Upcoming Changes Provide Improved Performance for bSecure GlobalProtect VPN

December 3, 2020
Jenn Stringer, Associate Vice Chancellor for IT and Chief Information Officer and Dave Browne, Director of IST-Infrastructure Services and Telecommunications

Associate Vice Chancellor - IT and Chief Information Officer

One IT Colleagues,

On Monday, Dec. 21, a change will be made to the GlobalProtect software that provides the bSecure Remote Access Service to improve user performance of the VPN. The change will allow the use of a different protocol and will be transparent to the vast majority of users. When users connect to the service after the change many will experience noticeable improvements in the performance of communications using the VPN.

The change will enable IPSec tunneling in addition to SSL, which is what is currently in use. IPSec uses much less overhead and is now recommended by our vendor to be the primary communication method instead of SSL. Starting Dec. 21, the client will now be able to negotiate either protocol with the bSecure system and pick the one that works best at that time and location.

No Action Needed

When the update is made, most users will have a seamless experience. Users and support staff do not need to take any action.

Edge Cases

There are two edge cases for client issues:

  • The first issue relates to some regions of Verizon LTE wireless Internet service. During our original implementation we found that in a small number of Verizon LTE customers would connect successfully, but then not be able to reach any sites. 

  • The second is the rare case where customers create VPN tunnels within the GlobalProtect VPN tunnel. Some services (like the Microsoft encrypted network file service) also use IPSec, and there can be issues tunneling IPSec inside of another IPSec tunnel. 

We estimate 99% of our users will not run into either issue but we have already implemented a solution. To resolve these edge cases, an alternative bSecure Portal named ssl.vpn.berkeley.edu is now online, and using it instead of vpn.berkeley.edu will force GlobalProtect to use SSL only. If a user is able to connect to VPN, but unable to communicate/connect to other systems, please ask them to use this alternative portal to see if that resolves the issue.

More Info & Contact

Please read the knowledge base article on bSecure GlobalProtect: Remote Access Portals for more detailed information. If you have any questions about this updated service, please contact Sean Schluntz (sschluntz@berkeley.edu).

Regards,

Jenn Stringer, Associate Vice Chancellor for IT and Chief Information OfficerDave Browne, Director of IST-Infrastructure Services and Telecommunications

If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.

CalMessages footer - BearsCare with CA COVID NOTIFY icon

via Calmessages