By connecting to the VPN service when you are off campus, you assure that the data you transmit will be secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to gain access to external resources from off campus (such as library resources) that are based on UCSB source addresses.

The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) has created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cypher Block Chaining (CBC) in which each plaintext block is XORed with the previous cypher text block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of encryption.

Generally yes. HTTPS and SSH provides end-to-end encryption whereas the VPN server only provides encryption from your client up to the server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.

The following limits exist on VPN sessions:

Idle Timeout: 60 min.
Max Session: 720 min. (12 hours)

When five minutes remain on your VPN session, you will be prompted if you would like to extend your session. If you click "Yes," your connection will stay intact and your session timer will be restarted.

Each user may have up to three concurrent VPN sessions active from various devices.

The UCSB VPN Service assigns addresses from the following subnets:


This is an indication that your VPN client is not installed correctly, or you do not have an active connection to the VPN server.  Try re-installing the client, or re-initiating your connection from the VPN client.  A last option is to reboot your computer and try re-initiating the connection from your VPN client.

As of mid-2017, our VPN customers have had positive experiences connecting to the campus VPN from networks in China, behind the Chinese government's firewall technologies.  Pulse Secure uses ESP over port 4500/UDP for VPN transport and will fall-back to SSL over 443/TCP if ESP can not be negotiated (for instance if the ISP is blocking or throttling it.)  This provides flexibility for connectivity from remote networks.

Depending on future technical methods deployed by China's government firewalls, it may not be possible to connect to the Pulse Secure VPN.  We will update this FAQ as new information is discovered.

You may receive this message after successful authentication to the Campus VPN Service if you do not have a valid affiliation in the UCSB Campus Directory.  Valid affiliations for connection to the Campus VPN service are:

  • contractor
  • employee
  • extension
  • pre-hire
  • student
  • academic-affiliate

For more information about guest affiliations, see Identity Services pages

If you are receiving this message and have a valid affiliation and valid UCSBNetID and password,  your access to the VPN and Wireless may have been blocked administratively by the NOC/SOC due to a network security issue.  Please check your email for a message related to the issue.

Your system is missing the Root or intermediate CAs.


Internet Explorer can install these automatically to the Windows Certificate Store if you browse to  If you don't wish to use Internet Explorer, you can complete this task manually.

Download the root CA and intermediates from the bottom of this page:

After they are downloaded, double-click on each certificate to install them - this will open the Windows Certificate Wizard.


Mac OS X:

Download the root CA and intermediates from the bottom of this page:

After they are downloaded, double-click on each certificate to install them into your system Keychain.

Error 2738 may be due to an earlier install of McAfee, Kaspersky or AVG AV software. This is a known issue and can usually be remedied by temporarily disabling the AV software while you install Pulse Secure. If this does not resolve the problem,  (or none of the AV software mentioned is currently installed) it is recommended to run the McAfee removal tool (or the AVG/Kaspersky removal tool), reboot your computer and then try the Pulse Secure install again. You can re-enable the AV software once you have successfully installed the VPN client software.

The McAfee removal tool can be found here:

The AVG removal tool can be found here:  - download the 32bit or 64bit version depending on your OS type.

The Kaspersky removal tool can be found here:

Yes, it is safe to follow the prompts in this message.   The VPN server can provide users an up-to-date client to Mac and Windows users automatically.  Click "Upgrade" to follow the prompts to upgrade your installed Pulse Secure VPN client (an Administrator username/password are required to complete the upgrade on Mac systems).  Any customized connection profiles you created in the Pulse Secure VPN client will be saved after the upgrade.

  1. Click the Apple menu at the top left of your desktop.

  2. Click System Preferences.

  3. Click Security & Privacy.

  4. Click the lock to make changes.

  5. Click the General tab.

  6. Under Allow apps downloaded from, select App Store and identified developers

  7. Look for the following message: System software from developer "Pulse Secure LLC" was blocked from loading.

  8. Next to the message click Allow to enable the extension.

  9. Close the Security & Privacy window.

  10. The kernel extension has been authorized and full functionality of the Pulse Desktop client should be available.