Downloading, Installing, and Connecting to Ivanti Remote Access VPN in Linux


NOTICE: Ivanti has rebranded the Pulse Secure client as Ivanti Secure Access on Windows, macOS, Android and iOS. They have not yet rebranded the Linux client. This article refers to both Ivanti and Pulse Secure as applicable. Other 4Help articles use Ivanti. Functionally the two clients are the same.

Introduction

Secure Sockets Layer (SSL) virtual private network (VPN) provides secure remote access from one machine to restricted/private resources across a public network. Virginia Tech's SSL VPN service, referred to as “Remote Access VPN”, is a subscription-based service that allows a user to access Virginia Tech resources remotely across the globe. This service encrypts the traffic between your machine and the VPN device. It does not provide end-to-end encryption to the other services that are accessed over the VPN.

Eligibility Requirements

Supported Platforms

See Ivanti Secure Desktop Client Supported Platforms Guide for a list of supported operating systems and web browsers.

4Help does not support Linux installations. Due to the wide variety of Linux distributions, 4Help cannot provide any support beyond these basic instructions. We do not guarantee that they will work with your particular device or client.

For security reasons, we ask users to upgrade their machines to the latest version and update them periodically to receive any patches for vulnerabilities. Network Infrastructure and Services (NI&S) is unable to support operating systems that are no longer supported by the operating system manufacturer. 

2-Factor Authentication

The Virginia Tech Remote Access VPN service requires 2-factor authentication. For more information, see Enrolling, Adding, Managing, or Removing a Duo 2FA Device.

Connection Options

Generally, a) - VT Traffic over SSL VPN is the recommended connection profile, since it provides access to all Virginia Tech resources and doesn't slow down internet traffic to services outside of Virginia Tech. For more information, see the Which Connection Profile Do I Use? section of Remote Access VPN Frequently Asked Questions.

Instructions

Download, Install, and Connect to VPN with the Pulse Secure client

Disclaimer: 4Help does not support Linux installations. Due to the wide variety of Linux distributions, 4Help cannot provide any support beyond these basic instructions. We do not guarantee that they will work with your particular device or client.

These instructions were created using Ubuntu. Instructions may differ for other distributions.

  1. Click one of the following links to download the Pulse installer appropriate for your version of Linux:
  2. Installation:
    • Note: The NSS tools (libnss3-tools on Ubuntu/Debian, nss-tools on RHEL/CentOS) and net-tools are dependency packages required to successfully install the VPN client. Use one of the following commands to install these dependencies manually:

      • Ubuntu/Debian: sudo apt-get install libnss3-tools net-tools
      • RHEL/CentOS: sudo yum install nss-tools net-tools

    • Install the VPN client using one of the following commands:

      • Ubuntu/Debian: sudo dpkg -i <package name>
      • RHEL/CentOS: sudo rpm -ivh <package name>

    • Upgrading from the old VPN client to the new VPN client is not supported. If you have an older version of the VPN client already installed, use one of the following commands to remove it prior to upgrading:

      • Ubuntu/Debian: sudo dpkg -r <package name>
      • RHEL/CentOS: sudo rpm -e <package name>

  3. Use the graphical Pulse Secure interface to create a connection.
    1. On the Dock, use the graphical search menu to search for: pulse
    2. To start Pulse, double-click Pulse Secure Client.
    3. Create the first connection. (Recommended connection profile)
      1. In the Pulse Secure window, click the plus sign (+).
      2. In the Name: text box, type: a) - VT Traffic over SSL VPN
      3. In the URL: text box, type: https://vpn.nis.vt.edu/vttraffic
      4. Click Add.
    4. Create the second connection.
      1. In the Pulse Secure window, click the plus sign (+).
      2. In the Name: text box, type: b) - All Traffic over SSL VPN
      3. In the URL: text box, type: https://vpn.nis.vt.edu/alltraffic
      4. Click Add.



  4. Use the graphical Ivanti Secure Access interface to connect.
    1. Click Connect.
    2. An authentication confirmation window will appear.  Click Ok to continue.



    3. If the Chromium Embedded Browser (CEF) is not already installed, a Pulse Secure message window about it will appear. Click OK to download and install the CEF browser.



      1. Installing CEF requires root privileges and (depending on your setup) may fail after the installer files have been downloaded. If this occurs, run the following command:

        • On Ubuntu:

              sudo /opt/pulsesecure/bin/setup_cef.sh install

        • On Fedora run the following two commands:

              sudo dnf install perl-Digest-SHA-1
              sudo /opt/pulsesecure/bin/setup_cef.sh install

          Once the CEF install completes, relaunch the Pulse Secure application.

    4. Type your credentials.
      1. In the Username text box, type your VT PID, which is the first part of your @vt.edu email address.
      2. In the Password text box, type your PID password.
      3. Click Login.



    5. When prompted, complete 2-factor authentication with your second factor. For instructions, see Authenticating with Your Second Factor.
      (If your second factor device is unavailable or broken, see Lost, Forgot, Broke, or Unavailable 2-Factor Device.)



      The screen will default to your preferred 2-factor method. If you prefer to use another method, click the Other options link. The following options are available for 2-factor authentication:

      • To use push notification:
        1. Select Duo Push from the Other options list.
          (This will send a push notification to the first push-capable device that is enrolled in your Duo account. To send the push notification to a different device, select the last item from the Other options list, Manage devices.)
        2. When the push notification appears, accept the Duo push notification.
          1. If the push notification does not appear, see Duo Mobile App Errors, Problems, and Connection Issues / Duo Push Not Received.
        3. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.
      • To use SMS text message:
        1. Select Text message passcode from the Other options list.
          (This will send an SMS to the first SMS-capable device that is enrolled in your Duo account. To send the SMS to a different device, select the last item from the Other options list, Manage devices.)
        2. You will receive an SMS text message that starts with "VT DUO: SMS passcodes:" on your primary mobile phone. Open that text message, which will contain a seven-digit passcode.
        3. In the "Passcode" text box, type in the passcode from the SMS text message.
        4. Click Verify.
        5. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.
      • To use a voice phone call:
        1. Select Phone call from the Other options list.
          (This will call the first voice-capable device that is enrolled in your Duo account. To send the phone call to a different device, select the last item from the Other options list, Manage devices.)
        2. The primary telephone number associated with your Duo account will ring. Answer the telephone.
        3. Press one of the number keys on the phone to confirm the authentication.
        4. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.
      • To use a YubiKey:
        1. The YubiKey must be previously registered with Duo as AES. U2F tokens will not work. For instructions, see Enrolling a YubiKey as AES/OTP to Use in Any Browser.
        2. Select Security key from the Other options list.
        3. When prompted to "Touch your security key" tap your YubiKey. The passcode will be automatically generated and submitted by the YubiKey for you.
        4. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.
      • To use a 6-digit numeric passcode from the Duo mobile app:
        1. Start the Duo mobile app.
        2. In the Duo mobile app, tap Show to the right of the hidden Passcode.
        3. On your computer select Duo Mobile passcode from the Other options list.
        4. In the Passcode text box, type the 6-digit numeric passcode from the Duo mobile app.
        5. Click Verify.
        6. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.
      • To use a 6-digit numeric passcode from a D-100 token or a software token:
        1. Use the D-100 token or the smartphone application to generate a 6-digit numeric code.
        2. On your computer select Duo Mobile passcode from the Other options list.
        3. In the Passcode text box, type the 6-digit D-100 numeric passcode.
        4. Click Verify.
        5. When the connection is complete, the window will automatically close, and the Ivanti icon will have a green arrow.

    6. If this is the first time connecting on your machine you will receive the following prompt: 



      If the computer is public or shared between multiple users, select "No, other people use this device" so that your VPN login information is not saved. If you are the only user of the computer, select "Yes, this is my device".

    7. When the connection is complete, Connect will change to Disconnect.



  5. When you are finished using the remote access VPN, disconnect from it by clicking Disconnect.
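
While connected, you can confirm which connection profile is actually in effect: profile a) sends only VT traffic through the tunnel, while profile b) sends all traffic through it. The following is an added example, not part of the original 4Help instructions; the tunnel interface name tun0, the function name classify_tunnel and the sample routing tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the IPv4 routing table as down / split / full tunnel.
# Assumption: the VPN client's tunnel interface is named tun0 (check `ip link`).

# classify_tunnel IFACE -- reads `ip -4 route show` output on stdin.
classify_tunnel() {
    awk -v ifc="$1" '
    {
        dev = ""; metric = 0
        for (i = 1; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev == ifc) seen = 1
        # The default route with the lowest metric is the one the kernel uses.
        if ($1 == "default" && (best == "" || metric < bestm)) {
            best = dev; bestm = metric
        }
        # Two half-default routes on the tunnel also capture all traffic.
        if (dev == ifc && ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1")) halves++
    }
    END {
        if (!seen) print "down"
        else if (best == ifc || halves == 2) print "full"
        else print "split"
    }'
}

# Constructed sample tables (documentation address ranges, not real VT routes).
SAMPLE_SPLIT='default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.0/24 dev tun0 scope link metric 1
203.0.113.0/24 dev tun0 scope link metric 1'
SAMPLE_FULL='default dev tun0 scope link metric 1
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600'

printf 'sample split table: %s\n' "$(printf '%s\n' "$SAMPLE_SPLIT" | classify_tunnel tun0)"
printf 'sample full table:  %s\n' "$(printf '%s\n' "$SAMPLE_FULL" | classify_tunnel tun0)"

# Live check on this machine, if the ip tool is present.
if command -v ip >/dev/null 2>&1; then
    printf 'this machine:       %s\n' "$(ip -4 route show | classify_tunnel tun0)"
fi
```

A result of split while you are using profile b) means traffic you expect to be tunnelled is leaving over your local network instead.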

Alternate Client for Linux: OpenConnect

Disclaimer: 4Help does not support Linux installations. Due to the wide variety of Linux distributions, 4Help cannot provide any support beyond these basic instructions. We do not guarantee that they will work with your computer.

OpenConnect CLI:

If you prefer not to use Pulse Secure, the command-line OpenConnect VPN client has been tested on Ubuntu and Linux Mint and verified working. Just like the Pulse Secure client, it still requires the use of a web browser to perform the authentication. Once you are authenticated, the browser will automatically close and leave OpenConnect running in a terminal.

A set of scripts has been created to manage the authentication and login to the VT VPN. These scripts can be used as is, or modified by the user if they so choose.

  1. Please read the below README document for the instructions on setting up and running the OpenConnect CLI scripts:

  2. After reviewing the document the scripts can be downloaded from the following link:
  3. When you connect with these scripts, you will see a browser window similar to the one in step 4 of the Pulse Secure instructions, substeps 4, 5 and 6. Refer to those steps above for how to authenticate.
  4. To disconnect from the VPN use the keystroke Ctrl-C in the terminal window that OpenConnect is running in.
