U-wide initiative to consolidate VPNs gets underway
The average number of daily virtual private network (VPN) users at the University of Utah and University of Utah Health jumped from 1,000 to 2,800 in 2020 after the pandemic prompted a surge in remote work and online learning.
VPN applications create a secure connection between a device and the U’s network when the user is off campus. By using a VPN client, members of the U community may access resources that aren’t available through the public internet, such as Windows file shares, private IP-addressed systems (10.x.x.x, 172.16.x.x), and Marriott Library article databases, e-journals, and e-books.
UIT responded to the jump in VPN use by boosting the bandwidth and number of internet protocol (IP) addresses of the university’s two VPN solutions — Cisco AnyConnect and Palo Alto GlobalProtect.
This measure met increased demand but created an inconsistent user experience and made it harder to troubleshoot the dual “tunneling” modes used by campus and hospital users. Tunneling refers to the VPN path: the encrypted connection between your device and the internet surrounds your data like a tunnel.
In order to create a central, more user-friendly, and easy-to-manage VPN service, the university and U of U Health are partnering on a project to consolidate VPN services for university use. The Cisco AnyConnect VPN client will be replaced with the Palo Alto GlobalProtect VPN client. This initiative will impact everyone who uses a university Cisco VPN service.
“Consolidating our VPN services will allow us to streamline our security efforts and take advantage of the more robust features of the Palo Alto VPN,” said Chief Information Security Officer Corey Roach. “Security controls work best when they are as unobtrusive as possible. This is an opportunity to improve security and user experience.”
User migrations will take place as follows:
- Phase 1: UIT will migrate individual Cisco user accounts without elevated privilege needs
- Phase 2: UIT will migrate users with elevated privilege needs based on implemented RADIUS server realms (e.g., uNID@department.utah.edu)
A phased approach allows UIT’s Information Security Office and Network Services time to design the IT architecture in consultation with INVITE Networks, a Salt Lake City-based telecommunications and cloud solutions vendor, and affords users the opportunity to train for a new VPN workflow. A project timeline, system requirements, training information, and additional project details will be provided to the U community as they become available.
The project’s executive sponsors are CISO Corey Roach and Chief Technology Officer Jim Livingston. An advisory committee has been meeting each week since mid-February 2021 to discuss various aspects of the network design and communication needs.
For a refresher about university VPN use, please visit this IT Knowledge Base article.
Please remember that:
- The VPN is a limited, licensed resource that isn’t necessary to access most of the university's online resources (e.g., UMail, UBox, CIS, Kronos, and Pulse). Use of university VPNs is restricted to services that aren’t available off campus through a secure connection from your individual internet service provider.
- Employees and students must have Duo 2FA enabled on the device they would like to use for VPN.
- First-time VPN users are asked to use the Palo Alto client (http://vpn.utah.edu).
- Streaming services (e.g., Netflix, Hulu, and Twitch) accessed via VPN are blocked.
Note: This announcement will be cross-posted to @theU and other communication channels.