WiscVPN - Departmental VPN

WiscVPN/UW Madison VPN:

Nearly all active NetIDs currently have access to uwmadison.vpn.wisc.edu.  If you are having issues connecting to this VPN termination point using the Palo Alto Global Protect VPN client, please contact the Helpdesk.

Departmental VPN:

Departmental VPN access is controlled by the departmental Firewall/VPN/Network administrators.  They do this either by Manifest (preferred) or by their local departmental authentication system.  Please contact your departmental Firewall/VPN/Network administrator(s) for access to a Departmental VPN.
 

The external Public IP used for GlobalProtect Departmental VPN are allocated from 144.92.105.0/26 (with some grandfathered exceptions)

The End User IP assignments for Departmental VPN GlobalProtect users are assigned from 10.130.240.0/20 (with some grandfathered exceptions)

Filtering: The service allows for protection of client devices through the use of URL filtering of malware and phishing sites. The policy of what is filtered is determined and implemented through the Office of Cybersecurity.

Tunneling: The GlobalProtect VPN service tunnels ALL traffic though campus.

NOTE: The service does NOT yet support IPv6

Handy UW Madison VPN addresses:

 https://kb.wisc.edu/108255  Ways in which to get the Palo Alto Global Protect VPN client.
 https://manifest.services.wisc.edu  Control who is allowed to authenticate to the VPN termination point and/or self assign a static IP address.(If Central Campus RADIUS or AD is being used.)
 https://access.services.wisc.edu  This is a site that allows end users to self assign a static IP address per VPN group they belong to above. (If Central Campus RADIUS is being used.)
 uwmadison.vpn.wisc.edu  The main UW Madison VPN termination point.  Requires the Palo Alto Global Protect client.
 <dept_name>.vpn.wisc.edu  This is an example of a department's VPN termination point.
 

VPN Authentication Methods:

 NS = Network Services

 Authentication Method

 Preferred

Site Redundant System

Supports NetID

 Static IP Assignment

Supports Static IP Self-Assignment 

Multi-Factor Auth. - DUO Capable

User Based Firewall Rules

 Group Based Firewall Rules

 Central Campus RADIUS  Yes  Yes  Yes  Yes  Yes  Yes  Yes  Yes - In conjunction with Campus AD (Uses UUID group names)
 Central Campus AD

 No

(No MFA)

 Yes  Yes  Yes - With some NS manual intervention per user  No  No  Yes  Yes - But uses UUID group names
 Departmental AD

 No

(No MFA)

 Dept. Dependent  No  Possibly - With some NS manual intervention per user  No  No  Yes  Yes
 Departmental RADIUS

 No

(No MFA)

 Dept. Dependent  No  Possibly - Dept. Dependent  Possibly - Dept. Dependent  Possibly - Dept & DoIT IAM interaction required  Yes  No
 
 
 

If using MFA, your GlobalProtect client will look like this when MFA is enabled.

 
GlobalProtect MFA Image
 
 
 

How Do I Request a Dept. VPN?

Decide on the following:
  1. Can the "uwmadison.vpn.wisc.edu" VPN termination point meet your VPN requirements today?
    1. If it can, please use uwmadison.vpn.wisc.edu, with or without static IP assignments, today.
      1. UserID to IP mappings can be sync'd between this VPN and your Palo Alto vsys firewall.  Please create a WiscIT ticket.
    2. If not, please create a ticket with the Helpdesk, submitting answer to the following questions?
      1. I would like a Departmental VPN because ...
      2. Using the VPN Authentication Method table above, decide on which one you'd like to use and include it in the request.
        1. It is required for all new VPNs to support Multi Factor Authentication(MFA).  Central Campus uses Duo.
      3. Roughly how many users in a 24 hour time frame could connect to your Dept. VPN?
      4. Do you have the need for IPs being assigned to specific users?
        1. If so, how many?
      5. Do you already have a Palo Alto virtual firewall that you manage?
        1. If so, what is the name/vsys#?
      6. What do you want to name the VPN termination point?  (Example: <something>.vpn.wisc.edu)
 
 
 

General VPN Diagram:

General VPN Diagram


Keywordswiscvpn uwmadison uwmadison.vpn.wisc.edu dept department departmental vpn manifest access.service.wisc.edu remote virtual private network   Doc ID93628
OwnerScott B.GroupNetwork Services
Created2019-08-06 16:30:08Updated2023-03-28 14:38:24
SitesDoIT Help Desk, Network Services, Systems & Network Control Center
Feedback  1   3