Cut-Over Details
The cut-over is scheduled for this Friday, 9/18. Starting late in the evening of 9/17, customers will no longer be able to connect to the old server sds.oregonstate.edu. If they have a connection already, they will be able to stay connected until it times out (18 hours) but after that they will need to switch their server to vpn.oregonstate.edu.
Common Requests
Some customers have installed the newer AnyConnect 4.x client, but are still connecting to sds.oregonstate.edu. They just need to enter vpn.oregonstate.edu when they connect.
Some customers are still running a 3.x client or were using a built-in VPN (e.g. on Mac or Linux). For those users, they need to install the AnyConnect 4.x client and point it at vpn.oregonstate.edu. See: Guide: VPN Setup
Some customers may not have local admin rights. If they are on a CN, SMS checkout or COVID loaner, we can help them. If their computer is managed by another distributed IT team, we will need to refer them to that other team.
For VPN disconnects, see: VPN – Resolve Frequent Disconnects
Note that customers need to Duo auth every time they connect to the VPN. The option to select split or full tunnel is in a window that hides behind the login screen.
If customers are having trouble or are not eligible to use the new VPN, remember that we have several VPN alternatives documented.
Notifications
Customers who are still using the old server have been notified via email in June, July, and August that they need to move to the new server. A final reminder email is going out to individuals on 9/17. The project team also notified ITCC and IT Pros, and an additional reminder went to IT Pros on 9/16.
Information about the new VPN and why we are changing is on the landing page: https://is.oregonstate.edu/vpn
There were over 4,000 users on the old VPN as of June. That number has fallen to just under 1,300 as of 9/14. Most VPN users have managed to move to the new server without assistance, so I do not expect them all to call us on Friday. We are still monitoring usage this week, and if it looks like we might get a lot of calls, I will add additional resources to our phone queue for Friday.
VPN Eligibility, Exceptions, Temporary Extensions, and Temp Access to the Old Server
VPN eligibility on the new server has changed over the past few months, and I apologize for the confusion. At this time, all current students, employees, associates and sponsored account holders have VPN access automatically. Look for the groups “vpnFullTunnel” and “vpnSplitTunnel” in RefTool. (See VPN – Who is Eligible for VPN Access?)
VPN Exception:
If a customer is an external person (does not have an ONID account), they need an exception in order to use the VPN. An IT Pro needs to fill out the request (we can do this for CN-supported departments), a current OSU employee needs to sponsor the request, and the request needs to be reviewed by the Office of Information Security. If OIS approves it, Service Desk adds the user to a group that grants them access.
External users will need to use a delegated account in ONID AD. We can create the account, set the password, and help the external person change it via MyCN (it’s not an ONID account, so they can’t use ONID to reset password, fyi). These requests will mostly be for vendors and contractors who need remote access to support systems on our network.
See: VPN Exception Process for non-ONID User (Internal)
Extend Access to VPN for ONID User:
If a customer has an ONID account but is not “current” – for example, a student who hasn’t been registered for a while, or an employee who is between jobs at OSU – another OSU employee who is current can sponsor them for a temporary VPN extension, up to 90 days. These requests do not need to go to the Office of Information Security, but we do need a sponsor to vouch for the person, and we need to collect a business reason for the request. I expect these requests to be rare, and we should always ask why they need VPN and explore alternatives before suggesting this option.
See: Extend Access for Non-Current ONID User (Internal)
Temp Access to Old VPN Server:
Finally, if someone has an urgent, mission-critical reason to connect to the old VPN server, we can grant them temporary access. This probably shouldn’t happen at all. And if it does, please notify me! The old server will be around for a little while just in case it is needed for some very urgent reason, but it will be shut down completely soon.
See: VPN – Temporarily Allow a User on SDS.oregonstate.edu (Internal)
Questions?
I think that is everything you need to know about VPN! Questions? Please ask. I’m… here all week.
