patch firewall KU Leuven

[mselwa]

Preparation for new central firewall setup at KU Leuven (not yet to be merged to master until almost applied)

[lexming]

I suggest to not add a new section called Additional Firewall layer as that is ambiguous and a bit confusing. Instead we can rename the previous section from Connections from Abroad to something like Location Access Restrictions; and then explain what restrictions are in place with a tabbed table per site:

• KU Leuven clusters:
  • managed laptops
  • unmanaged laptops
• UAntwerp clusters:
  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)
• UGent clusters:
  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)
• VUB clusters:
  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)

[lexming]

Suggested change

	Beginning of March 2026 an extra firewall layeter will be introdcued to connect to VSC clusters at KU Leuven:
	Beginning of March 2026 an extra firewall layer will be introduced to connect to VSC clusters at KU Leuven:

[lexming]

Maybe it is clear to follow with a list:

Suggested change

	There will be a difference between connecting from a managed Ku Leuven laptop and unmanaged laptops. KU Leuven managed laptops will use only the MFA (certificate) for connections both from Belgium and from abroad (without requesting :ref:`additional firewall login <additional_firewall>`).
	On the other (non-KU Leuven managed laptops) there are several possibilities to connect to the Ku Leuven VSC clusters:
	* Certificate only connection is possible from VSC network (other VSC clusters),
	* Certificate and firewall will be nessary for all other cases: connecting from VPN B zone, from other VSC usniversities, from other Belgian IP addresses and from abroad.
	There will be a difference between connecting from a managed KU Leuven laptop and unmanaged laptops.
	KU Leuven managed laptops
	Use MFA (certificate) for connections both from Belgium and from abroad. No need to request :ref:`additional firewall login <additional_firewall>`.
	Non-managed laptops
	There are several possibilities to connect to the KU Leuven VSC clusters:
	* Certificate only connection is possible from the VSC network (_i.e._ other VSC clusters)
	* Certificate and firewall will be necessary for all other cases: connecting from VPN B zone, from other VSC universities, from other Belgian IP addresses and from abroad

[jooghe]

I suggest to not add a new section called Additional Firewall layer as that is ambiguous and a bit confusing. Instead we can rename the previous section from Connections from Abroad to something like Location Access Restrictions; and then explain what restrictions are in place with a tabbed table per site:

• KU Leuven clusters:

  • managed laptops
  • unmanaged laptops

• UAntwerp clusters:

  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)

• UGent clusters:

  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)

• VUB clusters:

  • restrictions from abroad based on IP (copy paste existing text in Connections from Abroad)

It is indeed not an additional firewall layer, only a local change in our KU Leuven firewall setup. It moves from the node to the network, but that's not relevant to the user. Changing the "Abroad" section to 'location access restriction' looks like a good solution.