GlobalProtect VPN Frequently Asked Questions


Why the change to GlobalProtect?

Over time, the Cisco AnyConnect VPN implementation has become overly complicated and doesn’t provide the best platform for dynamic and granular access to systems and services. UMD has a significant investment in Palo Alto firewalls, and leveraging Palo Alto’s GlobalProtect VPN solution provides improved functionality and security.

When will Cisco AnyConnect VPN be going away?

Cisco AnyConnect VPN will be turned off on Friday, October 15th.

How is GlobalProtect more secure?

GlobalProtect is more secure in a number of ways. All connections require Duo/MFA authentication. GlobalProtect users are protected from each other, which prevents malware from spreading between connected devices.

GlobalProtect sessions terminate on a Palo Alto firewall with advanced protection against spyware, malware and service exploits. Combined, these improvements help protect you and the data you’re accessing.

Is it true that access to network resources can be controlled by OpenLDAP/Grouper groups or Active Directory groups?

That’s true! DIT's GlobalProtect implementation makes significant use of Palo Alto’s User-ID feature. This allows GlobalProtect firewall rules to be created in the form of "If the connected user is in 'abc' Grouper/OpenLDAP or Active Directory group, then allow access to 'xyz' network resources."

When can I start using GlobalProtect?

The Public Beta of GlobalProtect will be announced in early July. This is the perfect time to start making GlobalProtect your primary VPN application.  

How can I install the client?

Clients are available for download on TERPware. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).

Are there Linux clients?

Yes. They are available for download on TERPware. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).

Are there clients for phones and tablets?

Yes. Clients are available for iOS and Android operating systems. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).

Is there a client for Chrome OS?

Yes. A client is available for Chrome OS.  For more information, see GlobalProtect on ChromeOS.

How do I upgrade the client?

When users connect to GlobalProtect, they will be prompted if an upgrade is available. Periodically, DIT will force the upgrade upon connection in order to bring everyone up to the current release.

How long can I stay connected to GlobalProtect?

7 days.

Do I have to log out and back in for group changes to take effect?

No! This is one of the nice features of GlobalProtect and User-ID. The GlobalProtect firewalls retrieve group membership information from Grouper/OpenLDAP and Active Directory every 15 minutes. If a user is added to or removed from a group, their access changes automatically without the need to disconnect and reconnect.

What’s the difference between the "Best Available" and "TunnelAll" Gateway?

The Best Available gateway is the default and is what should be used 99% of the time. This gateway does not tunnel Internet traffic. The TunnelAll Gateway tunnels all traffic from the connected device, even Internet traffic. This is primarily used by those traveling abroad or when accessing resources that must be seen as coming from UMD address space.

What if I run into issues or can’t get to something?

Report an issue.

What IP addresses do GlobalProtect clients have?

All GlobalProtect clients are assigned IP addresses in the 10.206.0.0/17 range.
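
For administrators who filter or review logs by this range: a /17 ends at 10.206.127.255, so matching on the prefix "10.206." is too broad. The Python sketch below is an added example, not DIT's own tooling; the "src dst dport" record format, the labels and the sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Client pool as stated in the FAQ answer above.
GP_POOL = ipaddress.ip_network("10.206.0.0/17")

# Constructed sample flow records, "src dst dport" (not real traffic).
SAMPLE_FLOWS = """\
10.206.12.7 10.50.1.20 443
10.206.127.255 10.50.1.20 22
10.206.128.1 10.50.1.20 22
10.206.3.4 10.206.90.8 445
192.0.2.10 10.50.1.20 443
not-an-ip 10.50.1.20 443
"""


def classify(line):
    """Label one flow record by its relation to the GlobalProtect pool."""
    fields = line.split()
    if len(fields) != 3:
        return "malformed"
    try:
        src = ipaddress.ip_address(fields[0])
        dst = ipaddress.ip_address(fields[1])
    except ValueError:
        return "malformed"
    if src in GP_POOL and dst in GP_POOL:
        # The FAQ states that clients are protected from each other, so a
        # pool-to-pool flow showing up in logs is worth a closer look.
        return "client-to-client"
    if src in GP_POOL:
        return "vpn-client"
    # Includes 10.206.128.0 and above, which a "10.206." prefix match
    # would wrongly treat as VPN clients.
    return "other"


def summarize(text):
    """Count labels over all non-empty lines of a log excerpt."""
    return Counter(classify(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for record in SAMPLE_FLOWS.splitlines():
        print(f"{classify(record):17} {record}")
```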

Does everyone have to log in through CAS and do Duo authentication?

Yes.

Does GlobalProtect support Windows Start Before Logon (SBL)?

It does. GlobalProtect Connect Before Logon explains how to activate this feature.

Does GlobalProtect support Apple AirDrop, Handoff, and other Continuity features?

No.

What data does GlobalProtect collect and where does it go?

The GlobalProtect client itself collects this data, but it is kept local to the device. However, this information can be used in advanced policies. For example, in the future DIT may limit access to certain resources to only devices that have anti-malware software installed or have their disks encrypted.

How do I uninstall GlobalProtect on Mac OS?

This support article provides a step-by-step guide for uninstalling GlobalProtect on Mac OS.

Why can't I download the Cisco AnyConnect VPN client from TERPware?

Cisco AnyConnect VPN has been removed from TERPware to minimize additional installations leading up to the beginning of the Fall semester and to reduce the confusion about which VPN client to install.
