VPN Access Control and Authorization Guide

The campus virtual private network (VPN) service provides VPN access control groups that use Active Directory (AD) security groups for group membership. Each Active Directory security group has an associated manager who is responsible for group membership. Active Directory security groups may contain nested groups. VPN access control security group membership must be actively managed by delegated AD administrators, with all changes tracked using Footprints tickets. Each VPN access control group is associated with an IP range assigned to users after successful authentication. Because users can belong to more than one group but can only log in as one group, some groups may have more access permissions than needed.


Active Directory Groups

Users must set up their SF State password before they can be added to an Active Directory security group.

How to Determine Which VPN Group a User Should Choose

Use Active Directory Users and Computers (ADUC) to determine which VPN-related Active Directory groups an individual is a member of. Compare the AD group membership to the mapping below to identify the corresponding VPN groups.

Each VPN group is associated with an Active Directory security group that may include nested groups. Individuals can be members of more than one group, but must select the lowest-numbered group they are a member of. Example: if someone is a member of groups 11.FACULTY-STAFF, 4.GROUP-ITS, and 2.GROUP-CMS, they must select 2.GROUP-CMS when they log in.

VPN Group Priority and AD Group Mapping

The campus VPN service provides the following VPN groups for access control. Some groups use Duo two-factor authentication (2FA). The groups are listed in relative priority order.

VPN Groups
Priority | VPN Group | Purpose | Managed By | AD Groups Mapped to VPN Group (includes nested groups) | Duo 2FA
0 | n/a | Deny access to all | ITS Information Security | SFS-vpn_access-denied | n/a
1 | SYSTEMS | Access to campus Systems resources | ITS Systems | SFS-vpn_systems | Yes
2 | GROUP-HR | Access to Human Resources | ITS Accounts | SFS-vpn_HR | Yes
3 | GROUP-CMS | Access to Campus Management Solution resources | ITS Accounts | SFS-vpn_CMS | Yes
 |  | Access to Information Technology Services resources | ITS Accounts | SFS-vpn_ITS; SFS-ITS-staff (auto) |
5 | GROUP-L1-LTD | Access to high risk Level 1 data protected resources | ITS Accounts | SFS-vpn_L1_limited |
6 | GROUP-L1 | Access to high risk Level 1 data protected resources (sec.sfsu.edu) | ITS Accounts | SFS-vpn_L1 |
7 | GROUP-AT | Access to Academic Technology resources | Academic Technology | SFS-vpn_AT | Yes
8 | GROUP-3rdPARTY | Vendor access to campus resources | ITS Accounts | SFS-vpn_3rdParty | No
9 | FACULTY-STAFF | General access to campus resources from outside the campus firewall | ITS Information Security | SFS-vpn_general_access; SFS-faculty (auto); SFS-staff (auto) |
10 | GROUP-STUDENTS-LTD | Access to class resources for BECA, Journalism, and Biology students in approved classes | Academic Technology | Academic Technology - Student VPN - * |
n/a | NETWORKS | Access to campus Network resources | ITS Network |  | n/a
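
The selection rule described above, applied to the mapping table, as an added example (not part of the original guide or any campus tooling). It follows nested memberships and returns the lowest-numbered match using the table's own priorities; the user names, the nested group dept-payroll-admins and the loop-* groups are constructed sample data.

```python
# Added example. Mapping rows are copied from the table above; only rows that
# list a priority, a VPN group name and an exact AD group name are included
# (the row with no priority or name, the wildcard student groups and NETWORKS
# are left out).
VPN_MAP = {
    "SFS-vpn_access-denied": (0, None),  # priority 0: deny access to all
    "SFS-vpn_systems": (1, "SYSTEMS"),
    "SFS-vpn_HR": (2, "GROUP-HR"),
    "SFS-vpn_CMS": (3, "GROUP-CMS"),
    "SFS-vpn_L1_limited": (5, "GROUP-L1-LTD"),
    "SFS-vpn_L1": (6, "GROUP-L1"),
    "SFS-vpn_AT": (7, "GROUP-AT"),
    "SFS-vpn_3rdParty": (8, "GROUP-3rdPARTY"),
    "SFS-vpn_general_access": (9, "FACULTY-STAFF"),
    "SFS-faculty": (9, "FACULTY-STAFF"),
    "SFS-staff": (9, "FACULTY-STAFF"),
}

# Constructed sample data (not real accounts): principal -> groups it is a
# direct member of. "dept-payroll-admins" is a hypothetical nested group.
MEMBER_OF = {
    "user_a": ["SFS-staff", "dept-payroll-admins", "SFS-vpn_CMS"],
    "dept-payroll-admins": ["SFS-vpn_HR"],
    "user_b": ["SFS-faculty"],
    "user_c": ["SFS-staff", "SFS-vpn_access-denied"],
    "user_d": ["loop-1"],
    "loop-1": ["loop-2"],
    "loop-2": ["loop-1"],  # circular nesting must not hang the lookup
}

def effective_groups(principal, member_of):
    """Return every group reachable from principal, following nested groups."""
    seen, stack = set(), list(member_of.get(principal, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, []))
    return seen

def vpn_group_for(principal, member_of=MEMBER_OF):
    """Return (priority, vpn_group) for the lowest-numbered match, or None.

    A result of (0, None) means the deny group matched; None means the
    principal has no VPN-related membership at all.
    """
    groups = effective_groups(principal, member_of)
    matches = [VPN_MAP[g] for g in groups if g in VPN_MAP]
    return min(matches, key=lambda m: m[0]) if matches else None
```

The same lookup answers step 2 of the request review procedure below: a non-None result means the individual already has VPN access through an existing membership.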

Responsibilities of a Delegated Administrator

Each area that manages AD security groups must identify the AD delegated administrators assigned to manage the group. AD delegated administrators are responsible for:

  • Checking for current affiliation before adding members
  • Reviewing membership monthly and removing members without a business need for access
  • Granting access to only primary 9xxxxxxxxx IDs – no secondary or shared accounts permitted
  • Advising individuals that if they lose their current affiliation they will be automatically dropped
  • Using a privileged P9xxxxxxx account to manage security groups that have access to Level 1 data

VPN Membership Request Review Procedure

  1. Determine if individual has a current affiliation – student, staff, faculty or community member – if not, advise user to obtain affiliation before request can be processed
  2. Determine if user has existing VPN access based upon employee affiliation or existing membership in a security group that provides VPN access.
  3. Review the reason to determine if VPN is necessary; request additional info
  4. If VPN is needed, the individual has a current affiliation, and does not have existing access or requires a higher level of access:
    1. Add to VPN exception spreadsheet log
    2. Log in using a privileged P9xxxxxxx account and use Active Directory Users and Computers to manage group membership (Note: Legacy groups can be managed using Gateway until they are converted to be managed by privileged P9xxxxxxx accounts)
    3. Add the user to the appropriate security group
    4. Notify user request is complete

VPN Membership Monthly Review Procedure

  • Monthly review of the users in the security group
  • Identify those with no current affiliation or whose end date has been reached
  • Notify user that they need a current affiliation and access will be revoked in 2 weeks if they do not obtain such an affiliation. VPN access is restricted to individuals with a current status*
  • Notify users that have automatic access because they are an employee that the exception will be removed