Networking, Firewall, Service Plan Details

For IT Pros: This page contains links to information about the settings of the campus firewall groups available for use by campus IT pros.

Because no two departments on campus are the same, several firewall plans are provided to serve a variety of needs. The group model allows departments to benefit from the protection of the firewalls that are already in place at the entrance and exit of the campus network, while also allowing Technology Services to maintain a manageable and flexible rule set on the campus firewalls.

The firewall groups without "+ UI" in their titles treat the Springfield and Chicago campuses as external to the Urbana firewall. The groups with "+ UI" in their titles treat all three University of Illinois campuses as within the firewall. See Networking, Guide to University of Illinois IP Spaces for a list of the IP ranges that are treated as internal network space in the "+ UI" firewall groups.

Click on a firewall group's name for more details.

| Group name | Allows in | Good for |
| --- | --- | --- |
| Fully Closed * OR Fully Closed + UI | None (Fully Closed is the default group) | Desktops |
| Fully Closed + Remote Administration OR Fully Closed + Remote Administration + UI | Only SSH and some Apple remote administration ports (22, 3283, and 5988). If you require Windows RDP access you can use the campus RDP Gateway: rdpgateway.illinois.edu | Desktops |
| Mostly Closed * OR Mostly Closed + UI | Only the most popular services such as web, email, and file transfer. (Port list) | Web/email servers |
| Mostly Closed + Remote Administration OR Mostly Closed + Remote Administration + UI | Popular services such as web, email, and file transfer plus remote administration ports. (Mostly Closed port list + remote administration port list) | Web/email servers |
| Mostly Open * OR Mostly Open + UI | All except web, mail, and a selected assortment of other services. (Port list) | Other servers |
| Fully Open | All except ports always blocked at the campus firewall | Special cases |

* Note that port behaviors have changed with the recent security policy changes to block at-risk ports. For Telnet (port 23), RDP (port 3389), VNC (port 5900), and, upcoming as of May 30, 2017, SSH (port 22), the current policy is to always allow these ports from other UI campuses and always block them from anywhere else.

Private IP space, NAT, and campus firewalls

Private IP space consists of IP addresses that can be used internally within the campus network but are not routed on the Internet. Networking, Guide to University of Illinois IP Spaces explains the private IP ranges available and the recommendations for their use.

Computers which are hosted in private IP space can connect to the Internet with the help of Network Address Translation (NAT), which maps the computer's private IP address to a public IP address.

If you are interested in using NAT with private IP space, contact Network Engineering. NAT is most useful for large networks that can free up many large IP blocks.




Keywords: firewalls, firewall groups, firewall plans, UI, IP ranges, fully closed, remote administration, mostly closed, fully open, mostly open, private IP space, NAT, Network Address Translation, IP blocks
Doc ID: 47748
Owner: David G.
Group: University of Illinois Technology Services
Created: 2015-02-27 11:33 CDT
Updated: 2017-04-17 11:08 CDT
Sites: University of Illinois Technology Services