PittNet VPN (GlobalProtect) | Information Technology | University of Pittsburgh
!

You are here

PittNet VPN (GlobalProtect)

Quick Links: Key Benefits I Requirements I Getting Started I More Resources

The GlobalProtect VPN client provides students, faculty, and staff with the ability to connect to restricted University resources while on and off campus. The GlobalProtect client is required to connect remotely to your office computer or for accessing departmental databases and servers that reside behind network firewalls. 

The GlobalProtect client provides the additional benefit of obtaining the user’s identity to make use of directory and security policies. GlobalProtect provides users with the flexibility to connect to restricted University resources while on campus or from home.  While off campus or wireless, the service encrypts traffic between a user’s computer and the University’s network. The service provides more security to University resources to help ensure that remote computers comply with our security framework.

Key Benefits

  • Privacy protection: Use for added safety and confidentiality for public and private network connections.
  • Improved security: Assist with ensuring University network security while connected on and off campus.
  • Mobility: Securely access University resources from anywhere, on or off campus.
  • Access restricted resources: Securely access a private network and share data remotely through public networks.
  • Improved network connectivity via a virtual private network (VPN): Easily and quickly establish long-distance, secure encrypted network connections with high throughput.

Requirements

Connections through GlobalProtect require:

  1. A University of Pittsburgh student, faculty, staff, or sponsored account is required for Global Protect connections.
    Note: You must have registered a device for multifactor authentication before you can establish a secure connection. To request a sponsored account, follow these guidelines.
  2. The Global Protect client is required. The Windows, macOS, or Linux client can be obtained via the Software Download Service. An app is available the Apple App Store (iOS), the Google Play store (Android), and the and the Microsoft Store (Windows 10 mobile devices). 
  3. GlobalProtect establishes a connection from devices to the University's network by first verifying the device as a trusted device. Through such a Health Check, Global Protect reviews configuration settings on devices each time it connects. If the requirements are not met, the device's connection through GlobalProtect is denied. To pass the Health Check, devices must meet the following criteria:
  • A supported, up-to-date operating system:
    • Macintosh, Linux, Android, and iOS automatically pass the Health Check.
    • Windows 10 with Microsoft Automatic Software Update turned on, so you can receive the latest security patches.
  • A software firewall must be installed and enabled on your computer.
  • An approved antivirus solution check must be passed.
    Note: This is just a baseline check of your antivirus that the vendor manages.

Getting Started

The following information is used when connecting with GlobalProtect:

Connecting with Windows or macOS

  1. Open GlobalProtect.
  2. In the Portal address textbox type portal-palo.pitt.edu, then click Connect.
    Note: UPMC users also enter portal-palo.pitt.edu.

  3. Enter your your Pitt credentials, then click Sign In.
  4. Enter "push" to log in using multifactor authentication using your default device. You will see a connection popup.
      
    Note: You should also see a connected icon in your taskbar or menu ribbon.
  5. When finished, locate and click the GlobalProtect icon, click the three-lined icon from the right-hand side of the connection window, then click Disable.

    Note: You will be able to log to PittNet VPN (GlobalProtect) by clicking Enable.

Connecting with Linux

Configure GlobalProtect

Pitt IT recommends running GlobalProtect for Linux via the command line client rather than using the graphic user interface (GUI) client.

The vendor has tested the GlobalProtect command-line client using CentOS/RHEL and Ubuntu.  Other Linux clients may work; however, additional troubleshooting and configuration may be necessary.

Note: Linux version 5.1.1-c17 was used for examples here. Your version number may differ.

