Project to consolidate VPN services is underway

ANNOUNCEMENTS

The average number of daily virtual private network (VPN) users at the University of Utah and University of Utah Health jumped from 1,000 to 2,800 in 2020 after the pandemic prompted a surge in remote work and online learning.

VPN applications create a secure, encrypted connection between a device and the U’s network when the user is off campus. By using a VPN client, members of the U community may access resources that aren’t available through the public internet, such as Windows file shares, private IP-addressed systems (10.x.x.x, 172.16.x.x) and Marriott Library article databases, e-journals and e-books.

UIT responded to the jump in VPN use by boosting the bandwidth and number of internet protocol (IP) addresses of the university’s two VPN solutions—Cisco AnyConnect and Palo Alto GlobalProtect.

This measure met the increased demand but created an inconsistent user experience, and presented a challenge around troubleshooting dual “tunneling” modes for campus and hospital users. Tunneling refers to the VPN path—when you connect to the internet with a VPN, the encrypted connection between your device and the internet surrounds your data like a tunnel.

In order to create a central, more user-friendly, and easy-to-manage VPN service, the university and U of U Health decided to partner on a project to consolidate VPN services for university use. The Cisco AnyConnect VPN client will be replaced with the Palo Alto GlobalProtect VPN client, which will impact everyone who uses a university Cisco VPN service.

“Consolidating our VPN services will allow us to streamline our security efforts and take advantage of the more robust features of the Palo Alto VPN,” said Chief Information Security Officer Corey Roach. “Security controls work best when they are unobtrusive as possible. This is an opportunity to improve security and user experience.”

User migrations from the Cisco to Palo Alto service will take place as follows:

  • Phase 1: UIT will migrate individual Cisco user accounts without elevated privilege needs
  • Phase 2: UIT will migrate users with elevated privilege needs based on implemented RADIUS server realms (e.g., uNID@department.utah.edu)

A phased approach allows UIT’s Information Security Office and Network Services time to design the IT architecture in consultation with INVITE Networks, a Salt Lake City-based telecommunications and cloud solutions vendor, and affords users the opportunity to train for a new VPN workflow. A project timeline, system requirements, training information, and additional project details will be provided to the U community as they become available.

The executive sponsors of the project are CISO Corey Roach and Chief Technology Officer Jim Livingston. An advisory committee has been meeting each week since mid-February 2021 to discuss various aspects of the network design and communication needs.

For a refresher about university VPN use, please visit this IT Knowledge Base article.

Please remember that:

  • The VPN is a limited, licensed resource that isn’t necessary to access most of the university’s online resources (e.g., UMail, UBox, CIS, Kronos, and Pulse). University-utilizing VPNs are restricted to services that aren’t available off-campus through a secure connection from your individual internet service provider.
  • Employees and students must have Duo 2FA enabled on the device they would like to use for VPN.
  • First-time VPN users are asked to use the Palo Alto client (vpn.utah.edu).
  • Streaming services (e.g., Netflix, Hulu and Twitch) accessed via VPN are blocked.