Educause Security Discussion mailing list archives

Re: VPN Concentrator replacement


From: "Pardonek, Jim" <jpardonek () LUC EDU>
Date: Wed, 8 May 2019 13:11:32 +0000

We’ve had GP on PA for a few years now.  We have it on a small box, mostly because we use the host checking feature and 
the license has to be for the max number of VPN connections that the box is capable of.  When we switched from 
PulseSecure we already had in place RSA’s MFA for authentication so we didn’t see any reason to change it at the time.  
We currently have an initiative to change to Microsoft’s MFA mostly because we switched to an E5 license and MFA comes 
with it.  Once that happens, we will use either the MS Authenticator App or Gemalto tokens.

Best of Luck!

Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bandy, John
Sent: Wednesday, May 8, 2019 7:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] VPN Concentrator replacement

+1 for PA GP client.  We do have a very small number of users allowed to use the native VPN on mobile devices using an 
IPSec tunnel set up on the PA without requiring the PA mobile client.

John Bandy
Chief Information Security Officer
Technology Services

205-726-2692 | office
205-726-2692 | fax
JBandy () Samford Edu
Twitter: http://twitter.com/SamfordInfoSec
800 Lakeshore Drive
Birmingham, AL 35229




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Francisco Chavez
Sent: Tuesday, May 7, 2019 4:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] VPN Concentrator replacement

We have moved our VPN services off of the Cisco AnyConnect (ASA) over to PaloAlto Global Protect since we already had 
the hardware in place. We implemented Global Protect with SSO for authentication and use DUO for MFA when accessing 
this system. This has been well received by our community since the look and feel of logging into the PaloAlto GP 
client is just like our Client Portal. The installation for the client specifically on MacOS has been a little bit of a 
challenge for us since users tend to not read the instructions when installing the application. The users seem to 
glance over the portion that requires the enablement of an extension within System Preferences. The PaloAlto Global 
Protect client is easy to administer and is very user friendly.

Also, a note… When you speak to your rep they will most likely highlight that the mobile devices like iPad, iPhone, 
Android, etc… are an extra cost. We surveyed our VPN users and determined a small group of people use mobile devices to 
access the campus through VPN and for those we will use a smaller PAN device to reduce licensing costs.


Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu


On May 7, 2019, at 2:23 PM, Telfer, Will <Will_Telfer () BAYLOR EDU> wrote:

We moved from a Cisco appliance/Cisco AnyConnect to Palo Alto Global Protect because we already had the hardware in 
place. One of the largest advantages was that Global Protect integrated with our Duo implementation so it looked like 
all the other Duo Authentication screens, whereas the Cisco AnyConnect required users to type their second factor of 
authentication into the 2nd PW box on the login screen. We have not disabled Cisco AnyConnect yet so some users are 
still using that method, but I have switched to Global Protect & it is easy & very user friendly.

Thank You,
Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BearAware for Cybersecurity Tips on:
Twitter: @BearAware
Facebook: facebook.com/BearAware
Website: baylor.edu/BearAware


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Akey, Michael
Sent: Tuesday, May 7, 2019 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] VPN Concentrator replacement

Hello Security list,

At OSU we're looking to replace our aging Cisco ASA devices with a new VPN solution.  We wanted to know what other 
higher-ed institutions are using these days with regards to VPN for end users (not site-to-site/cloud VPN).  Our 
current solution was very over-built for how it was ultimately used and we only have about 100-300 concurrent users on 
any given day.  Any solution we go with must support Duo 2fa - though I'm seeing that nearly any VPN service is 
supported by way of a RADIUS shim or custom login pages for SSL web VPNs.

If you've recently moved to a new VPN solution and are willing to briefly share your experiences with certain 
vendors/products I would appreciate it.  If you know of a good article or existing survey of what other higher-ed 
institutions use for client VPNs I'd love that too.

Thank you,

Mike Akey
Systems Engineer, IT Infrastructure
University Information and Technology | Oregon State University
541-737-4948 | uit.oregonstate.edu