  1. If applicable, extract the master PanGPLinux-5.1.1-c17.tgz file:

    $ mkdir /tmp/foo                   # or some other scratch location
    $ tar zCxf /tmp/foo PanGPLinux-5.1.1-c17.tgz
    $ ls -1 /tmp/foo
    GlobalProtect_deb-5.1.1.0-17.deb    # CLI: debian, ubuntu, mint, etc (x86-64)
    GlobalProtect_deb_arm-5.1.1.0-17.deb # CLI: for eg debian on a raspberry pi (arm)
    GlobalProtect_rpm-5.1.1.0-17.rpm    # CLI: rhel/centos, fedora (x86-64)
    GlobalProtect_rpm_arm-5.1.1.0-17.rpm # CLI: for eg fedora on a raspberry pi (arm)
    GlobalProtect_tar-5.1.1.0-17.tgz    # CLI: unpackaged, for eg arch, manjaro, gentoo (x86-64)
    GlobalProtect_tar_arm-5.1.1.0-17.tgz # CLI: for eg arch on a raspberry pi (arm)
    GlobalProtect_UI_deb-5.1.1.0-17.deb # GUI: debian-ish (x86-64)

    GlobalProtect_UI_rpm-5.1.1.0-17.rpm # GUI: rhel-ish (x86-64)
    GlobalProtect_UI_tar-5.1.1.0-17.tgz # GUI: others (x86-64)
    manifest
    relinfo

  2. Install the appropriate package for your distribution. Prefer to use the .deb or .rpm instead of the .tgz if your system allows, so that the globalprotect installation can be manipulated by your package management tools.
    1. Use the following for Debian and derivatives like Ubuntu and Mint:

      $ cd /tmp/foo   # or wherever you put the .deb
      $ sudo dpkg -i GlobalProtect_deb-5.1.1.0-17.deb
      [sudo] password for janedoe: ************   # your password
      Selecting previously unselected package globalprotect.
      (Reading database ... 183692 files and directories currently installed.)
      Preparing to unpack GlobalProtect_deb-5.1.1.0-17.deb ...
      Start installing gp...
      Unpacking globalprotect (5.1.1-17) ... Setting up globalprotect (5.1.1-17) ... Enable gp service...
      Starting gp service... Create symlink for gp cli... Starting gpa...
      Processing triggers for man-db (2.8.7-3) ...
    2. Use the following for RHEL and clones like CentOS and Oracle Linux, as well as Fedora and derivatives:

      Note: CentOS/RHEL 8 and recent Fedora use dnf but an alias for yum commonly exists for backwards compatibility. If yum isn’t found then try 'dnf -y install GlobalProtect_rpm-5.1.1.0-17.rpm' instead.

      $ cd /tmp/foo   # or wherever you put the .rpm

      RHEL/CentOS do not set up sudo access by default while recent Fedora does.

      If sudo is not set up (please note that the target yum command is in quotes):
      $ su -c 'yum -y install GlobalProtect_rpm-5.1.1.0-17.rpm'
      Password: ***********                     # root password

      Else if sudo is set up:
      $ sudo yum -y install GlobalProtect_rpm-5.1.1.0-17.rpm
      [sudo] password for johndoe: ***********    # your password

      Sample Output:
      Last metadata expiration check: 0:08:39 ago on Thu 23 Apr 2020 06:50:40 PM EDT.
      Dependencies resolved.
      ==========================================================

      Package               Architecture    Version            Repository            Size

      ==========================================================

       

      Installing:
        globalprotect         x86_64         5.1.1-17           @commandline          11 M
      Transaction Summary

      ==========================================================
      Install 1 Package

      Total size: 11 M
      Installed size: 25 M
      Downloading Packages:
      Running transaction check
      Transaction check succeeded.
      Running transaction test
      Transaction test succeeded.
      Running transaction
        Preparing       :                                                           1/1
        Running scriptlet: globalprotect-5.1.1-17.x86_64                               1/1
      Start installing gp...
        Installing      : globalprotect-5.1.1-17.x86_64                               1/1
        Running scriptlet: globalprotect-5.1.1-17.x86_64                               1/1
      Enable gp service...
      Starting gp service...
      Create symlink for gp cli...
      Starting gpa...
      Warning: Please switch back to user johndoe before you run globalprotect.
        Verifying       : globalprotect-5.1.1-17.x86_64                               1/1
      Installed:
         globalprotect-5.1.1-17.x86_64 Complete!
    3. Use the following for generic, non-packaged installation for other distributions (Arch, Manjaro, Gentoo, etc)

