This site requires JavaScript to be enabled
An updated version of this article is available

GlobalProtect Remote Access VPN - Allow agent to manually choose SSL

423 views

9.0 - Updated on 02-14-2022 by Gregory Fox (gdf24)

8.0 - Updated on 10-13-2021 by Gregory Fox (gdf24)

7.0 - Updated on 05-11-2021 by Michael Giornesto (mcg12)

Article Intended For

All Penn State Faculty, Staff, Students, and affiliates that use the GlobalProtect VPN service.

NOTE:   GlobalProtect will replace Cisco’s AnyConnect as the official University VPN as of June 19, 2021. The AnyConnect VPN will no longer work as of that date. Once you have installed and enabled GlobalProtect, you should no longer use AnyConnect.

Article Body

When and Why to use SSL as a VPN transport

Generally, IPSec is able to transport data with little additional latency and provides a better user experience.  However, IPSec VPN tunnel stability is dependent on a reliable connection path between the GP user and Penn State's VPN systems.  Using SSL as transport is able to sustain more VPN path connectivity issues than IPSec can.  However, the use of SSL as a transport, even on a reliable path, is still susceptible to more latency than IPSec and is noticeable to the GlobalProtect VPN users as a slow connection.

Vendor description:

To mitigate the challenges of reliable connectivity in regions where IPSec is not permitted or to offer a fallback option to use SSL instead of IPSec, you can now specify whether to use SSL in the app configuration of your GlobalProtect portal.

When the user successfully establishes a VPN connection, on the GlobalProtect app they can verify whether the connection uses SSL or IPSec.

PSU Implementation:

This configuration option was enabled for each of the Fac/Staff-Managed, Fac/Staff-Unmanaged, Student, and Affiliate external Gateways.  No Internal Gateways were modified.

How to Use:

Open the GlobalProtect agent, click the 3-line hamburger menu, choose "Settings" then the "General" tab.  In the "VPN" section, the configuration option of "Connect with SSL Only" can be enabled or disabled (default):

When "Connect with SSL Only" is checked, SSL is the only transport that is utilized.  When unchecked, The GlobalProtect agent first attempts to utilize IPSec as the VPN transport.  If an IPSec VPN is unable to be established, the GP will automatically fall-back to use SSL as the transport.

Utilizing this feature in the GP agent takes effect on the connection following the config change.  Toggling the checkbox while already connected to a gateway has no impact on the transport protocol being used.

Verification of the VPN transport protocol is available in the Connection tab:

How to Get Help

If you have questions or experience difficulties, use any of the following methods to contact the IT Service Desk for help:


Revised by Michael Giornesto (mcg12)
Last modified 05-11-2021 01:42:26 PM