WiscVPN - Overview

This document provides a general outline of the WiscVPN service, who is eligible to access it, how IP addresses are assigned, and answers to frequently asked questions.

WiscVPN description

WiscVPN

The WiscVPN (Virtual Private Network) service is a way for remote users to connect to University of Wisconsin-Madison resources when they are not connected to the Campus Network. 

The portal address (VPN termination point) for WiscVPN is uwmadison.vpn.wisc.edu.

For more information, please refer to the WiscVPN entry in the IT services catalogue.

GlobalProtect

WiscVPN is based on the Palo Alto VPN client GlobalProtect. This software allows you to create a private, encrypted connection to the WiscVPN service. 

GlobalProtect uses a portal address (uwmadison.vpn.wisc.edu) to access the WiscVPN service.

See Global Protect Accessibility and Usability Information for GlobalProtect accessibility barriers and how to get help with using the software.

Departmental VPN

Departmental VPNs exist for groups who have specific VPN requirements that are not met by WiscVPN. For instance, the College of Engineering has multiple Departmental VPNs to allow access to engineering-specific resources.

In general, portal addresses for Departmental VPNs follow the form of <department name>.vpn.wisc.edu.  

New Departmental VPN users will need to work with their network administrator to be added to the respective Manifest group.

See Departmental VPN - Overview for more information about Departmental VPNs.

How to access WiscVPN

Download and Install the GlobalProtect Client

You have multiple options for downloading the client: 

Note: You must use the GlobalProtect client when using the static WiscVPN service. You will not get a static IP address if you configure the native IPsec client for OSX or Linux. You will get a dynamic IP address, even if you log in with your "username_1".

Connect to WiscVPN

Once GlobalProtect is installed, see WiscVPN GlobalProtect - How to Install, Connect, Uninstall, and Disconnect GlobalProtect VPN for complete instructions on connecting to WiscVPN.

Note: You must use MFA Duo to access WiscVPN. After signing in with your NetID and NetID password, you will be asked to either enter the code from your Duo app or answer a Duo push notification. For more information on MFA Duo, see MFA-Duo - Frequently Asked Questions & Limitations.

WiscVPN eligibility

Groups Eligible for WiscVPN Access

  • Current UW-Madison Students
    • Students actively enrolled in for-credit programs.
  • Future Enrolled UW-Madison Students
    • Students eligible to enroll in classes. For incoming fall semester undergraduate students, this eligibility begins mid-May.
  • Current UW-Madison Employees
    • People with an active job record in the Human Resources System (paid or unpaid)
    • Active Student Employees
  • Future UW-Madison Employees
    • People with a future dated job record in the Human Resources System (paid or unpaid)
  • UW-Madison Affiliates
    • Non-UW TimeSheet Approver (POI 13)
    • Consultants (POI 14)
    • Emeritus (POI 21)
    • Volunteers (POI 22)
    • Extension POI Affiliates 
  • All Colleges/Extension Restructure POIs (as entered as a POI in HRS)
  • Special Authorizations
  • UW Medical Foundation or UW Hospital and Clinics employees

Ineligible Groups

Users will lose VPN access once they are no longer a member of any of the eligible populations listed in the section above.

For security purposes, there is no grace period to retain VPN services after a user has dropped out of an eligible population. Note that if you are a member of more than one of the above populations, you will not lose access if only one of your affiliations changes. Common reasons for losing eligibility are listed below:

Examples of groups that do not have access to WiscVPN include, but are not limited to:

  • Non-emeritus Retirees
  • Non-Madison UW students
  • Graduating students who are no longer enrolled in classes or eligible to enroll. Membership is usually lost within two weeks of the end of the student's last term.
  • Individuals who are no longer employed by the university. Membership is lost when the employee is no longer listed as a current employee in HRS.

Guest/Temporary Access

Users can request temporary VPN access from the Help Desk for up to one month. After that time, the person/contractor who needs the VPN/MFA access needs to either a) have a $0 affiliate appointment to the respective HR department, which will create a SpecAuth account, or b) be entered into the HRS system as a Person of Interest (POI). Work with your local HR department to accomplish this.

SpecAuth records are created via the Office of Human Resources (OHR). A SpecAuth record is similar to an HRS record for an end user. POIs are entered into HRS directly. Once in the HR system, they'll be eligible to use both MFA-Duo and WiscVPN automatically.

Related: Getting NetIDs for Affiliate Populations

You will need to work with the UW Contact who gave you WiscVPN access or the DoIT Helpdesk to resolve issues related to Guest access.

Temporary Access

It is common for graduating students who are still helping in labs or assisting a professor with research to lose VPN access.

If you need VPN access for less than a month, you can reach out to the DoIT Help Desk to receive temporary access. However, if you need longer term access (greater than one month), you will need to work with your local HR department to get added as a Person of Interest (POI) in HRS. Persons of Interest are eligible to use Duo and VPN for the duration of their engagement as entered into HRS. 

Static and dynamic IP addressing

Dynamic IP Addressing

WiscVPN will dynamically provide random available IP addresses to computers connecting to the network. Each time you connect, you may be assigned a different campus IP address.

When workstations are connected to the WiscVPN (uwmadison.vpn.wisc.edu) service, the client computers are not NAT translated while on campus and use addresses from the following ranges:

  • 10.130.176.0/20 (10.130.176.0-10.130.191.255)
  • 10.254.0.0/16 (10.254.0.0-10.254.255.255)

All workstations, servers, firewalls, and networking equipment on campus will see an address from 10.130.176.0/20 or 10.254.0.0/16 as the source IP address.

When workstations are connected to the GlobalProtect VPN service and accessing non-campus Internet sites, the client computer's source IP address will be translated to 144.92.38.224/27.

Static IP Addressing

For more information about static IP addresses and how to request one, see WiscVPN GlobalProtect - Static IP Addresses.

When you log into WiscVPN (uwmadison.vpn.wisc.edu) with the GlobalProtect VPN client using your "username_#" login, such as "bbadger_1", you'll be assigned your static IP after a successful authentication. Static IPs are assigned from:

  • 146.151.192.0/19 (146.151.192.0 - 146.151.223.254)

Note: You MUST use a GlobalProtect client when using the static WiscVPN service. You will not get a static IP address if you configure the native IPsec client for OSX or Linux. You will get a dynamic IP address even if you log in with your "username_1".

Who currently has access to reserve a static IP address?

  • All Current and Future Employees
  • Consultants (as entered as a POI in HRS)
  • Special Authorizations
  • Manifest groups that have requested WiscVPN services via the Manifest process in Manifest - Services

FAQ - IP Addressing

Q: How many static IPs can I reserve?

A: "4" per user NetID

Q: I don't see uwmadison.vpn.wisc.edu when I go to https://access.services.wisc.edu/IPaddress, why?

A: You most likely don't have access. All current employees of UW-Madison should have access. If you feel this is in error, please create a ticket with the Helpdesk. They'll add you to a temporary group until IAM and Network Services look at the users and figure out what population may have been missed during the authentication migration on 2/21/2021.

Q: Where can I find the list of static IPs for a group of users?

A: Today there is no way for a single user to view the static IPs of other WiscVPN users. CyberSecurity is looking into the feasibility of providing such information (last updated 3/2/2021). For now, a user will have to log in to https://access.services.wisc.edu/IPaddress to see their static IP and send it to the admins requesting it.

Q: I need to reserve a static IP for a new employee, how can I do this on their behalf?

A: Reserving a static IP for someone else is not possible after 2/21/2021. CyberSecurity is currently looking into whether to provide that ability in the near future (last updated 3/4/2021). Today, all new employees can go to https://access.services.wisc.edu/IPaddress to request their static IP address.

Q: What happens if I connect multiple times with my static WiscVPN username?

A: If you do not log out of the static WiscVPN service, any additional logins to the service will result in your workstation being assigned a dynamic IP address from the non-static WiscVPN service.
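The published ranges and the static-login behaviour above can be checked against connection records. The Python below is an added example, not part of the WiscVPN documentation or tooling; the "user=... ip=..." record format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Address ranges exactly as published on this page.
POOLS = {
    "dynamic": ["10.130.176.0/20", "10.254.0.0/16"],
    "static": ["146.151.192.0/19"],
    "internet-nat": ["144.92.38.224/27"],  # source seen by non-campus sites
}
NETS = {name: [ipaddress.ip_network(c) for c in cidrs]
        for name, cidrs in POOLS.items()}

STATIC_LOGIN = re.compile(r"_\d+$")           # "username_#" form, e.g. bbadger_1
RECORD = re.compile(r"user=(\S+)\s+ip=(\S+)")  # hypothetical record format

# Constructed sample records (not real WiscVPN log output).
SAMPLE_LOG = """\
user=bbadger ip=10.130.180.25
user=bbadger_1 ip=146.151.200.17
user=bbadger_1 ip=10.254.3.9
user=jdoe_2 ip=192.0.2.44
user=jdoe ip=not-an-ip
"""

def classify(ip):
    """Return the WiscVPN pool an address belongs to."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    for name, nets in NETS.items():
        if any(addr in net for net in nets):
            return name
    return "not-wiscvpn"

def audit(log_text):
    """Flag static logins that did not receive a static-pool address."""
    findings = []
    for line in log_text.splitlines():
        match = RECORD.search(line)
        if not match:
            continue
        user, ip = match.groups()
        pool = classify(ip)
        if STATIC_LOGIN.search(user) and pool != "static":
            # Per this page: native IPsec client or a second concurrent login.
            note = "static login without static IP"
        elif pool in ("invalid", "not-wiscvpn"):
            note = "address outside WiscVPN pools"
        else:
            note = "ok"
        findings.append((user, ip, pool, note))
    return findings
```

A "static login without static IP" finding matters wherever an access rule is keyed to a user's reserved static address, because that session arrives from the shared dynamic pool instead.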

Troubleshooting

General FAQ

Q: How do I know what IP address my workstation was assigned (e.g., maybe I forgot to log out on my work machine and I am connecting in from another computer)?

A: You may view the currently assigned IP address by clicking on the Palo Alto GlobalProtect icon in your tray, selecting "Settings" from the drop-down menu, and then clicking on the "Connection" tab and viewing "Assigned Local IP:". Or you can use one of the "what is my IP address" web sites to view the address that external networks see for your computer. Typing "what is my ip address" into a google.com search will give you that information.

Q: How does GlobalProtect handle tunneling?

A: The old WiscVPN service allowed the user to pick either off- or on-campus profiles as a way to choose between fully tunneling all VPN traffic or tunneling only traffic to UW campus resources. The new GlobalProtect VPN service tunnels ALL internet-bound traffic through campus.

Q: How does the VPN service handle traffic filtering?

A: The new service protects client devices through URL filtering of malware and phishing sites. The policy of what is filtered is determined and implemented through the Office of Cybersecurity. NO SSL decryption is enabled, so banking traffic and passwords are not decoded.

Q: Why is multi-factor authentication (MFA) being enabled on WiscVPN? (UW-Madison uses Duo for MFA.)

A: MFA-Duo provides two pieces of evidence to ensure the user is who they say they are, which in turn protects the resources they have access to.

Q: I can't log into WiscVPN. 

A1: If it is after 8/23/2021, please make sure you are MFA-Duo enrolled.

A2: If you are a guest/contractor, please reach out to your UW contact to confirm your account is still WiscVPN eligible.

A3: Please reach out to the DoIT Helpdesk; they may need to add you to the "mfa_eligibility" Manifest group.



Keywords:
VPN GlobalProtect wiscvpn paloalto palo alto static IP uwmadison.vpn.wisc.edu eligibility lose access wisc 
Doc ID:
108255
Owned by:
Scott B. in Network Services
Created:
2021-01-11
Updated:
2025-02-27
Sites:
DoIT Help Desk, Network Services