VPN Service Frequently Asked Questions

By connecting to the VPN service when you are off campus, you assure that the data you transmit will be secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to gain access to external resources from off campus (such as library resources) that are based on UCSB source addresses.

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) has created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cypher Block Chaining (CBC) in which each plaintext block is XORed with the previous cypher text block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of encryption.

Generally yes. HTTPS and SSH provides end-to-end encryption whereas the VPN server only provides encryption from your client up to the server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

The following limits exist on VPN sessions:

Idle Timeout: 60 min.
Max Session: 720 min. (12 hours)

When five minutes remain on your VPN session, you will be prompted if you would like to extend your session. If you click "Yes," your connection will stay intact and your session timer will be restarted.

Each user may have up to three concurrent VPN sessions active from various devices.

This is an indication that your VPN client is not installed correctly, or you do not have an active connection to the VPN server.  Try re-installing the client, or re-initiating your connection from the VPN client.  A last option is to reboot your computer and try re-initiating the connection from your VPN client.

As of mid-2017, our VPN customers have had positive experiences connecting to the campus VPN from networks in China, behind the Chinese government's firewall technologies.  Pulse Secure uses ESP over port 4500/UDP for VPN transport and will fall-back to SSL over 443/TCP if ESP can not be negotiated (for instance if the ISP is blocking or throttling it.)  This provides flexibility for connectivity from remote networks.

Depending on future technical methods deployed by China's government firewalls, it may not be possible to connect to the Pulse Secure VPN.  We will update this FAQ as new information is discovered.

You may receive this message after successful authentication to the Campus VPN Service if you do not have a valid affiliation in the UCSB Campus Directory.  Valid affiliations for connection to the Campus VPN service are:

  • contractor
  • employee
  • extension
  • pre-hire
  • student
  • academic-affiliate

For more information about guest affiliations, see Identity Services pages

If you are receiving this message and have a valid affiliation and valid UCSBNetID and password,  your access to the VPN and Wireless may have been blocked administratively by the NOC/SOC due to a network security issue.  Please check your email for a message related to the issue.

Your system is missing the Root or intermediate CAs.

Windows:

Internet Explorer can install these automatically to the Windows Certificate Store if you browse to https://ps.vpn.ucsb.edu/install)  If you don't wish to use Internet Explorer, you can complete this task manually.

Download the root CA and intermediates from the bottom of this page:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View...

After they are downloaded, double-click on each certificate to install them - this will open the Windows Certificate Wizard.

 

Mac OS X:

Download the root CA and intermediates from the bottom of this page:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View...

After they are downloaded, double-click on each certificate to install them into your system Keychain.

Error 2738 may be due to an earlier install of McAfee, Kaspersky or AVG AV software. This is a known issue and can usually be remedied by temporarily disabling the AV software while you install Pulse Secure. If this does not resolve the problem,  (or none of the AV software mentioned is currently installed) it is recommended to run the McAfee removal tool (or the AVG/Kaspersky removal tool), reboot your computer and then try the Pulse Secure install again. You can re-enable the AV software once you have successfully installed the VPN client software.

The McAfee removal tool can be found here: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

The AVG removal tool can be found here: http://www.avg.com/us-en/utilities  - download the 32bit or 64bit version depending on your OS type.

The Kaspersky removal tool can be found here: http://support.kaspersky.com/common/service.aspx?el=1464#block1

Yes, it is safe to follow the prompts in this message.   The VPN server can provide users an up-to-date client to Mac and Windows users automatically.  Click "Upgrade" to follow the prompts to upgrade your installed Pulse Secure VPN client (an Administrator username/password are required to complete the upgrade on Mac systems).  Any customized connection profiles you created in the Pulse Secure VPN client will be saved after the upgrade.

  1. Click the Apple menu at the top left of your desktop.

  2. Click System Preferences.

  3. Click Security & Privacy.

  4. Click the lock to the unlocked position to make changes.

  5. Click the General tab.

  6. Under Allow apps downloaded from, select App Store and identified developers

  7. Look for the following message: System software from developer "Pulse Secure LLC" was blocked from loading.

  8. Next to the message click Allow to enable the extension.

  9. Click the lock icon to the locked position to save changes.

  10. Close the Security & Privacy window.

  11. The kernel extension has been authorized and full functionality of the Pulse Desktop client should be available.

  12. Restart your computer (important!)

  13. Open the Pulse Secure client and try connecting to the VPN

Apps that are from the Apple Store are subject to review and scanned for malicious content. Apps from outside the Mac App store have not been scanned so when you install them, macOS runs a scan on it. Our installer package has been signed by a valid Developer ID. It should install properly after you follow the instructions on this page to resolve the issue: 

Apple support: Protect Your Mac from Malware

Each UCSBnetID account may have one or more "affiliations," which indicate the relationship between the account holder and UCSB. For example, a current student would have a "student" affiliation. The affiliation information is automatically updated as people join and leave the campus.

Affiliations eligible for wireless service include:

  • Academic Affiliate
  • Contractor
  • Employee
  • Extension
  • Pre-hire
  • Student

You can verify your UCSBnetID password and check your current affiliation information on the UCSBnetID Diagnostics page.

This is likely due to an outdated operating system. An OS upgrade to a supported OS is strongly recommended, but if it's not possible, the user can manually install the updated certificates themselves by downloading and installing the certificates from the tar file provided. Read more about the issue and find the links to the relevant updated certificates

Instructions on how to decompress a tar file at the Apple Support website.

To install the certificates, double-click each file. The OS should recognize them as certs and open Keychain Access. Add each one to System (instead of Login). 

For Windows 7, download the program 7zip to extract the files from the attached tar file. 

To install the certificates, double-click each file. Then follow the instructions at Microsoft.com to install the trusted root certificate using the install wizard (the link refers to Skype, but the process works regardless).

Users are permitted three (3) concurrent sessions on the Pulse Secure VPN server. When all three of those sessions are allocated, this error will occur and the user can not sign in. To address this error, we recommend the user sign out of all known VPN connections and then attempt to sign in through the Pulse Secure client again. If there are no known logged-in sessions, please contact vpn-support@ucsb.edu and we will clear your sessions.