt/cisco/bin)

    2. Provide vpn.ox.ac.uk then Connect
    3. Provide your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password

    Note:

    You will need to enter your Oxford username and Single Sign-On password every time you log in.

     
    1. Select the VPN icon in the system tray
    2. Select Disconnect
    1. Select the VPN icon in the system tray
    2. Select Disconnect
    1. Open the Cisco AnyConnect / Secure Client application
    2. Toggle the VPN connection to show as disconnected
    1. Open the Cisco AnyConnect / Secure Client application
    2. Toggle the VPN connection to show as disconnected
    1. Select the WiFi icon in the notifications bar
    2. Select VPN
    3. Select Disconnect
    1. Select the VPN client in the system tray
    2. Select Disconnect

    Please do not install third-party or native VPN clients as they will not allow you to access the upgraded VPN service: VPN (virtual private network) replacement project

    Cisco AnyConnect VPN Client

    The Cisco AnyConnect VPN client requires an SSL tunnel and optionally a DTLS tunnel.

    SSL TCP port 443
    DTLS UDP port 443

    Firewalls

    VPN clients contact the VPN servers in the netblock 192.76.7.64/27.

    VPN clients will be given an IP address from the private IP ranges of 10.1.32.0/20 or 10.10.64.0/18.  These private addresses will be mapped to a public IP in the 129.67.116.0/22 netblock by the use of dynamic PAT.

    Information is also provided in the Cisco AnyConnect client's own FAQtroubleshooting guide and release notes.

    If this does not, or the troubleshooting guide and FAQ below, resolve your issue you can contact your local IT Support Staff or the Service Desk, including details of:

    • Your operating system and version
    • Your AnyConnect VPN Client version
    • Your Internet Service Provider

    Expand All

    Some University online resources, particularly web pages, can only be accessed by devices directly connected to the University's network.

    Examples of restricted services include:

    • Accessing the HR Self-Service for online payslips
    • Accessing certain secured departmental and college web pages
    • Connecting to local departmental services
    • Accessing departmental network drives
    • Viewing external websites when using the OWL WiFi network

    Use your Oxford username followed by @OX.AC.UK, for example abcd1234@OX.AC.UK.

    Your Single Sign-On password is also used for your Nexus365 account and the password can be set up or reset at Accounts and passwords

    There is no way to make the client remember your Oxford username or Single Sign-On (SSO) password.

    Each time you log in to the Cisco VPN you will need to use your Oxford username and Single Sign-On (SSO) password.

    Please note that with the upgraded service:

    • The Cisco AnyConnect Client is configured to enable local network access (for local printing and file access) while the VPN is connected, so you no longer need to log out and back in to carry out those tasks
    • High volume Microsoft traffic (such as Teams) is sent outside the VPN tunnel by default, which means the service has greater capacity so there is no need to disconnect from the VPN service when not using it
    • If you are using managed staff (CONNECT) devices, these are now set up in such a way that you can access University network drives without you having to personally connect to the VPN. You will still need to start the VPN to use other services that need it, for example HR Self-Service.

    To access the VPN you will need:

    You will not be able to use the VPN service where:

    • You cannot install new software onto your device, such as in an internet café or public library
    • Your Internet Service Provider or organisation blocks the use of a VPN
    • You are trying to access it through software other than the Cisco AnyConnect Client
    • You are trying to sign in using your Remote Access, instead of Single Sign-On (SSO) password
    • Your Cisco Client is not up-to-date
    • You are not using a supported operating system 

    Many services do not require the VPN and are restricted by Single Sign-On (SSO) only, this includes services such as email, Nexus365 apps (for example Microsoft Teams) and the Libraries SOLO service.

    The standard VPN configuration is to allow you to connect to devices, such as home assistants or printers on your local wireless network, during an active VPN connection.

    If you find this is not the case, you can set this functionality manually by selecting the settings cog icon   at the bottom left of the Cisco client login screen. Select the Preferences tab and tick Allow local (LAN) access when using VPN (if configured).

    The Cisco AnyConnect socket filter uses a network system extension on macOS and has a role in monitoring, routing and filtering network traffic on the VPN connections. It runs all the time, even when VPN is not connected, although it doesn’t actively do much.

    If this component appears to cause problems the first step should be to ensure the most recent VPN Cisco client is running. You can see the latest versions of the Cisco AnyConnect VPN client from our Software downloads page. If this is the case and issues persist, the component can be uninstalled by deleting the application Cisco AnyConnect Socket Filter.app and rebooting.

    This is not the case, but people using macOS may get this impression because of a network extension called the Cisco AnyConnect Socket Filter. This is designed to run all the time, even when the VPN client is not active. However, it doesn't connect to anything (it chiefly does monitoring, routing and filtering of network traffic on the VPN connection), and certainly isn’t an indication that the VPN is connecting automatically.

    Make sure you are entering your Single Sign-On (SSO) password. You can reset your Single Sign-On password at Accounts and passwords.

    If you use Kaspersky security software you may need to add an exception to trust the VPN software.

    To add an exception to either Kaspersky Internet Security 2010 and Kaspersky Anti-Virus 2010:

    1. Right-click on the Kaspersky icon near your system clock and choose Settings
    2. Select Options > Threats and exclusions
    3. Under the Exclusions section, select Settings....
    4. Select the Trusted applications tab, then Add
    5. Select Browse...
    6. Locate the vpnagent program (normally in C:\Program Files\Cisco\Cisco AnyConnect VPN Client), then Open.
    7. In the window titled Exclusions for application, under Exclusions check the box Do not scan network traffic.
    8. Click OK, OK, then OK again to close the settings window and apply the changes.

    To check whether you have the current version installed:

    1. Start the AnyConnect VPN Client.
    2. Compare the latest version of the software available for your operating system in the VPN section of the IT Services software download page.

      • On Windows and Linux systems, select the About tab.
      • On macOS systems, check the bottom-right of the AnyConnect VPN Client window.

    3. If the version number shown on the downloads page for your operating system is higher than the start of your version, download and install it.

    Windows

    1. Select Start Menu > Settings > Apps
    2. Select the entry for Cisco AnyConnect Secure Mobility Client, then Uninstall

    macOS

    1. Select ApplicationsCisco
    2. Select Uninstall AnyConnect
    3. Follow the prompts to uninstall the program.

    Linux

    1. Open a terminal window
    2. Type the command sudo /opt/cisco/vpn/bin/vpn_uninstall.sh.
    3. You will be prompted for your password.

    Sometimes you may feel that the network you are using is particularly untrustworthy (for instance if you get an on-screen warning that the network is not secure).  In these circumstances you should use VPN encryption on all your network communication. To do so, you should connect to vpn.ox.ac.uk/tunnel-all by typing this into the login box instead of vpn.ox.ac.uk.  This will cause all network traffic to go through the VPN tunnel.  It will still be possible to access your local network (for local printing and file access) with this configuration.

    Get support


    If you cannot find the solution you need here then we have other ways to get IT support

    GET IT SUPPORT