Overview

The University Client VPN provides encrypted, authenticated access to the PennNet network and uses PennKey credentials with Duo Two-Step Verification. It delivers a full tunnel for client traffic, meaning that all traffic from the client (whether destined for services at Penn or off-campus) uses the VPN connection to reach its destination. 

The encrypted VPN connection provides access to protected Penn systems and services that are limited to campus IP addresses. It also allows users to create a trusted connection when using non-Penn networks, such as public Wi-Fi from hotels, airports, coffee shops, etc.

While connected to the University Client VPN service, users can access the same resources available to them when using AirPennNet. This service does not replace other VPN services used to access restricted services.

Note: To conserve resources, please only use this tool when you are away from campus and disconnect from the VPN when it's not in use.


 

How to download and install GlobalProtect

The University Client VPN operates on Palo Alto firewalls using the GlobalProtect client. The GlobalProtect client is available for the following platforms:

  • macOS
  • Windows
  • iOS
  • Android

Contact your IT Support Provider if you need assistance with installing or connecting to this service.

macOS

Downloading and installing

  1. Download GlobalProtect for Mac
  2. Open the downloaded GlobalProtect.pkg file and follow the prompts to install the GlobalProtect VPN application.
  3. On some versions of macOS, you may see a System Extension Blocked prompt. If you do, click Open Security Preferences, then click Allow to approve the "Palo Alto Networks" extension to load. 

 

Configuring the application and connecting to the VPN

  1. Once you have installed the application, click the GlobalProtect icon in the menu bar.
  2. Enter vpn.upenn.edu in the portal address field and click Connect.
  3. A browser window will open to a PennKey login screen. Enter your PennKey username and password, then click Log in.
  4. Follow the prompts for Two-Step Verification (Duo). After logging in, your device will connect to the University Client VPN service. 

Note: Two browser windows/tabs may open when you are prompted to log in. Both can be closed once successfully connected to the VPN.

Windows

Downloading and installing

  1. Download GlobalProtect:
       • GlobalProtect for Windows (64-bit)
       • GlobalProtect for Windows (32-bit)
     Note: Most Windows systems are 64-bit. If you are unsure which version to download, try the 64-bit installer first.
  2. Open the downloaded GlobalProtect64.msi file (or GlobalProtect.msi for 32-bit systems) and follow the prompts to install the GlobalProtect VPN application.

 

Configuring the application and connecting to the VPN

  1. Once you have installed the application, click the GlobalProtect icon in the taskbar.
  2. Enter vpn.upenn.edu in the portal address field and click Connect.
  3. A browser window will open to a PennKey login screen. Enter your PennKey username and password, then click Log in.
  4. Follow the prompts for Two-Step Verification (Duo). After logging in, your device will connect to the University Client VPN service. 

Note: Two browser windows/tabs may open when you are prompted to log in. Both can be closed once successfully connected to the VPN.

iOS

Downloading and installing

Search for and install the GlobalProtect app in the App Store.

 

Configuring the application and connecting to the VPN

Open the GlobalProtect app, then enter vpn.upenn.edu in the address field and tap Connect.

 

Android

Downloading and installing

Search for and install the GlobalProtect app in the Google Play Store.

 

Configuring the application and connecting to the VPN

Open the GlobalProtect app, then enter vpn.upenn.edu in the address field and tap Connect.

Linux

Please note: Linux is not an officially supported operating system at Penn. Installers are provided "as-is."

Current Linux installers, as well as installation instructions describing GUI- and CLI-based installs, can be found in the following Penn+Box folder:

GlobalProtect Linux Installers (Box link)

Additional resources:


 

University Firewall FAQ

Additional FAQs for IT providers are available here.

What is the University Firewall?

The University Firewall is an automated security tool used to filter out known malicious network traffic. Malicious network activity is designed to exploit vulnerabilities in devices connected to Penn’s network, allowing others to gain unauthorized access to, and control of, your devices and the information they hold.

The University Firewall permits Penn to quickly, consistently, and broadly defend against attacks that could result in the destruction, alteration, and disclosure of confidential University data.

How do you know what to let in, and what to keep out?

The University Firewall is maintained by a team of Penn network administrators and security specialists who ensure that the list of identifiable threats being blocked by the Firewall is kept current, based upon trends in real-time network activity around the globe, threat reporting from authoritative third-party sources, and a thorough examination of known attack vectors.

