!

Secure Remote Access: Connect with IPSec (Mac)

Overview

The Secure Remote Access service is the preferred mechanism to establish virtual private network (VPN) connections to PCs, servers, databases and printers on the University network. This service (often referred to by the shorthand “SRemote”) allows client systems running the Pulse Secure application to set up a VPN session with resources in a University network zone. These sessions can be used to connect to a printer, a file share, a database or to establish a remote desktop connection to a PC or server.

The University also supports an alternative VPN service that is based on the IPSec network security protocol. This service was established to support specialized VPN needs such as clients running a Linux/Unix operating system as well as high-performance applications that require more capacity than the Secure Remote Access service can support.

The IPSec service was created to fill specific remote access needs that may have been addressed by recent changes to the Secure Remote Access service. Before attempting to set up a VPN session using IPSec, you should investigate whether suitable VPN access is available using the Pulse client.

Multifactor and Secure Remote Access 

If you use the University’s Secure Remote Access service, either through the recommended Pulse client or via the IPSec client, you will need to use multifactor authentication for your secure remote connections. This requirement affects all students, faculty, and staff who use the Secure Remote Access service.

Note that you must already have registered a device for multifactor authentication before you can complete the steps below.

Connection Requirements

You must be approved by your Responsibility Center Account Administrator to access restricted network resources using Secure Remote Access with the IPSec VPN client. Contact the Technology Help Desk at 412-624-HELP [4357] to request the service.

Prior to using the built-in IPSec VPN application, you must obtain the following:

•  membership in an IPSec access group (set up by your department’s RC Administrator).

•  a pre-shared text key (provided by your department’s IT administrator or  Responsibility Center administrator)

•  group name information (provided by your department’s IT administrator or  Responsibility Center administrator)

 Your computer must be running Mac OS 10.5 or higher.

Configure the IPSec VPN Client

1.  Click the Apple menu and select System Preferences. In the Internet and Wireless category, select Network.

 

2.  Click the plus sign option in the bottom left-hand corner to add a new network connection.

 

3.  Enter the following:

a.  Interface: VPN

b.  VPN Type: Cisco IPSec

c.  Service Name: PittNet VPN

 

4.  Click the Create button.

5.  Enter the following:

a.  Server Address:  vpn.pitt.edu

b.  Account Name:  your University Computing Account username

c.  Password: Leave this set to “Server will prompt for password”

d.  Make sure the box next to Show VPN status in menu bar is checked.

6.  Click the Authentication Settings… button.


7.  Enter the following:

a.   Shared Secret: Your department’s pre-shared text key or shared password

b.  Group Name: Your department’s group name

8.  Click the OK button.

9.  Click the check box for Show VPN status in menu bar.

 

10.  The IPSec VPN option will display in your list of network connections.

Establish a Secure Connection

1. Click the VPN icon in the menu bar. Select Connect PittNet VPN, where PittNet VPN is the name of the IPSec connection that you use.

 

2.  Enter your University Computing Account username. 

3. In the password field, you have several options to authenticate with multifactor authentication:

  • Type your password only. This will use the default multifactor authentication method you selected when registering your device. For example, if you chose to always receive a Push notification, then typing your password will automatically send a Duo Push notification to your registered device. Accept the Push notification to complete the authentication process. 
  • If you want to use the "Call Me" option for multifactor authentication, type your password followed by the word phone in this format: password,phone.  This will automatically call your registered device. Press 1 on your dialpad to authenticate.
  • If you want to authenticate with a passcode, generate a passcode within the Duo mobile app, then type your password followed by Duo passcode in this format: password,token. For example, if the passcode you generated was 123456, you would type password,123456 in the Password field.
  • If you want to be sent a passcode via text message (SMS), then type your password followed by sms in this format: password,sms. Your login attempt will fail and you will receive a six-digit passcode via text message. Retype your password followed by the passcode that you received in this format: password,123456.

4. Click the OK button.

 

5.  A VPN icon will display in your menu bar once the connection has been established.

6.  Start the application that requires a secure connection, such as a database client or Web application.

Disconnect from the Service

1.  Close any applications that are using the secure connection.

2.  Click the VPN icon in your menu bar. Select Disconnect MY VPN, where MY VPN is the service name you selected.

 

Note: You may use the Secure Remote Access Service for up to four hours at a time or may be idle up to 30 minutes before you will be automatically disconnected from the service.