Virtual Private Network (VPN) Guide

SF State provides a secure VPN for faculty and staff to access protected on-campus resources.

 

Please note, this document pertains to the upgraded VPN service implemented August 16, 2016. If you experience issues or discover a previously available service is not accessible via VPN, please report the issue to service@sfsu.edu.

When to use VPN

SF State’s VPN has two purposes: It enables campus users to send and receive data across a public network as if their device is directly connected to the campus network, and adds two factor authentication for high security services. VPN is needed:

  1. When accessing a service restricted to use on campus networks or subnets. Examples: Departmental shares/servers, OnBase, Appworx, Windows/Office authentication, and Active Directory access
  2. When accessing services that store Level 1 data (two factor authentication required). Example: Departmental secure shares
  3. When administering servers/applications. Examples: SSH, Oracle, and server maintenance
  4. By PeopleSoft developers with privileged access

 

VPN Security Groups

Current faculty and staff are automatically included in the FACULTY-STAFF security group. For access to other groups, the SF State Virtual Private Network (VPN) Account Authorization form should be completed.

 

VPN Groups
Priority VPN Group Purpose Duo 2FA
0 n/a Deny access to all n/a
1 SYSTEMS Access to campus Systems resources Y
2 GROUP-CMS Access to Campus Management Solution resources Y
3 GROUP-CMS-TEST Access to Campus Management Solution testing resources Y
4 GROUP-ITS Access to Information Technology Services resources Y
5 GROUP-L1-LTD Access to limited high risk Level 1 data protected resources Y
6 GROUP-L1 Access to high risk Level 1 data protected resources (e.g., sec.sfsu.edu) Y
7 GROUP-AT Access to Academic Technology resources Y
8 GROUP-3rdPARTY Vendor access to campus resources N
9 FACULTY-STAFF General access to campus resources from outside the campus firewall N
10 GROUP-STUDENTS-LTD Access to class resources for BECA, Journalism, and Biology students in approved classes N
n/a NETWORKS Access to campus Network resources N

 

NOTE: A SF State ID is required to use VPN. For vendors who do not have a SF State ID, the sponsoring department should contact Human Resources for Community Member credentials before completing the SF State Virtual Private Network (VPN) Account Authorization form on the vendor's behalf. Community Member credentials must be renewed annually.

 

AnyConnect VPN for Windows

Install AnyConnect for Windows

  1. Download the AnyConnect VPN Windows Installer
  2. Double click the downloaded file to launch the installer
  3. Click Next
  4. Accept the License Agreement and click Next
  5. Click Install
  6. If required, enter Administrator credentials
  7. When the install is complete, click Finish

Run AnyConnect for Windows

  1. Launch the installed Cisco AnyConnect Secure Mobility Client application
  2. Enter vpn.sfsu.edu in the Connect box and click Connect
    AnyConnect Server Screenshot
  3. Select the lowest Group for which you have credentials from the Group pulldown (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
  4. Enter your SF State ID
  5. Enter your SF State Password
    AnyConnect Credentials Screenshot
  6. Users in groups requiring Duo Authentication, complete your Duo Authentication/Second Password
  7. Click OK

Note: When connected, the AnyConnect icon will appear in the system tray (area by the clock). To disconnect, right click the icon and select VPN Disconnect.

Windows AnyConnect Icon Screenshot

 

AnyConnect VPN for Mac

Install AnyConnect for Mac

  1. Download the AnyConnect VPN Mac Installer
  2. Double click the downloaded file to open the virtual drive
  3. Double click the included installer file, AnyConnect.pkg
  4. Click Continue
  5. Click Continue
  6. Click Agree
  7. Uncheck Web Security and Posture, then click Continue
  8. Click Install
  9. If required, enter Administrator credentials
  10. When the install is complete, click Close

Run AnyConnect for Mac

  1. Launch the installed Cisco AnyConnect Secure Mobility Client application
  2. Enter vpn.sfsu.edu in the Connect box and click Connect
    Mac Anyconnect Server Screenshot
  3. Select the lowest Group for which you have credentials from the Group pulldown (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
  4. Enter your SF State ID
  5. Enter your SF State Password
    Mac AnyConnect Login Screenshot
  6. Users in groups requiring Duo Authentication, complete your Duo Authentication/Second Password
  7. Click OK

Note: When connected, the AnyConnect icon will appear in the Apple menu bar (by the clock). To disconnect, click the icon and select Disconnect.

Mac AnyConnect Icon

 

AnyConnect VPN for iPhone/iPad

Install AnyConnect for iPhone/iPad

  1. Open the App Store app
  2. At the bottom of the App Store screen, click on Search, and type Cisco AnyConnect in the search box. When it appears in the list, tap Cisco AnyConnect
  3. Tap Get, then tap Install to download the Cisco AnyConnect app
  4. When prompted, enter your Apple ID & Password
  5. Once the application is installed, tap Open to open the application
  6. Tap OK when prompted that Cisco AnyConnect will extend the VPN capabilities of your device
  7. Tap Connections
  8. Tap Add VPN Connection...
  9. Enter a description (e.g., SF State VPN)
  10. Enter vpn.sfsu.edu as the Server Address
  11. Tap Save

Run AnyConnect for iPhone/iPad

  1. Open the AnyConnect App
  2. Toggle the AnyConnect On/Off to On
  3. Select the lowest group for which you have credentials from the GROUP menu (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
  4. Duo Authentication users: If you use the same iPhone/iPad for Duo, get your Duo credential before entering your ID and Password
  5. Enter your SF State ID
  6. Enter your SF State Password
  7. Users in groups requiring Duo Authentication, complete your Duo Authentication/Second Password
  8. Click Connect
  9. To disconnect, toggle the AnyConnect On/Off to Off

 

Run AnyConnect VPN from your Browser

Running AnyConnect from a browser is not recommended but is available for software downloads and Duo enrollment/account updates.

  1. Navigate your Web browser to https://vpn.sfsu.edu
  2. Select the lowest group for which you have credentials from the GROUP pulldown (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
  3. Enter your SF State ID
  4. Enter your SF State Password
  5. Users in groups requiring Duo Authentication, complete your Duo Authentication/Second Password
  6. Click Login
  7. Depending on your browser settings, you may see a Java warning. Allow the Java applet to run
  8. Click Run
  9. If required, enter Administrator credentials
  10. Outcomes:
    • You are connected and can see the confirmation message: You are all set to use the VPN connection
    • You are connected but the Web page says it was unsuccessful: You are all set to use the VPN connection, the message can be ignored
    • You are NOT connected and the Web page says it was unsuccessful: Complete a manual installation and connection of the client

Note: Connection status can be found by hovering over the AnyConnect icon in the system tray (Windows) or Apple menu bar (Mac).

Troubleshooting

Login

The most common cause of VPN Login issues is the selection of an incorrect security group. If you are unsure of your group, please submit a service request asking for security group verification.