
GlobalProtect Remote Access VPN - Allow agent to manually choose SSL


9.0 - Updated on 02-14-2022 by Gregory Fox (gdf24)

8.0 - Updated on 10-13-2021 by Gregory Fox (gdf24)

7.0 - Updated on 05-11-2021 by Michael Giornesto (mcg12)


Article Intended For

All Penn State Faculty, Staff, Students, and affiliates that use the GlobalProtect VPN service.

For more information about GlobalProtect, and a list of related articles, see KB0013431, GlobalProtect Remote Access VPN - Overview.

Article Body

When and Why to use SSL as a VPN transport

Generally, IPSec transports data with little additional latency and provides a better user experience. However, IPSec VPN tunnel stability depends on a reliable connection path between the GP user and Penn State's VPN systems. SSL as a transport can tolerate more VPN path connectivity issues than IPSec can. The trade-off is that SSL, even on a reliable path, is still susceptible to more latency than IPSec, which GlobalProtect VPN users notice as a slow connection.

Vendor description:

To mitigate the challenges of reliable connectivity in regions where IPSec is not permitted or to offer a fallback option to use SSL instead of IPSec, you can now specify whether to use SSL in the app configuration of your GlobalProtect portal.

When the user successfully establishes a VPN connection, on the GlobalProtect app they can verify whether the connection uses SSL or IPSec.

PSU Implementation:

This configuration option was enabled for each of the Fac/Staff-Managed, Fac/Staff-Unmanaged, Student, and Affiliate external Gateways.  No Internal Gateways were modified.

How to Use:

Open the GlobalProtect agent, click the 3-line hamburger menu, choose "Settings", then the "General" tab. In the "VPN" section, the "Connect with SSL Only" option can be enabled or disabled (disabled is the default):

When "Connect with SSL Only" is checked, SSL is the only transport that is used. When it is unchecked, the GlobalProtect agent first attempts to use IPSec as the VPN transport. If an IPSec VPN cannot be established, the GP agent automatically falls back to SSL as the transport.

A change to this setting in the GP agent takes effect on the connection following the config change. Toggling the checkbox while already connected to a gateway has no impact on the transport protocol being used.

Verification of the VPN transport protocol is available in the Connection tab:

How to Get Help

If you have questions or experience difficulties, use any of the following methods to contact the IT Service Desk for help: