Networking, Firewall, Service Plan Details

For IT Pros. This page describes the firewall groups available to campus IT pros and links to the details of the settings in each group.

Because no two departments on campus are the same, several firewall plans are provided to serve a variety of needs. The group model allows departments to benefit from the protection of the firewalls that are already in place at the entrance and exit of the campus network, while also allowing Technology Services to maintain a manageable and flexible rule set on the campus firewalls.

The firewall groups without "+ UI" in their titles treat the Springfield and Chicago campuses as external to the Urbana firewall. The groups with "+ UI" identifiers treat all three University of Illinois campuses as within the firewall. See Networking, Guide to University of Illinois IP Spaces for a list of the IP ranges that are treated as internal network space in the +UI firewall groups.

Click on a firewall group's name for more details.

Table of port groups

Group name | Allows in | Good for
Fully Closed * or Fully Closed + UI | None (Fully Closed is the default group) | Desktops
Fully Closed + Remote Administration * or Fully Closed + Remote Administration + UI | Only SSH and some Apple remote administration ports (22, 3283, and 5988). If you require Windows RDP access, use the campus RDP Gateway: rdpgateway.illinois.edu | Desktops
Web Only * or Web Only + UI | Only web services (Port list) | Web servers
Mostly Closed * or Mostly Closed + UI | Only the most popular services such as web, email, and file transfer (Port list) | Web/email servers
Mostly Closed + Remote Administration or Mostly Closed + Remote Administration + UI | Popular services such as web, email, and file transfer, plus remote administration ports (Mostly Closed port list + remote administration port list) | Web/email servers
Mostly Open * or Mostly Open + UI | All except web, mail, and a selected assortment of other services (Port list) | Other servers
Fully Open | All except ports always blocked at the campus firewall | Special cases

* Note that port behaviors have changed with the recent security policy changes to block at-risk ports. For Telnet (port 23), RDP (port 3389), VNC (port 5900), and, as of May 30, 2017, SSH (port 22), the current policy is to always allow these ports from the other UI campuses and always block them from anywhere else, whichever group a host is in. For SSH only, traffic from other UI campuses to Fully Closed (but not Fully Closed + Remote Administration) is also blocked.
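The table and the footnote above combine in ways that are easy to misread (for example, Fully Closed + Remote Administration admits SSH, but only from the other UI campuses, and Fully Open still does not admit RDP from the Internet). The following is an added example, not Technology Services code: a small Python model of the group table and the at-risk-port policy that lets you check what a planned group would expose before you request it. The Web Only, Mostly Closed and Mostly Open port sets are placeholders (the page only links to its port lists), the zone names are mine, and two readings are assumptions: that hosts already inside the Urbana firewall are not filtered by the group at all, and that the at-risk-port rule is evaluated before a +UI group's internal classification.

```python
"""Policy model of the campus firewall groups described above.

Added example, not Technology Services code. Source zones are
'urbana' (inside the Urbana firewall), 'ui' (Springfield or Chicago)
and 'external' (everything else).
"""

# Ports named on the page.
REMOTE_ADMIN = {22, 3283, 5988}   # SSH and Apple remote administration
AT_RISK = {23, 3389, 5900, 22}    # Telnet, RDP, VNC, SSH (SSH since 2017-05-30)

# ASSUMED port lists: the page links to its "Port list" pages without
# reproducing them, so these are placeholders for illustration only.
WEB = {80, 443}
MOSTLY_CLOSED = WEB | {21, 25, 587, 993, 995}
MOSTLY_OPEN_BLOCKED = WEB | {25, 587, 993, 995}

# Base group -> (mode, ports). "allow" lists what gets in; "block" lists
# what is kept out, and everything else gets in.
GROUPS = {
    "Fully Closed": ("allow", set()),
    "Fully Closed + Remote Administration": ("allow", REMOTE_ADMIN),
    "Web Only": ("allow", WEB),
    "Mostly Closed": ("allow", MOSTLY_CLOSED),
    "Mostly Closed + Remote Administration": ("allow", MOSTLY_CLOSED | REMOTE_ADMIN),
    "Mostly Open": ("block", MOSTLY_OPEN_BLOCKED),
    "Fully Open": ("block", set()),
}

ZONES = ("urbana", "ui", "external")


def split_group(name):
    """Return (base group name, plus_ui flag) for a group title."""
    suffix = " + UI"
    if name.endswith(suffix):
        return name[: -len(suffix)], True
    return name, False


def allowed(group, port, src_zone):
    """Is a TCP connection to `port` from `src_zone` admitted by `group`?

    Precedence follows the page: the at-risk-port policy is applied before
    the group's own list, and the +UI variants only change how traffic from
    the other UI campuses is classified.
    """
    if src_zone not in ZONES:
        raise ValueError(f"unknown zone {src_zone!r}")
    base, plus_ui = split_group(group)
    mode, ports = GROUPS[base]  # KeyError for an unknown group is deliberate

    # Assumption: the campus firewall only filters traffic crossing it, so
    # hosts already inside the Urbana firewall are not subject to the group.
    if src_zone == "urbana":
        return True

    # At-risk ports: always allowed from the other UI campuses (except SSH
    # into Fully Closed), always blocked from anywhere else, whatever the group.
    if port in AT_RISK:
        if src_zone == "ui":
            return not (port == 22 and base == "Fully Closed")
        return False

    # +UI groups treat Springfield and Chicago as inside the firewall.
    if plus_ui and src_zone == "ui":
        return True

    return port in ports if mode == "allow" else port not in ports


def exposure(group, candidate_ports):
    """Map each candidate port to the zones from which it is reachable."""
    return {p: [z for z in ZONES if allowed(group, p, z)]
            for p in sorted(candidate_ports)}


if __name__ == "__main__":
    for name in ("Fully Closed + Remote Administration", "Fully Open"):
        print(name)
        for port, zones in exposure(name, AT_RISK | WEB).items():
            print(f"  {port:>5}: {', '.join(zones)}")
```

Run it with the group you intend to request and the ports your service actually listens on; any port that shows only `urbana` (or `urbana, ui`) is one that off-campus users will not reach, which for RDP is exactly the case the RDP Gateway exists for.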

Private IP space, NAT, and campus firewalls

Private IP space consists of IP addresses that can be used internally within the campus network but are not routed on the Internet. Networking, Guide to University of Illinois IP Spaces explains the private IP ranges available and the recommendations for their use.

Computers which are hosted in private IP space can connect to the Internet with the help of Network Address Translation (NAT), which maps the computer's private IP address to a public IP address.

NAT is enabled for all private networks routed on campus. Without NAT enabled, private networks may not be able to reach certain cloud resources such as Azure AD, email relays, and Shibboleth. If you do not want NAT enabled on a certain network, contact Network Engineering.



Keywords:
firewalls, firewall groups, firewall plans, UI, IP ranges, fully closed, remote administration, mostly closed, fully open, mostly open, private IP space, NAT, Network Address Translation, IP blocks 
Doc ID:
47748
Owned by:
Network E. in University of Illinois Technology Services
Created:
2015-02-27
Updated:
2023-10-20
Sites:
University of Illinois Technology Services