      Extract the contents of GlobalProtect_tar-5.1.1.0-17.tgz somewhere:

      $ cd /tmp/foo                      # or wherever you put the .tgz
      $ mkdir bar                        # or some other scratch location
      $ tar zCxf bar GlobalProtect_tar-5.1.1.0-17.tgz
      $ cd bar

      If sudo is set up:
      $ sudo ./install.sh
      [sudo] password for janedoe: ********** # your password

      Else:
      $ su -c ./install.sh
      Password: ***********                  # root password

      Sample output:
      systemd is detected.
      Enable gp service...
      Create symlink for gp cli... Starting gp service...
      Enable gp autostart...
      Starting gpa…

Connect to GlobalProtect

Run the globalprotect command as your regular account, not as root or through sudo. During the first connection, specify the Pitt portal. The GlobalProtect client encrypts and caches connection settings under ~/.GlobalProtect, so you don’t need to specify the portal each time. The installer should also put a link to the globalprotect command in your path and a manual with basic information – man globalprotect – in an appropriate location

  1. Use the the command prompt to enter account information, portal information, and user login information:

    $ whoami                      # checks that you are not root
    janedoe
    $ globalprotect connect --portal portal-palo.pitt.edu   # Pitt portal
    Retrieving configuration...
    portal-palo.pitt.edu - Enter login credentials
    username:jdoe16         # Pitt account 
    Password:************   # Pitt password
    Discovering network...
    Choose a secondary factor from ('push1', 'push2', 'phone1', 'phone2', 'sms1', 'sms2')
    or enter passcode::****    # Enter push to select your default multifactor authentication device
    Connecting...
    Connected
    $

  2. You should now be connected. When you are done with your session, temporarily disable GlobalProtect:

    $ globalprotect disable
    Disable is successful.

  3. To reconnect to GlobalProtect:

    $ globalprotect connect 
    Retrieving configuration... 
    Discovering network...
    Choose a secondary factor from ('push1', 'push2', 'phone1', 'phone2', 'sms1', 'sms2')
    or enter passcode::**** # Enter push to select your default multifactor authentication device
    Connecting...
    Connected

Note: While portal settings and Pitt user credentials are cached, You are always prompted to use multifactor authentication to connect to GlobalProtect.

Connecting an Android Device

  1. Open the app.
  2. Enter portal-palo.pitt.edu.
    Note: UPMC users also enter portal-palo.pitt.edu.
  3. Tap Connect.
    Note: As a first-time user, you may see a pop-up message saying "Cannot Verify Server Identity." Ignore this message.
  4. Tap Continue.
  5. Enter your Pitt credentials, then tap Sign In
  6. Tap OK. Once connected, the app displays a green shield icon on a blue background.
  7. To disconnect from the VPN, tap the shield. When disconnected, the app will display a grey shield on a grey background. 
  8. To change settings or sign out, tap the menu icon in the top left. 
     

Connecting a Chromebook

  1. Open the GlobalProtect app.
  2. Enter portal-palo.pitt.edu, then click Add Connection.
    Note: UPMC users also enter portal-palo.pitt.edu.
  3. Click the status area in the bottom-right corner of the screen to pop up a menu.
  4. Select VPN Disconnected, then click the entry.
  5. Enter your Pitt Credentials, then click Connect.
  6. When you are finished accessing University resources, please end your GlobalProtect connection.

Connecting an iOS Device

  1. Open the GlobalProtect app.
  2. Tap Allow to get notifications.
  3. Enter portal-palo.pitt.edu.
    Note: UPMC users also enter portal-palo.pitt.edu.
  4. Tap Allow to add the VPN configuration to this device.
  5. Enter your Pitt credentials, then tap Sign In.
  6. Log in using multifactor authentication.
  7. You will be connected. When you are finished, tap Disconnect.

More Ways to Get the Most from GlobalProtect: