UCSB Departmental VPN

Overview

Departmental VPN service is operated alongside the campus VPN service and provides connected clients an IP address on a UCSB departmental network. It is intended for use by departments hosting services behind a departmental firewall or ACL that restricts the usage of those services to users on the same network. Departmental VPN requires MFA, and departments can independently manage who is permitted use of their VPN.

What You Need

A UCSBNetID
A network connection (for example, dial-up, cable modem, DSL)
A UCSB-customized VPN client for your machine with an additional Connection Profile configured with:
- UCSB Remote Access Trusted
- Server name: https://ps.vpn.ucsb.edu/ra-trusted
An MFA account with UCSB’s Duo Security
Your Department must have established service on Departmental VPN
Departmental VPN Request Form

Request Information

Read installation and usage instructions. Contact ets-info@ucsb.edu for questions, troubleshooting, and support.

Departmental VPN Request Form

Network Architecture

VLAN ID number

Subnet ID/Mask

Subnet Gateway IP Address

Subnet name/identifier

Department network contact

Department contact email

VPN appliance IP addresses

Provide 2 x IP addresses on the Dept. subnet for VPN appliance/node addressing (contiguous preferred)

VPN client IP address allocation

Dept. should consider using a maskable range for easy ACLs, and to ensure adequate quantity to cover expected department’s concurrent VPN users.

Provide IP pool inside Dept. subnet

Campus VPN servers will allocate IP addresses to clients. Addresses not need to be contiguous.

Use existing DHCP server on Dept. subnet for DHCP relay.

Dept. DHCP server will allocate IP addresses to clients

IP address pool(s)

IP Address of Existing DHCP server

DNS preferences (optional)

If desired, department-specific DNS settings can be pushed to VPN clients.

Primary DNS

Secondary DNS

DNS Domain(s)

Group Tagger Managers

We will request a new Group Tagger group created for you from Identity. Your dept. needs to specify who will administer group membership - membership in the group is used for Role Mapping, which presents the Dept. network role choice to user after authentication on the VPN.

UCSBnetID (one per line)

Optional preferences

VPN Session parameters

(idle, max, reminder) if something other than default is desired. Defaults are: idle: 60 min, max session 720 min, reminder 5 min.

Dept Syslog servers