Network Connectivity Changes and Defender Requirement
Announcement from the CISO
“Effective June 10, 2024, OIT will begin blocking connections from the Internet to our internal campus networks, and all systems must have Microsoft Defender installed and running. We understand that your departments may have systems that require inbound connections from the Internet, and we will have an exception process in place for you to request that your system(s) requiring access from the Internet be documented. […] Any university-owned system identified on the network without Microsoft Defender installed and running will be removed from the network until the device is compliant.”
More information at the UT Employee Hub
Networking
What will change?
Most importantly, these changes only affect incoming Internet network connections. Access to the Internet from your system will not be affected. You will continue to be able to browse the web, download files, etc. without noticing any difference. Connections from within the UT network (e.g. remote desktop connections from one system on campus to another) are also not affected. Only connections originating from outside the UT network are affected by this change.
The main takeaway for most users will be that all connections from off-campus will require the use of the UTK VPN.
Windows and MacOS Desktop/Laptop Systems
For the majority of regular desktop/laptop systems, nothing will change. You will continue to use the UT network in much the same way as before. Remote connections to desktops will continue to work through the UTK VPN.
Linux Desktop/Laptop Systems
Secure Shell (SSH) connections to systems on the UT network will require the use of the VPN. If you need to have your SSH connections accessible from the Internet without the VPN requirement, you will need to file a network exception request (see below).
Linux Lab/Virtual Lab Systems
Connections to EECS Linux lab systems (e.g. Hydra) and virtual lab systems (e.g. VLSI) will require use of the UTK VPN. This includes both SSH and RealVNC connectivity.
Servers
If your system provides services to other UTK systems (e.g. shared network drives), you will not need to request an exception. However, any incoming network connection from outside the UT network will either need to go through the UTK VPN or you will need to request an exception. Examples of services that require exceptions include:
- Public-facing (non-intranet) web servers (http and https).
- SSH servers that need to be accessible to non-UTK users.
- Public file sharing services such as anonymous FTP or SFTP.
Network Exception Request
Online Form
OIT has prepared a web form for single-system exceptions. If you have multiple exceptions to request, you may also fill in a spreadsheet and submit them in bulk. Please visit https://utk.teamdynamix.com/TDClient/2277/OIT-Portal/Requests/ServiceDet?ID=54151 for more information.
Exception Details
The form and spreadsheet require several pieces of information about the exception you wish to request. See below for some examples:
| Source (IP name and/or number if known) | Destination (IP name and/or number) | What service does this provide? | What protocols are required for continued access to this system? | Network Port(s) (if applicable) | Why are you requesting access from off-campus? | Who accesses this service? (NetIDs) |
|---|---|---|---|---|---|---|
| 1.2.3.4 | myserver1.eecs.utk.edu | REST API server for project X | http, https | 80, 443 | To provide API access for our customer, Widget Inc. | Widget Inc. support personnel |
| Public access | myserver2.eecs.utk.edu | Public-facing web server for project Y | http, https | 80, 443 | Main website for project Y | general public |
| 30.40.50.70/24 | myserver3.eecs.utk.edu | Login server for collaborators | OpenSSH | 22 | To allow our collaborators to access our research system remotely | Users at Spacely Sprockets coming in from the network specified |
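Before filing a request for a self-managed server, it helps to know exactly which ports the host exposes so the exception covers only what is needed. The script below is an added example, not part of the OIT/EECS announcement: it reads `ss -ltn` output (a constructed sample is embedded), drops loopback-only listeners, and prints the destination, protocol and port columns of the form for each remaining port. The destination name `myserver3.eecs.utk.edu` is taken from the table above.

```shell
#!/bin/sh
# Added example, not part of the OIT/EECS announcement: list the TCP ports a
# Linux server listens on for non-loopback addresses. After June 10, 2024 those
# are reachable from off campus only through the UTK VPN or a network
# exception, so they are what an exception request has to enumerate.
# Input is the output of `ss -ltn`; a constructed sample is embedded so the
# script runs without a real socket table.

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::1]:6379          [::]:*
LISTEN 0      128    [::]:22             [::]:*'

# exposed_ports SS_OUTPUT: distinct ports bound to a wildcard or routable
# address, ascending. Loopback-only listeners (127.x, ::1) are skipped:
# nothing off the host can reach them, so no exception is needed for them.
exposed_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[0-9]+$/, "", host)   # address part before it
        if (host ~ /^(127\.|\[::1]$|localhost$)/) next
        print port
    }' | sort -n -u
}

# exception_rows SS_OUTPUT DESTINATION: one line per exposed port laid out as
# the OIT form columns destination | protocol | port. The protocol is guessed
# from the well-known port; anything else is left for the requester to fill in.
exception_rows() {
    exposed_ports "$1" | while read -r port; do
        case "$port" in
            22)  proto="OpenSSH" ;;
            80)  proto="http" ;;
            443) proto="https" ;;
            21)  proto="ftp" ;;
            *)   proto="unknown (fill in)" ;;
        esac
        printf '%s | %s | %s\n' "$2" "$proto" "$port"
    done
}

# On a real server: exception_rows "$(ss -ltn)" "$(hostname -f)"
exception_rows "$SAMPLE_SS_OUTPUT" myserver3.eecs.utk.edu
```

The MySQL and Redis listeners in the sample are bound to loopback and therefore do not appear in the output; only 22, 80 and 443 would need to be listed.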
Microsoft Defender
The OIT security office now requires all UT-owned systems to run the Microsoft Defender for Endpoint (MDE) security software. MDE is a cybersecurity platform that provides advanced threat protection, attack surface reduction, and integrated security capabilities for enterprise networks and devices. MDE is available for Windows, MacOS, and Linux.
What will change?
Windows Desktop/Laptop Systems
If your UT-owned Windows Desktop or Laptop was set up by EECS IT, it is already running MDE and you will not need to make any changes. In the very unlikely event that you have a UT-owned Microsoft Windows system that was not installed and configured by the EECS IT staff, please contact us as soon as possible for remediation.
MacOS Desktop/Laptop Systems
For over a year, EECS IT has installed MDE on all MacOS systems that we process at the help desk. However, please confirm that your system is properly protected by MDE. You can check your menu bar for the Defender shield logo. When clicking on this, you should see a menu similar to the one below:
If you do not see the Defender shield logo in your MacOS menu bar or you get any errors, please contact EECS IT at your earliest convenience.
Linux Desktop/Laptop Systems
For any Linux system not managed by EECS IT, you will be responsible for installing MDE. This requires an onboarding package provided by OIT. You can download Defender for Linux from the UT Software Distribution page. If you are currently using a configuration management system, such as Ansible, to configure your Linux system(s), automatic onboarding is possible. For assistance, please contact the OIT Help Desk.
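Once the package and the OIT onboarding package are installed, the Linux counterpart of checking the macOS menu bar shield is the `mdatp health` command shipped with Defender for Linux. The script below is an added example, not part of the OIT/EECS announcement: it parses that command's key/value output and reports whether the sensor is healthy, has real-time protection enabled and is onboarded to a tenant (non-empty `org_id`). A constructed sample of the output is embedded so the check can be exercised on a machine without the sensor.

```shell
#!/bin/sh
# Added example, not part of the OIT/EECS announcement: confirm that Defender
# for Endpoint on a Linux system is onboarded and running, the state the
# network compliance check in the announcement looks for. It parses the
# key/value lines printed by `mdatp health`; a constructed sample is
# embedded so the logic can be exercised on a machine without the sensor.

SAMPLE_MDATP_HEALTH='healthy                                     : true
licensed                                    : true
engine_version                              : "1.1.0.0"
real_time_protection_enabled                : true
real_time_protection_available              : true
org_id                                      : "00000000-0000-0000-0000-000000000000"'

# mde_field OUTPUT NAME: value of one `mdatp health` field, quotes stripped.
mde_field() {
    printf '%s\n' "$1" | awk -F' *: *' -v name="$2" \
        '$1 == name { v = $2; gsub(/"/, "", v); print v; exit }'
}

# mde_status OUTPUT: returns 0 only when the sensor reports healthy, has
# real-time protection on, and carries an org_id (i.e. the onboarding
# package was applied); otherwise prints each failing condition and returns 1.
mde_status() {
    rc=0
    [ "$(mde_field "$1" healthy)" = "true" ] ||
        { echo "sensor reports unhealthy"; rc=1; }
    [ "$(mde_field "$1" real_time_protection_enabled)" = "true" ] ||
        { echo "real-time protection is off"; rc=1; }
    [ -n "$(mde_field "$1" org_id)" ] ||
        { echo "no org_id: onboarding package not applied"; rc=1; }
    return $rc
}

# Live check when the sensor is installed; otherwise exercise the sample.
if command -v mdatp >/dev/null 2>&1; then
    mde_status "$(mdatp health)" && echo "compliant"
else
    mde_status "$SAMPLE_MDATP_HEALTH" && echo "sample output: compliant"
fi
```

A non-zero exit from `mde_status` is the condition under which the announcement says a system will be removed from the network, so it is worth running after every install or update.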
Servers
All Windows and Linux servers must also be protected by MDE. There is currently an annual charge of $61 per server for Defender for Endpoint, for any server system, whether Windows or Linux. Research groups will be responsible for funding these costs, whether or not those servers are managed by EECS IT. If your server system is currently managed by EECS IT, you will be contacted by us to arrange for MDE purchase and installation. For self-managed servers, please contact EECS IT so we can assist you with the purchase and onboarding of your system.