Virtual Private Network (VPN) Guide

SF State provides a secure VPN for faculty and staff to access protected on-campus resources.

• When to use VPN
• VPN Security Groups
• Cisco AnyConnect Installation - Windows/Apple/iOS devices
• AnyConnect VPN for iPhone/iPad
• VPN Access Control and Authorization (VPN Management)
• Two-Factor (2FA) Authentication Guide
• Troubleshooting

Please note, this document pertains to the upgraded VPN service implemented August 16, 2016. If you experience issues or discover a previously available service is not accessible via VPN, please report the issue to service@sfsu.edu.

---

When to use VPN

SF State’s VPN has two purposes: It enables campus users to send and receive data across a public network as if their device is directly connected to the campus network, and adds two factor authentication for high security services. VPN is needed:

1. When accessing a service restricted to use on campus networks or subnets. Examples: Departmental shares/servers, OnBase, Appworx, Windows/Office authentication, and Active Directory access
2. When accessing services that store Level 1 data (two factor authentication required). Example: Departmental secure shares
3. When administering servers/applications. Examples: SSH, Oracle, and server maintenance
4. By PeopleSoft developers with privileged access

NOTE: Before VPN access is granted, completion of the Data Security and FERPA annual training is required and will be validated.

VPN Security Groups

Current faculty and staff are automatically included in the FACULTY-STAFF security group. For access to other groups, the SF State Virtual Private Network (VPN) Account Authorization form should be completed.

VPN Groups

Priority	VPN Group	Purpose	Duo 2FA
0	n/a	Deny access to all	n/a
1	SYSTEMS	Access to campus Systems resources	Y
2	GROUP-CMS	Access to Campus Management Solution resources	Y
3	GROUP-CMS-TEST	Access to Campus Management Solution testing resources	Y
4	GROUP-ITS	Access to Information Technology Services resources	Y
5	GROUP-L1-LTD	Access to limited high risk Level 1 data protected resources	Y
6	GROUP-L1	Access to high risk Level 1 data protected resources (e.g., sec.sfsu.edu)	Y
7	GROUP-AT	Access to Academic Technology resources	Y
8	GROUP-3rdPARTY	Vendor access to campus resources	N
9	FACULTY-STAFF	General access to campus resources from outside the campus firewall	N
10	GROUP-STUDENTS-LTD	Access to class resources for BECA, Journalism, and Biology students in approved classes	N
n/a	NETWORKS	Access to campus Network resources	N

NOTE: A SF State ID is required to use VPN. For vendors who do not have a SF State ID, the sponsoring department should contact Human Resources for Community Member credentials before completing the SF State Virtual Private Network (VPN) Account Authorization form on the vendor's behalf. Community Member credentials must be renewed annually.

Cisco AnyConnect Installation - Windows/Apple/iOS devices

Users on a Managed Machine

Cisco AnyConnect is a standard software installation. You will see the software in the Applications folder (Apple) or the Application Menu (Windows). The AnyConnect application automatically updates when a new version is available, when connecting to “vpn.sfsu.edu”.

Managed Windows Users

Update Using the Microsoft Software Center:

1.  Click the Start Menu 

2.  In the Application Menu, select click on the Cisco folder

3.  Run the AnyConnect application 

4.  When an update is available the update will start, wait for the update to complete

5.  Application will open when completed

6.  Verify application version by clicking the about “I” icon

Software Installation Service Request

If you are prompted for an administrator password, Create a Software Installation Service Request for your IT support team.

The URL for “Software Installation Service Request” is:
https://sfsu.service-now.com/sp?id=sc_cat_item&sys_id=f2016d06db862bc009...

Personal Computers / Users with Administrative Rights

Verify if AnyConnect is Installed / Has Updated:

1.  Go to the Application Menu or Folder to find the Cisco application

2.  If installed, run the AnyConnect application

3.  Connect to: vpn.sfsu.edu

4.  If an update is available, the update will start automatically.

5.  You will be prompted to authenticate.

6.  Application will open when completed

7.  Verify application version by clicking the about “I” icon (Windows) or the Cisco Main Menu -> About Cisco AnyConnect (Apple)

First-time Installation

Download and Install AnyConnect Secure Mobility Client

1. Navigate your web browser to https://vpn.sfsu.edu
2. Select the lowest group for which you have credentials from the GROUP pulldown 

Note: If you have access to multiple groups, selecting a higher group will result in login failure

3. Enter your SF State ID
4. Enter your SF State Password
5. Click Login
6. Users in groups requiring Two-Factor (2FA) Authentication, enter your second password.
7. You may be prompted with the Java Detection (installation using Java) step. Please wait about one minute and allow for the step to time out: 
8. Once prompted with the Download (manual installation) step, download the AnyConnect VPN installer and run it to install the client. 

Run AnyConnect Secure Mobility Client

1. Launch the installed Cisco AnyConnect Secure Mobility Client
2. Enter vpn.sfsu.edu in the Connect box and click Connect
   
3. Select the lowest Group for which you have credentials from the Group pulldown (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
4. Enter your SF State ID
5. Enter your SF State Password
   
6. Users in groups requiring Two-Factor (2FA) Authentication, enter your second password.
7. Click OK

AnyConnect VPN for iPhone/iPad

Install AnyConnect for iPhone/iPad

1. Open the App Store app
2. At the bottom of the App Store screen, click on Search, and type Cisco AnyConnect in the search box. When it appears in the list, tap Cisco AnyConnect
3. Tap Get, then tap Install to download the Cisco AnyConnect app
4. When prompted, enter your Apple ID & Password
5. Once the application is installed, tap Open to open the application
6. Tap OK when prompted that Cisco AnyConnect will extend the VPN capabilities of your device
7. Tap Connections
8. Tap Add VPN Connection...
9. Enter a description (e.g., SF State VPN)
10. Enter vpn.sfsu.edu as the Server Address
11. Tap Save

Run AnyConnect for iPhone/iPad

1. Open the AnyConnect App
2. Toggle the AnyConnect On/Off to On
3. Select the lowest group for which you have credentials from the GROUP menu (Note: If you have access to multiple groups, selecting a higher group will result in login failure)
4. Duo Authentication users: If you use the same iPhone/iPad for Duo, get your Duo credential before entering your ID and Password
5. Enter your SF State ID
6. Enter your SF State Password
7. Users in groups requiring Duo Authentication, complete your Duo Authentication/Second Password
8. Click Connect
9. To disconnect, toggle the AnyConnect On/Off to Off

Troubleshooting

Login

The most common cause of VPN Login issues is the selection of an incorrect security group. If you are unsure of your group, please submit a service request asking for security group verification.