The actions of the team are guided by a governance group containing representatives from Schools and Centers across the University.

Are you blocking or censoring certain types of content?

No. The University Firewall is not designed to inspect the semantic content of any network traffic, and upholds Penn’s commitment to open expression and electronic privacy. Instead, it is focused on protecting against certain categories of functional threats (such as seizing control of your computer from a remote location) that can compromise devices connected to Penn’s network.

How will I know if the Firewall is preventing me from seeing a website?

You will receive a message in your web browser stating that the web page you are trying to view has been blocked by the University Firewall. 

If you are having trouble connecting to networked resources outside of Penn using tools other than web browsers, contact your Local Support Provider (LSP) for help in identifying the root cause of your connectivity issue.

Doesn’t my part of campus already have a firewall?

Possibly. Some Schools and Centers at Penn have deployed local firewalls designed to protect a specific group of assets within the University network. The University Firewall is configured to protect “at the border,” at a network transmission’s first point of contact with any protected portion of the entire Penn campus network. If your School or Center has also activated a local firewall, you may be receiving an additional set of protections that support your organization’s specific needs. Your Local Support Provider (LSP) can provide clarification about your particular situation.

Are my connectivity issues related to the Firewall?

It’s highly unlikely. Because the University Firewall is designed to block identified threats, your actions on the network would remain completely unaffected by the Firewall unless they would bring you into contact with a verified threat source. As always, your Local Support Provider (LSP) remains the best source of information about your particular connectivity issue when you are using the campus network.

Will the Firewall interfere with my access when I’m off-campus?

It should not. The University Firewall is designed to block incoming and outbound network traffic which has been reliably identified as a known threat, such as traffic originating from malicious hosts in remote locations or traffic from Penn hosts attempting to reach malicious off-campus hosts. The devices and hosts you use to conduct your Penn-related activities while you are away from campus are extremely unlikely to be among the sources of malicious activity that the Firewall blocks from campus.

The recommended practice of using only known, secured networks to conduct University-related activities while away from campus also helps ensure that your access to University assets remains unaffected by the Firewall.

Will the Firewall interfere with my research?

The University Firewall is constructed in alignment with, and in support of, Penn’s academic mission. Because the Firewall is not designed to inspect the semantic content of any network traffic, it does not restrict the open exchange of ideas and information.

In exceptional cases where the work of Penn researchers requires direct contact with known sources of technical threats to the campus network (e.g., computer security research), or relies upon high-performance computing that may be affected by the Firewall, a researcher can initiate a request for network arrangements outside the University Firewall. Should you need these arrangements, speak with your Local Support Provider (LSP) to learn more about how to proceed.

Will the Firewall protect me from computer viruses?

It is ill-advised to rely upon the University Firewall for comprehensive virus protection. The University Firewall is designed to block known threats that employ the campus network at the very moment their attacks are being carried out. Many computer viruses and other malware remain dormant or encrypted while they are being spread, actively attacking infected devices at a later point in time.

It is also possible to acquire computer viruses when your device operates outside the University Firewall. While the Firewall may allow Penn to identify network traffic to malicious host sites from our campus, it is by no means designed to detect or report all compromised devices.

To protect your devices against viruses, malware, and other forms of transmissible compromise, speak with your Local Support Provider (LSP) about antivirus tools and best practices.

What happens if an infected device is brought inside the Firewall?

The University Firewall is set up to block known threats from traffic to and from the Penn campus network. It is not designed to examine individual devices within the campus network and assess whether those devices have been compromised, nor is it designed to examine all traffic within the Penn campus network. If an infected device is connected to the campus network, the potential remains for that device to infect other devices on the campus network.

Although the Firewall will identify when devices connected to the campus network attempt to connect to malicious remote sites, these connection attempts may take place weeks, or even months, after those devices have been compromised. In the interim, the malware that initially compromised those devices can continue to rapidly and silently spread.

Speak with your Local Support Provider (LSP) about tools and best practices for detecting and protecting against the compromise of any device you use to conduct University-related activities.

If we have a firewall, why am I still getting junk emails?

The University Firewall is not designed to inspect the semantic content of any network traffic, and thus cannot categorize individual emails based upon their subject matter. If you feel you are receiving too much irrelevant email in your Penn email account, speak with your Local Support Provider (LSP) about available options for filtering your email content.