Educause Security Discussion mailing list archives
Re: The VPN question
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Wed, 29 Jun 2011 22:38:49 +0000
Hi Jay,

Wow, that's a lot of user roles! At Colorado State, we have the same set of technologies that you're talking about (a pair of Cisco ASAs and a pair of SA4000s which we're swapping out for SA4500s). We've been moving away from IPSec for remote access, encouraging everyone to go SSL (either through the web interface or using the full tunnel mode) unless they have some burning need for IPSec. I love the granularity of access control that I get with the Junipers, as well as the freedom from having to chase down installations of old client versions.

I'm surprised to hear you say that you're required to create separate roles for Pulse users. Is that something specific to the 6000 hardware? We've had the ability to mix and match for some time now, first using Network Connect and now its replacement (Pulse). We do have this capability enabled natively on some roles, though most people are actually connecting to a specific URL to enable mapping into a NetConnect/Pulse role, and that gets added to whatever other roles they get assigned based on who they are.

We've had good results with iOS devices using Pulse, including a surprisingly large number of iPads recently. In fact, at the last two conferences I've traveled to, my iPad got me through the day and my laptop never came out of its bag. We're hoping that upcoming versions of Pulse support VPN functionality for Android devices too, but support for the various flavors is more complicated both technically and contractually, I would imagine.

Hope that helps. If you have specific questions, I'd be happy to help; feel free to follow up off-list.
Steve

===================
Steven Lovaas
IT Security Manager
Colorado State University
steven.lovaas () colostate edu
970-297-3707
===================

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Jay Graham [jwg+ () pitt edu]
Sent: Wednesday, June 29, 2011 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The VPN question

Hello Folks,

Here at Pitt we are in the process of a few VPN projects. We currently have an SSL VPN (Juniper SA6000s in a redundant config) and are testing Cisco ASAs as our IPSec solution.

Background: With our SA6000s we create roles to protected resources based on LDAP groups and currently have over 300 roles. We are now implementing the Pulse Client for this so that iOS and other platforms can use it to access protected resources. With the SA6000s you need to create a "separate" Pulse role for these users. We are thinking of only creating Pulse roles for people that request them rather than just duplicating all 300 roles, believing that not all users will need all roles from the iPad (or other device). (We are not supporting Pulse for Windows or Mac OSes yet, just for mobile devices.)

The Question: What are other schools doing for mobile device VPN solutions and how are you giving users access to their roles?

Thanks in advance.

Jay Graham