VFN VPN connection for external vendors

External vendors can connect to the VFN network via a VPN TLS tunnel. It is necessary to establish a tunnel:

  • Establish an external user account and appoint an access guarantor for the VFN;
  • Enter the guarantor's request into the ServiceDesk to create a VPN access;
  • Set up multifactor authentication for an external user using Microsoft Authenticator;
  • Install and set up a Cisco AnyConnect VPN client.
Setting up an external user account

The detailed procedure is given at https://www.vfn.cz/externista.

Is necessary fill in form F-VFN-463 "User request to set up external user access to the VFN network" including the signature of the guarantor of external access (VFN employee responsible for access and work of an external user in the VFN network) a deliver the UNSIGNED form in person to the address:

Department of Informatics and Digital Transformation - IC Dispatching (Headquarters Building A5, working days 7:00 - 16:00)
General University Hospital in Prague, U Nemocnice 499/2, 128 08 Prague 2

Guarantor's request to create a VPN access

About VPN access for an external user asks the guarantor by setting up a claim by ServiceDesk, where he must state:

  • name and surname of the external user,
  • external user account in VFN,
  • the company,
  • phone,
  • e-mail,
  • area of activity in relation to VFN,
  • which devices (modalities, servers) the external user should have access to and to what extent (IP, ports),
  • the validity period of the VPN access, if it is to be for a definite period.
Multi-factor authentication settings

You must set up multi-factor authentication for your Office 365 VFN account (@vfn) before running VPN for the first time. The required authentication method is notification from the Microsoft Authenticator mobile applicationthat you need to install on your mobile device. Please note that other methods (SMS, application code,…) do not work for VPN.

Here's how to do it:

Install Cisco AnyConnect VPN Client

Install the client:

Set up your client:

  • Description: optional
  • Server address: vpn.vfn.cz
  • Advanced Preferences…: unchanged

If you use FW / Proxy in your organization, you must enable bidirectional communication on the port TCP 443.

Start AnyConnect VPN Client Cisco

If you have already used a client, before the first start new versions, first delete all xml files in your "C: \ ProgramData \ Cisco \ AnyConnect Secure Mobility Client \ Profile".

Next, follow these steps:

  1. Double-click the Cisco AnyConnect Secure Mobility Client icon.
  2. If the client reports: "Ready to connect.", Enter:"vpn.vfn.cz ", click on "Connect".
  3. In the "Username:"Enter yours Username and in the "Password: “your password, click on "OK".
  4. On your mobile phone, confirm access in Microsoft Authenticator using the "Approve " (Authorize).
  5. Click "Accept".

It is necessary to finish the work sign out by clicking the Cisco AnyConnect Secure Mobility Client icon and clicking "Disconnect ".


Department of Informatics and Digital Transformation - IC dispatching
General University Hospital in Prague
U Nemocnice 499/2, 128 08 Prague 2
Telephone: +420 224 962 119 (on weekdays 7:00 -16: 00)
E-mail: dispecink@vfn.cz

Emergency ÚI: +420 702 083 578 (outside working hours of ÚI Dispatching)

Updated July 28, 2020

Do NOT follow this link or you will be banned from the site!