Difference between revisions of "Offsite Access"

From CELS IT Wiki
 
(What does that mean to me?)
 
(32 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Secure Access Policy (includes SSH and VPN info)
+
__TOC__
  
  1. What is the policy?
+
==Secure Access Policy (includes SSH and VPN info)==
  2. What does that mean to me? (Updated 06/01/2004)
+
===What is the Secure Access policy?===
  3. How do I log in?
 
  4. How do I transfer files?
 
  5. Where do I get SSH software for my computer?
 
  6. What is Port Forwarding and how do I set it up? (includes info for using X windows)
 
  7. How can I check my email when I'm not on the MCS network?
 
  8. Is there any more information about SSH?
 
  9. How will this policy be enforced?
 
 
 
Dialup
 
 
 
  1. How can I dial in over the phone?
 
 
 
Cable Modem/DSL
 
 
 
Many of our users are switching to cable modems, as they are inexpensive (around $50/month) and faster (around 400kbps) than ISDN.  Below are tips you'll use.  Call your local cable company for cablemodem availability.  For DSL, check out DSL Reports.
 
 
 
  1. What do I need to do to be able to interact with the MCS Windows domain?
 
  2. What do I do if I want to use more than one computer?
 
 
 
 
 
 
^ Back to Questions ^
 
 
 
 
What is the Secure Access policy?
 
  
 
External network connections to MCS resources shall not use clear text reusable passwords for authentication.  Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.
 
External network connections to MCS resources shall not use clear text reusable passwords for authentication.  Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.
 
 
 +
===What does that mean to me?===
  
^ Back to Questions ^
+
It means that if you're using a network to access MCS resources from outside MCS office space, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.
 
 
 
What does that mean to me?
 
 
 
It means that if you're using a network to access MCS resources from outside Argonne Building 221 or MCS office space in Argonne Building 203, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.
 
  
Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall.  The list of machines to which you can SSH directly is:  
+
Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless.  The list of machines to which you can SSH directly is:  
  
General Login
+
*General Login
 +
**login1.mcs.anl.gov
 +
**login2.mcs.anl.gov
 +
**login3.mcs.anl.gov
 +
**login4.mcs.anl.gov
 +
::(The above can all be accessed as "login.mcs.anl.gov")
  
terra.mcs.anl.gov
 
shakey.mcs.anl.gov
 
harley.mcs.anl.gov
 
  
(The above can all be accessed as "login.mcs.anl.gov")
+
These machines require SSH keys for login.  See the [[SSH_keys| SSH Key FAQ]] for details.  If you use the VPN, you can SSH direct to any machine (except those listed above) you can use onsite, using your password as authentication.
  
DSL-only
+
The current RSA key fingerprint for the login machines will show up as one of the following depending on OS, and version of ssh you are connecting with.
  
wiggum.mcs.anl.gov
+
- RSA key fingerprint is 32:ae:2e:3a:41:1d:06:ab:00:e0:43:b7:13:ff:3f:7c.
  
Chiba City
+
- RSA key fingerprint is SHA256:I/3YpntSAgCpC/CHl/ULXA2elt4GEb+huvJtXoFEOyc.
  
chiba.mcs.anl.gov
+
If you see a warning message that the key has changed and either of the above two keys are listed as the new key, it is the right machine, and you should follow the instructions given in the error message so you can login properly.
 
 
 
These machines require SSH keys for login.  See the SSH Key FAQ for details.  If you use the VPN, you can SSH direct to any machine you can use onsite, using your password as authentication.
 
 
  
^ Back to Questions ^
+
''NOTE''
 +
*Login machines are a shared resource and are meant for login/access purposes only. We will not tolerate any resource intensive processes such as compiling source or long running code. These systems are meant to provide a gateway to other resources here in MCS where you can do your work
 +
*/sandbox no longer exists on the logins. It has been re-tasked to be /scratch and as such will be cleaned out periodically. Currently any file that hasn't changed in 7 days will be deleted from /scratch. This new policy should hopefully help to keep the area from filling up and still provide a local disk to drop files temporarily.
  
+
===How do I log in?===
How do I log in?
 
  
The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains.  You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login.  If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the MCS VPN client first.
+
The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains.  You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login.  If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the [https://credentials.anl.gov/VPN/index.htm VPN] client first.
  
 
Other protocols may also be available, depending on circumstance.
 
Other protocols may also be available, depending on circumstance.
 
 
 
+
===How do I transfer files?===
^ Back to Questions ^
 
 
 
 
How do I transfer files?
 
  
 
You're probably asking this question because you're used to using the old Internet protocol FTP.  There are several ways to work around the fact that this protocol uses reusable clear text passwords:
 
You're probably asking this question because you're used to using the old Internet protocol FTP.  There are several ways to work around the fact that this protocol uses reusable clear text passwords:
  
    * Our best recommendation is to use the file transfer protocol that comes with SSH called scp.  This guarantees that you're using full-strength encryption for both the authentication and the file transfer itselfA windows version can be found here.
+
* Use SCP or SFTP to transfer files over SSH.   
    * You can initiate an FTP transfer on the MCS side to any remote site. The policy allows outgoing network connections from MCS to use any protocol you may wish, including traditional FTP.  That might mean, for example, that you log into MCS using SSH, but then FTP back to the remote site you're at.
+
**[http://winscp.net/eng/index.php Windows client]
    * You can use the anonymous FTP server directory ftp://ftp.mcs.anl.gov/incoming as a place to put and get files.  This directory can be accessed at /home/ftp/incoming on all MCS UNIX systems.
+
**[http://rsug.itd.umich.edu/software/fugu/ Mac OS X GUI client]Mac OS X has ssh, scp and sftp built in.
    * You can use port forwarding to tunnel the authentication of FTP through an encrypted SSH linkSee the question "How do I set up port forwarding?" for more information.
+
**linux and unix machines typically have ssh, scp and sftp installed by default.
    * You can use the Windows VPN, and ftp will work as you expect it to normally.
 
 
 
FTP is pretty much disabled on hosts inside the firewall.  The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.
 
 
  
^ Back to Questions ^
+
Authenticated FTP is not supported.
  
+
===Where do I get SSH software for my computer?===
Where do I get SSH software for my computer?
 
  
 
This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.
 
This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.
  
For UNIX, you can download the source code for SSH from the InternetWe require SSH Protocol Version 2.
+
Most unix and linux machines have SSH and its associated utilities installed by default.  If you're running your own unix/linux machine, you should know how to get these packages.
 
 
If a search of sites for SSH is unproductive, you can try to get ssh is also via anonymous ftp from the following sites:
 
 
 
    Australia:
 
    ftp://coombs.anu.edu.au/pub/security/tools
 
    Chile:
 
    ftp://ftp.inf.utfsm.cl/pub/security/ssh
 
    Finland:
 
    ftp://ftp.funet.fi/pub/unix/security/login/ssh
 
    Germany:
 
    ftp://ftp.cert.dfn.de/pub/tools/net/ssh
 
    Hungary:
 
    ftp://ftp.kfki.hu/pub/packages/security/ssh
 
    Ireland:
 
    ftp://odyssey.ucc.ie/pub/ssh
 
    Poland:
 
    ftp://ftp.agh.edu.pl/pub/security/ssh
 
    Portugal:
 
    ftp://ftp.ci.uminho.pt/pub/security/ssh
 
    Russia:
 
    ftp://ftp.kiae.su/unix/crypto
 
    Slovenia:
 
    ftp://ftp.arnes.si/security/ssh
 
    United Kingdom:
 
    ftp://ftp.exweb.com/pub/security/ssh
 
    United States:
 
    ftp://ftp.net.ohio-state.edu/pub/security/ssh
 
    United States:
 
    ftp://ftp.gw.com/pub/unix/ssh
 
 
 
If you are an MCS employee using Windows, you can use the MCS site licensed SecureCRT program from VanDyke.  See the MCS Windows software web page for more information about how to install and use SecureCRT.
 
 
 
If you are not an MCS employee, or are using some other operating system, please see  http://www.employees.org/~satch/ssh/faq/ssh-faq-3.html which has been partially reproduced here.  Please read the licensing information carefully; there may be patent issues that restrict your right to use free versions.
 
Win32 (Windows9x, Windows NT, Windows 2000)
 
 
 
    * raju: ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin32/porters/Mathur_Raju
 
    * cigaly: http://www.doc.ic.ac.uk/~ci2/ssh/
 
    * f-secure: http://www.datafellows.com/products/cryptography/ 
 
    * secure crt: http://www.vandyke.com/products/SecureCRT/
 
    * ttssh: http://www.zip.com.au/~roca/ttssh.html
 
    * therapy: http://guardian.htu.tuwien.ac.at/therapy/ssh/
 
    * chaffee: http://bmrc.berkeley.edu/people/chaffee/winntutil.html
 
    * sergey okhapkin: http://miracle.geol.msu.ru/sos/ or http://www.lexa.ru/sos/
 
    * putty: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
 
    * fissh: http://www.massconfusion.com/ssh/
 
 
 
beos
 
 
 
    * http://www.be.com/beware/Network/ssh.html
 
 
 
Windows CE
 
 
 
    * mov: http://www.movsoftware.com/sshce.htm
 
 
 
Java
 
 
 
    * java-applet: http://www.cl.cam.ac.uk/~fapp2/software/java-ssh/
 
    * mindterm: client: http://www.mindbright.se/mindterm
 
    * mindtunnel: server: http://www.mindbright.se/mindtunnel.html
 
 
 
OS/2
 
 
 
    * ftp://hobbes.nmsu.edu/pub/os2/apps/internet/telnet/client/sshos203.zip
 
 
 
Macintosh
 
 
 
    * niftytelnet+ssh: http://www.lysator.liu.se/~jonasw/freeware.html
 
    * f-secure: http://www.datafellows.com/f-secure/
 
  
+
Mac OS X machines include SSH and its associated utilities by default.
  
^ Back to Questions ^
+
Windows clients: [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY], [http://www.cygwin.com/ cygwin], [http://www.google.com/search?q=free+windows+SSH+clients others]
  
+
===What is port forwarding, and how do I set it up?===
What is port forwarding, and how do I set it up?
 
  
 
Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH).  This is a good way to continue to use your familiar protocols in a secure way.
 
Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH).  This is a good way to continue to use your familiar protocols in a secure way.
Using SSH Port Forwarding with FTP on UNIX
+
====Using SSH Port Forwarding with X on UNIX or Mac OS X====
 
 
You will need to open two windows to do this, and you will need to pick a random number between 1025 and 65535.  Let's call that number NNNN.
 
 
 
In Window One, use this SSH command to establish a connection to the MCS machine unixhome.  Log in normally with ssh.
 
 
 
ssh -g -L NNNN:unixhome.mcs.anl.gov:21 unixhome.mcs.anl.gov
 
 
 
Once you're logged in, move to Window Two and start FTP using this command line:
 
 
 
ftp my.machine.name NNNN (ftp localhost may not work properly, so use the real machine name.)
 
 
 
You should get the normal FTP login prompt of the MCS machine, at which time you can log in.  Since this is using an SSH encrypted tunnel you are meeting the policy requirement to protect your password from sniffing along the way.
 
Using SSH Port Forwarding with FTP on Windows
 
 
 
See the Windows FAQ.
 
Using SSH Port Forwarding with X on UNIX
 
  
This is easy--you don' t have to do anything!  If it doesn't work, you can try "ssh -X" instead of just ssh.
+
This is easy, just use ssh -Y <hostname> and your X display settings will be sent to the remote machine, and all X Windows will open on your own display.
  
 
If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you.  All you have to do is start your favorite X application on the remote end.  Check to make sure you're not setting your $DISPLAY in any of your startup files.  Also, never use xhost +, especially in your startup files, as it's a big security hole.
 
If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you.  All you have to do is start your favorite X application on the remote end.  Check to make sure you're not setting your $DISPLAY in any of your startup files.  Also, never use xhost +, especially in your startup files, as it's a big security hole.
Using SSH Port Forwarding with X on Microsoft Windows with SecureCRT
 
  
See the X-Windows section in the Windows FAQ.
+
If you're using a Mac OS X computer, remember that X11 is not installed by default.  Instructions on installing X11 on Mac can be found at [http://xquartz.macosforge.org/trac The Xquartz site].
 
  
^ Back to Questions ^
+
====Using SSH Port Forwarding with X on Microsoft Windows====
  
+
Use Cygwin.  See [[Windows#X_Windows| Windows instructions]].  Follow the Unix instructions above after cygwin is installed.
How can I check my email when I'm not on the MCS network?
 
  
There are three methods, Secure Protocols, VPN and portforwarding.
+
==Windows interaction==
 +
===What do I need to do to be able to interact with the ANL or MCS Windows domain?===
  
Secure Protocols
+
Use the [http://www.anl.gov/employees/working-remotely/virtual-private-network-vpn VPN].
 
 
We're now supporting SMTP, IMAP and POP via SSL/TLS. You authenticate using your regular unix credentials.
 
 
 
The relevant servers and ports are:
 
 
 
    * Secure POP: imap.mcs.anl.gov (port 995) (yes, the hostname doesn't make a lot of sense)
 
    * Secure IMAP: imap.mcs.anl.gov (port 993)
 
    * SMTP: mailgw.mcs.anl.gov (port 25 or port 465) (You might have more luck with port 465)
 
 
 
The certificates are self-signed. You can accept the certificate (if you view it you'll see it's really us). If your mail application won't seem to remember your preference for allowing a self-signed certificate, some tips are included in the instructions below.
 
 
 
Mailer specific instructions:
 
 
 
Eudora:
 
 
 
  1. Click Tools, then Personalties.
 
  2. Right-click in the white area and choose "New"
 
  3. Click the Skip directly to advanced setup option and choose Finish:
 
  4. Fill in the required information. SMTP server is mailgw.mcs.anl.gov, check Authentication allows and Use relay personality.  Under Secure Sockets when Sending, choose "Required, Alternate Port".  Check the "Check Mail" box as well.
 
  5. Select the Incoming Mail tab and fill in the required information.  Server is imap.mcs.anl.gov, regardless of if you're using POP or IMAP.  Under Secure Sockets when Receiving, choose "Required, Alternate Port in the SSL".  Choose OK.
 
  6. You may get an error. It's okay.
 
  7. We need to add the certificate, so right click the Personality you just created and choose Properties.
 
  8. Choose the Incoming Mail tab, and click the Last SSL Info button.
 
          * If you get an error, cancel from this menu and try to check your mail.  Then, after the error, return to step 7.
 
  9. Choose the Certificate Information Manager button.
 
  10. Click Add to Trusted.
 
  11. Click Done, then OK, then OK, then click the Mailboxes tab in the lower left of the Eudora Window. If using IMAP, Right-click the personality you created, and choose Refresh Mailbox List.
 
  12. For sending mail, repeat steps 7-11 but use the Generic Properties Tab in step 8, and try sending mail instead of checking it in the sub-step.
 
 
 
You're done!
 
 
 
Outlook/Outlook Express: To make your mailer remember your certificates, point Internet Explorer (not any other browser)at https://imap.mcs.anl.gov:993 and choose to view the certificate. Click Install Certificate, then when asked where you'd like to place the certificate, choose "Place all certificates in the following store" and Browse to "Trusted Root Certificate Authority", then click Next, then Finish. It will ask to confirm (say yes), then you can click your way through with "OK". When back at the Security Alert window, choose no and close the browser.  Now do the same with https://mailgw.mcs.anl.gov:465 for the SMTP certificate.  Outlook now has the mail server's certificate.
 
 
 
MacOS X Mail: Follow the directions here.
 
 
 
VPN or Portforwarding:  Windows users click here, Unix/Linux read below
 
 
 
The easiest way is to just ssh to an MCS host and run pine from there.
 
 
 
But if you really want to run it from your local machine, here's how.You need SSH installed to do this.  First of all, edit the inbox-path field of your .pinerc like so:
 
 
 
    inbox-path={localhost:2143}inbox
 
 
 
Now, before running pine, make sure you have a secure session with port forwarding enabled.  To do this, execute the following command:
 
 
 
    ssh terra -L 2143:imap.mcs.anl.gov:143
 
 
 
As long as this ssh session is open, all connects to local port 2143 will go to imap.mcs.anl.gov's port 143, which is the IMAP port.  The change you made in pine above tells pine to use this new, forwarded local port, so when pine is started, you'll actually be talking to the mail server, and the entire session is secure.
 
 
 
 
^ Back to Questions ^
 
 
 
 
Is there any more information about SSH?
 
 
 
Yes, there are several commercial providers of SSH and related products:
 
 
 
    * SSH Communications Security is the Finnish organization that developed and now markets various versions of SSH.  Their web site is full of good information.
 
    * Data Fellows sells a full range of SSH-based software products in the United States.
 
    * Van Dyke Technologies also sells SSH-based software products in the United States.  They are the authors of the SecureCRT program for which MCS has purchased a site license.
 
 
 
You should also look at the SSH FAQ at http://www.employees.org/~satch/ssh/faq/ for more information and additional legal analysis about free vs. licensed versions of SSH software.
 
 
 
 
^ Back to Questions ^
 
 
 
 
How will this policy be enforced?
 
 
 
After 9:00 AM CDT on Tuesday, 22 June 1999, we put a filter in the MCS network routing equipment to disallow incoming network connections using the well known TCP/IP ports for Telnet, FTP, and rlogin.  There will be some exceptions, such as for the anonymous FTP server.
 
 
 
As of January 3, 2003, another filter was put in place restricting access to the hosts listed above.
 
 
 
As of April 26th, 2004, the above hosts were changed to accept only host-based and public-key logins.
 
 
 
Everyone in MCS is intelligent, and we are confident that many MCS employees can figure out ways around this particular enforcement mechanism.  However, please be aware that doing this will not only increase your own exposure to risk but that of the division as a whole.  If this policy or its enforcement causes you a particular problem, please feel free to contact systems@mcs.anl.gov at any time to discuss how we can best work together to meet your needs.
 
 
 
 
^ Back to Questions ^
 
 
 
 
How can I dial in over the phone?
 
If you want a PPP connection, you have a couple of choices.  Please note that if you want to use anything other than Windows for your dialup networking, you are on your own.
 
 
 
    * You can sign up with ECT's  modem pool. This is painless, but you need a cost code.  This is also the type of account you'll need for toll-free dialup.  Your local access number can be found here.  The list of pertinent ECT info, including instructions, numbers, and the 800 number can be found here.
 
    * If you're running Windows, and don't want to pay for a dialup, try a free dialup provider, such as NetZero.
 
 
 
 
 
 
^ Back to Questions ^
 
 
 
 
What do I need to do to be able to interact with the MCS Windows domain?
 
 
 
Use the VPN.
 
 
 
 
^ Back to Questions ^
 
 
 
 
What do I do if I want to use more than one computer with my connection at home?
 
  
Send e-mail to systems@mcs.anl.gov to request a NAT box.
+
You'll need to be added to the access list before you can use the VPN. You can contact the CELS Help Desk by emailing help@cels.anl.gov, this will generate a ticket to them and they will let you know when you have been added and can start using the VPN.
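Review bot: the two fingerprints added after "The current RSA key fingerprint for the login machines will show up as one of the following" are the same host key in two formats, but only the second carries its hash name (SHA256:); the first is the MD5 colon-hex form that older OpenSSH clients print, so label it MD5 and say in that sentence which client versions print which form, otherwise a user comparing against `ssh-keygen -l -E md5` output cannot tell which line applies to them. The same hunk replaces the earlier "try ssh -X" advice with `ssh -Y <hostname>` without documenting the difference: -Y requests trusted X11 forwarding and drops the X security-extension restrictions that -X keeps, so the page should present -X as the first thing to try and -Y as the fallback when an application fails under -X.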

Latest revision as of 16:26, 26 June 2018

Secure Access Policy (includes SSH and VPN info)

What is the Secure Access policy?

External network connections to MCS resources shall not use clear text reusable passwords for authentication. Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.

What does that mean to me?

It means that if you're using a network to access MCS resources from outside MCS office space, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.

Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless. The list of machines to which you can SSH directly is:

  • General Login
    • login1.mcs.anl.gov
    • login2.mcs.anl.gov
    • login3.mcs.anl.gov
    • login4.mcs.anl.gov
(The above can all be accessed as "login.mcs.anl.gov")


These machines require SSH keys for login. See the SSH Key FAQ for details. If you use the VPN, you can SSH directly to any machine you can use onsite (except those listed above), using your password as authentication.

The current RSA key fingerprint for the login machines will show up as one of the following, depending on the OS and the version of ssh you are connecting with.

- RSA key fingerprint is 32:ae:2e:3a:41:1d:06:ab:00:e0:43:b7:13:ff:3f:7c.

- RSA key fingerprint is SHA256:I/3YpntSAgCpC/CHl/ULXA2elt4GEb+huvJtXoFEOyc.

If you see a warning message that the key has changed and either of the two keys above is listed as the new key, it is the right machine; follow the instructions given in the error message so you can log in properly.
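The check described above, as an added example that is not part of the wiki page and is not code from the MCS Systems Group: it pins the two fingerprints listed for login.mcs.anl.gov, pulls the fingerprint out of the line the ssh client prints (or out of `ssh-keygen -l` output), and says whether it matches. The two listed values are one key in two formats, the MD5 colon-hex form older clients print and the SHA256 base64 form newer clients print, and OpenSSH computes both by hashing the raw public key blob, which the last function reproduces. Function names and the `ssh-rsa YWJj` public key line are constructed for the example (the blob is not a real key).

```python
import base64
import hashlib
import re

# Pinned host key fingerprints for login.mcs.anl.gov, copied from the page above.
# Both describe the same key: MD5 colon-hex form and SHA256 base64 form.
PINNED_FINGERPRINTS = {
    "32:ae:2e:3a:41:1d:06:ab:00:e0:43:b7:13:ff:3f:7c",
    "SHA256:I/3YpntSAgCpC/CHl/ULXA2elt4GEb+huvJtXoFEOyc",
}

# 16 colon-separated hex pairs, optionally prefixed "MD5:" as newer ssh-keygen prints it.
_MD5_RE = re.compile(r"\b(?:MD5:)?((?:[0-9a-f]{2}:){15}[0-9a-f]{2})\b", re.I)
# "SHA256:" plus 43 base64 characters (32-byte digest, trailing "=" dropped by OpenSSH).
_SHA256_RE = re.compile(r"\b(SHA256:[A-Za-z0-9+/]{43})=?")


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint so the two formats compare reliably."""
    fp = fp.strip().rstrip(".")
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower()


def extract_fingerprint(line: str):
    """Return the fingerprint found in an ssh client message or ssh-keygen -l line, else None."""
    m = _SHA256_RE.search(line)
    if m:
        return normalize(m.group(1))
    m = _MD5_RE.search(line)
    if m:
        return normalize(m.group(1))
    return None


def is_pinned(fp) -> bool:
    """True if fp (in either format) is one of the fingerprints the page lists."""
    pinned = {normalize(p) for p in PINNED_FINGERPRINTS}
    return fp is not None and normalize(fp) in pinned


def should_trust(line: str) -> bool:
    """Decide from one line of ssh output whether the presented key is the expected one."""
    return is_pinned(extract_fingerprint(line))


def md5_fingerprint(pubkey_blob: bytes) -> str:
    """MD5 form: hex digest of the raw key blob, split into colon-separated pairs."""
    d = hashlib.md5(pubkey_blob).hexdigest()
    return ":".join(d[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(pubkey_blob: bytes) -> str:
    """SHA256 form: base64 digest of the raw key blob with "=" padding removed."""
    d = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")


def fingerprints_from_pubkey_line(line: str):
    """Both fingerprint forms for an OpenSSH public key line ("ssh-rsa AAAA... comment")."""
    blob = base64.b64decode(line.split()[1])
    return md5_fingerprint(blob), sha256_fingerprint(blob)


if __name__ == "__main__":
    for msg in (
        "RSA key fingerprint is 32:ae:2e:3a:41:1d:06:ab:00:e0:43:b7:13:ff:3f:7c.",
        "RSA key fingerprint is SHA256:I/3YpntSAgCpC/CHl/ULXA2elt4GEb+huvJtXoFEOyc.",
        "RSA key fingerprint is SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.",
    ):
        print("trusted" if should_trust(msg) else "MISMATCH", "-", msg)
```

Paste the fingerprint line from the "authenticity of host ... can't be established" or "REMOTE HOST IDENTIFICATION HAS CHANGED" message into `should_trust`; a mismatch means you should not continue the login until you have confirmed the key through another channel.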

NOTE

  • Login machines are a shared resource and are meant for login/access purposes only. We will not tolerate any resource-intensive processes such as compiling source or long-running code. These systems are meant to provide a gateway to other resources here in MCS where you can do your work.
  • /sandbox no longer exists on the logins. It has been re-tasked to be /scratch and as such will be cleaned out periodically. Currently any file that hasn't changed in 7 days will be deleted from /scratch. This new policy should help to keep the area from filling up and still provide a local disk to drop files temporarily.

How do I log in?

The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains. You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login. If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the VPN client first.

Other protocols may also be available, depending on circumstance.

How do I transfer files?

You're probably asking this question because you're used to using the old Internet protocol FTP. There are several ways to work around the fact that this protocol uses reusable clear text passwords:

  • Use SCP or SFTP to transfer files over SSH.

Authenticated FTP is not supported.

Where do I get SSH software for my computer?

This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.

Most unix and linux machines have SSH and its associated utilities installed by default. If you're running your own unix/linux machine, you should know how to get these packages.

Mac OS X machines include SSH and its associated utilities by default.

Windows clients: PuTTY, cygwin, others

What is port forwarding, and how do I set it up?

Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH). This is a good way to continue to use your familiar protocols in a secure way.
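What `ssh -L NNNN:host:port` sets up, as an added example that is not code from the wiki page or from the MCS Systems Group: a listener on a local port whose every accepted connection is relayed, byte for byte in both directions, to the target host and port. This Python version leaves out the SSH layer so it can run offline against a constructed echo service on the loopback interface; in the real thing the relay runs inside the encrypted SSH session, which is what keeps the password and the rest of the protocol off the wire. A plain relay like this one gives no such protection and only illustrates the traffic path. The class and function names are constructed for the example.

```python
import socket
import socketserver
import threading


class _EchoHandler(socketserver.BaseRequestHandler):
    """Stand-in for the remote service (constructed; think of the IMAP or FTP port on an MCS host)."""

    def handle(self):
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            self.request.sendall(data)


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _ForwardHandler(socketserver.BaseRequestHandler):
    """One accepted client on the local port: open the target and relay both directions."""

    def handle(self):
        with socket.create_connection(self.server.target) as upstream:
            back = threading.Thread(target=_pump, args=(upstream, self.request), daemon=True)
            back.start()
            _pump(self.request, upstream)
            back.join()


class LocalForwarder(socketserver.ThreadingTCPServer):
    """Listener on 127.0.0.1:local_port; connections are relayed to target = (host, port).

    This is the role of the NNNN side of "ssh -L NNNN:host:port": binding to the loopback
    address only, so other machines cannot use the forwarded port."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, local_port, target):
        super().__init__(("127.0.0.1", local_port), _ForwardHandler)
        self.target = target
        self.thread = threading.Thread(target=self.serve_forever, daemon=True)
        self.thread.start()

    def stop(self):
        self.shutdown()
        self.server_close()


def round_trip(payload: bytes) -> bytes:
    """Send payload through a forwarder to an echo server and return what comes back."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _EchoHandler)
    echo.daemon_threads = True
    threading.Thread(target=echo.serve_forever, daemon=True).start()
    fwd = LocalForwarder(0, echo.server_address)  # port 0: let the OS pick NNNN
    try:
        with socket.create_connection(fwd.server_address) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)  # we are done sending; wait for the echo
            chunks = []
            while True:
                chunk = client.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks)
    finally:
        fwd.stop()
        echo.shutdown()
        echo.server_close()


if __name__ == "__main__":
    print(round_trip(b"USER alice\r\n"))
```

The client only ever talks to 127.0.0.1:NNNN, which is why a mail or FTP program configured for the local port ends up talking to the real server on the far end.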

Using SSH Port Forwarding with X on UNIX or Mac OS X

This is easy: just use ssh -Y <hostname>. Your X display settings will be sent to the remote machine, and all X windows opened there will appear on your own display.

If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you. All you have to do is start your favorite X application on the remote end. Check to make sure you're not setting your $DISPLAY in any of your startup files. Also, never use xhost +, especially in your startup files, as it's a big security hole.
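A check for the two startup-file mistakes the paragraph above warns about, as an added example that is not code from the wiki page or from the MCS Systems Group: it scans shell startup files for a hard-coded DISPLAY (which overrides the value ssh sets for the forwarded display) and for `xhost +` (which turns off X access control for every host). Comment lines are ignored, and `xhost +somehost` is reported separately from the bare form. The list of default file names and the sample .profile contents are constructed for the example.

```python
import os
import re

# Typical shell and X startup files (an assumption; adjust for your own shell).
DEFAULT_STARTUP_FILES = [
    "~/.profile", "~/.bash_profile", "~/.bashrc", "~/.cshrc", "~/.login",
    "~/.xsession", "~/.xinitrc",
]

# Patterns are applied to the part of a line before any '#' comment.
_XHOST_PLUS = re.compile(r"(?:^|[;&|\s])xhost\s+\+(?:\s|$)")    # bare "xhost +"
_XHOST_HOST = re.compile(r"(?:^|[;&|\s])xhost\s+\+\S")           # "xhost +somehost"
_SET_DISPLAY = re.compile(r"(?:^|[;&|\s])(?:setenv\s+DISPLAY\b|(?:export\s+)?DISPLAY=)")

MESSAGES = {
    "xhost-plus": "xhost + disables X access control for every host",
    "xhost-host": "xhost +<host> grants that host full access to your display",
    "display-override": "DISPLAY is set here and will override the value ssh provides",
}


def scan_startup_file(name: str, text: str):
    """Return (name, line number, kind, line) for each risky line in one file's contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split("#", 1)[0]
        if not code.strip():
            continue  # blank or comment-only line
        if _XHOST_PLUS.search(code):
            findings.append((name, lineno, "xhost-plus", raw.rstrip()))
        elif _XHOST_HOST.search(code):
            findings.append((name, lineno, "xhost-host", raw.rstrip()))
        if _SET_DISPLAY.search(code):
            findings.append((name, lineno, "display-override", raw.rstrip()))
    return findings


def scan_files(paths=None):
    """Scan the given files (default: the usual startup files) that exist on this machine."""
    findings = []
    for p in paths or DEFAULT_STARTUP_FILES:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_startup_file(p, fh.read()))
    return findings


# Constructed sample of a .profile with both problems.
SAMPLE_PROFILE = """# constructed ~/.profile for the example
export PATH=$HOME/bin:$PATH
export DISPLAY=:0          # overrides what ssh set
xhost +                    # open display to the world
if [ -n "$SSH_CONNECTION" ]; then xhost +desk.example.org; fi
"""

if __name__ == "__main__":
    for name, lineno, kind, line in scan_startup_file("sample.profile", SAMPLE_PROFILE) + scan_files():
        print(f"{name}:{lineno}: {MESSAGES[kind]}: {line}")
```

Run it after adding a new startup file or dotfile; a clean run prints nothing. Removing a DISPLAY assignment lets ssh's own value through, and X access for a remote session comes from the forwarding itself, so no `xhost` line is needed at all.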

If you're using a Mac OS X computer, remember that X11 is not installed by default. Instructions on installing X11 on Mac can be found at The Xquartz site.

Using SSH Port Forwarding with X on Microsoft Windows

Use Cygwin. See Windows instructions. Follow the Unix instructions above after Cygwin is installed.

Windows interaction

What do I need to do to be able to interact with the ANL or MCS Windows domain?

Use the VPN.

You'll need to be added to the access list before you can use the VPN. Contact the CELS Help Desk by emailing help@cels.anl.gov; this will generate a ticket, and they will let you know when you have been added and can start using the VPN.