Educause Security Discussion mailing list archives

Re: VPN service -- Quick Poll (split tunneling?)


From: Dave Koontz <dkoontz () MBC EDU>
Date: Tue, 13 Mar 2012 18:52:58 -0400

On Sun, Mar 11, 2012 at 11:59 PM, Valdis Kletnieks <Valdis.Kletnieks () vt edu> wrote:

> On Fri, 09 Mar 2012 19:56:02 EST, Dave Koontz said:
>
>> First disclosure, we only allow supervisor approved access to our VPN
>> for our users, and only on institutionally owned machines.  A fall back
>> for a pandemic or other emergency is in place where those rules change.
>
> OK, I'll bite - have you *tested* being able to get VPN enabled on
> user-owned machines on short notice when everybody is out sick?  If so,
> what snags did you hit, and any advice for others who are looking at
> having to do this sort of emergency rollout?
>
> (Sorry, anytime I see "rules change in an emergency", I see potential for
> screw-ups, either from people and systems that don't know that the rules
> are different, or from insufficient testing of cut-over).


Hi Valdis, sorry for my delayed response, but things have been crazy here.

To answer your question completely requires a little clarification.  When
you indicate "everybody is out sick", are you referring to IT personnel or
campus users?

SSL VPNs are extremely user friendly, and in our case only require the
entry of a username and password, and the VPN gateway.  In fact, so easy, I
am concerned about users trying to set themselves up without approval.
The login prompts are not much different than a user logging into a
Microsoft domain if you think about it; the only change is the VPN gateway
address instead of the domain.

We have the SSL VPN setup well documented, which is only a paragraph or so
long, along with screen shots.  While we have no way of doing a complete
full-fledged emergency test (nor want to, given access policies), we have
shared the documentation with very non-technical users in some of our
remote offices without any issues.

Coming back to your "everybody is out sick" question, the clarification is
key.  The question is this: can anyone in IT move users or groups of users
in AD into the proper group, and forward the instructions on how to access
the SSL VPN?  If everyone in IT is out, then I suspect you have more issues
than just VPN emergency access.

Just my two cents...  <grin>
