Over time, the Cisco AnyConnect VPN implementation has become overly complicated and doesn’t provide the best platform for dynamic and granular access to systems and services. UMD has a significant investment in Palo Alto firewalls, and leveraging Palo Alto’s GlobalProtect VPN solution provides improved functionality and security.
Cisco AnyConnect VPN will be turned off on Friday, October 15th.
GlobalProtect is more secure in a number of ways. All connections require Duo/MFA authentication. GlobalProtect users are protected from each other, which prevents the possibility of malware spreading between connected devices.
GlobalProtect sessions terminate on a Palo Alto firewall with advanced protection against spyware, malware and service exploits. Combined, these improvements help protect you and the data you’re accessing.
That’s true! DIT has implemented GlobalProtect making significant use of Palo Alto’s User-ID feature. This allows GlobalProtect firewall rules to be created in the form of "If the connected user is in 'abc' Grouper/OpenLDAP or Active Directory group, then allow access to 'xyz' network resources."
The Public Beta of GlobalProtect will be announced in early July. This is the perfect time to start making GlobalProtect your primary VPN application.
Clients are available for download on TERPware. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).
Yes. They are available for download on TERPware. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).
Yes. Clients are available for iOS and Android operating systems. For more information, see Connect to GlobalProtect Virtual Private Network (VPN).
Yes. A client is available for Chrome OS. For more information, see GlobalProtect on ChromeOS.
When users connect to GlobalProtect, they will be prompted if an upgrade is available. Periodically, DIT will force the upgrade upon connection in order to bring everyone up to the current release.
No! This is one of the nice features of GlobalProtect and User-ID. The GlobalProtect firewalls retrieve group membership information from Grouper/OpenLDAP and Active Directory every 15 minutes. If a user is added to or removed from a group, their access changes automatically without the need to disconnect and reconnect.
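A simplified model of the group-based rule form and the 15-minute membership refresh described above, added here as an example (it is not DIT's or Palo Alto's code). The `Directory` and `Firewall` classes, the user name and the timestamps are hypothetical; in this model a removed user keeps access until the next refresh, so revocation can lag by up to 15 minutes.

```python
from dataclasses import dataclass, field

REFRESH_SECONDS = 15 * 60  # membership refresh interval stated on the page


@dataclass
class Directory:
    """Stand-in for Grouper/OpenLDAP or Active Directory (constructed data)."""
    groups: dict = field(default_factory=dict)  # group name -> set of users

    def snapshot(self):
        # Copy the memberships so later directory edits do not leak into a cache.
        return {g: frozenset(users) for g, users in self.groups.items()}


@dataclass
class Firewall:
    """Hypothetical model: rules are (group, resource) pairs, default deny."""
    directory: Directory
    rules: list
    _cache: dict = field(default_factory=dict)
    _last_refresh: float = None

    def _refresh_if_due(self, now):
        if self._last_refresh is None or now - self._last_refresh >= REFRESH_SECONDS:
            self._cache = self.directory.snapshot()
            self._last_refresh = now

    def allows(self, user, resource, now):
        # "If the connected user is in group 'abc', allow access to 'xyz'."
        self._refresh_if_due(now)
        return any(res == resource and user in self._cache.get(grp, ())
                   for grp, res in self.rules)


def revocation_timeline():
    """Access decisions (seconds since connect) around a group removal."""
    directory = Directory({"abc": {"alice"}})
    fw = Firewall(directory, [("abc", "xyz")])
    results = [fw.allows("alice", "xyz", now=0)]        # membership loaded
    directory.groups["abc"].discard("alice")            # removed from group
    results.append(fw.allows("alice", "xyz", now=60))   # cached membership
    results.append(fw.allows("alice", "xyz", now=899))  # still cached
    results.append(fw.allows("alice", "xyz", now=900))  # refreshed: denied
    return results


if __name__ == "__main__":
    print(revocation_timeline())
```

The session is never torn down in the model: only the cached membership changes, which matches the "no need to disconnect and reconnect" behaviour.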
The Best Available gateway is the default and what should be used 99% of the time. This gateway does not tunnel Internet traffic. The TunnelAll Gateway tunnels all traffic from the connected device, even Internet traffic. This is primarily used by those traveling abroad or when accessing resources that must be seen as coming from UMD address space.
All GlobalProtect clients are assigned IP addresses in the 10.206.0.0/17 range.
It does. GlobalProtect Connect Before Logon explains how to activate this feature.
The GlobalProtect client itself collects this data, but it is kept local to the device. This information can be used in advanced policies, however. For example, in the future DIT may limit access to certain resources to only devices that have anti-malware software installed or have their disks encrypted.
This support article provides a step-by-step guide for uninstalling GlobalProtect on macOS.
Cisco AnyConnect VPN has been removed from TERPware to minimize additional installations leading up to the beginning of the Fall semester and to reduce the confusion about which VPN client to install.