Hi
Final reminder: all users of the campus VPN service must switch to the new
VPN service described below prior to tomorrow, Wednesday, August 12th. This
announcement is also available on the web at the following URL.
http://inews.berkeley.edu/articles/Jul2009/VPN
Erik
On Mon, Jul 13, 2009 at 02:33:53PM -0700, Erik Klavon wrote:
> Beginning July 13th a new Campus VPN service is available. All users
> of the current VPN service will need to switch to the new service. The
> current Campus VPN service will be disabled on August 12th. To use the
> new Campus VPN service, users must remove the old
> VPN client and install the new AnyConnect VPN client. System
> administrators may need to adjust firewall rules to permit traffic
> from the new VPN address pools 136.152.208.0/23 (full tunnel) and
> 10.136.0.0/23 (split tunnel). Information on the new service may be
> found at http://net.berkeley.edu/vpn/. Instructions for installing the
> new client may be found at https://kb.berkeley.edu/kb2665.
>
> - Why do we need a new VPN service? -
>
> The current VPN software client is no longer under active development
> by the vendor and security patch service for the client will end in
> the near future. The vendor will no longer support the current VPN
> hardware within a year. Under minimum security standards, we may not
> operate equipment and software without support for security fixes. The
> current VPN client software does not support 64 bit versions of
> Windows Vista.
>
> - Switching to the new VPN service -
>
> General information about the new VPN service is available at the
> following URL.
>
> http://net.berkeley.edu/vpn/
>
> Instructions for installing the new client may be found at the
> following URL.
>
> https://kb.berkeley.edu/kb2665
>
> Host based security software may need to be adjusted for the new VPN
> software client. For example, the campus distributed Symantec Client
> Security software must be configured to trust the Campus VPN
> concentrator; instructions for making this adjustment may be found at
> the above URL.
>
> The new service uses new IP address blocks for VPN client
> addresses, with separate blocks for full and split tunnels. The new
> blocks follow.
>
> full tunnel: 136.152.208.0/23
> split tunnel: 10.136.0.0/23
>
> Note that the split tunnel uses RFC 1918 address space, which is
> routed on campus. For more information on our use of RFC 1918 address
> space on campus see the following document.
>
> http://www.net.berkeley.edu/netinfo/ip/rfc1918.shtml
>
> Since traffic sent via the split tunnel does not leave campus, we do
> not need to use globally routable IPv4 address space for split tunnel
> clients. We are making this change to help conserve our allocation of
> globally routable IPv4 address space.
>
> - New features -
>
> Windows Vista running on 64 bit computers is supported by the new VPN
> client software.
>
> VPN connections made via the new VPN client software will use the SSL
> protocol to carry tunneled traffic back to campus. Since this is the
> same protocol used to securely access web sites, VPN connections made
> using SSL are more likely to work with networks that limit the
> protocols they carry. (The old client software uses the IPsec
> protocol, and we've received some reports of problems of this nature.)
>
> Experimental IPv6 support is available with the new service. You will
> be able to use the new Campus VPN to obtain IPv6 connectivity even
> when your local network (on campus or off) does not support
> IPv6. Until the vendor resolves an issue we identified during our
> testing, IPv6 is an optional feature. You may elect to use IPv6 by
> selecting a group with IPv6 support.
>
> - Shutting down the old service -
>
> This coming Wednesday morning, we will configure a message displayed
> after authentication on the old service informing users that they need
> to switch to the new service by August 12th. This message will include
> the same URLs included above.
>
> We will disable the old service on August 12th. Users will be able to
> connect to the old service, but the service will not pass any
> traffic. Users will continue to see a message about the new
> service. We will operate the old service in this configuration until
> September 1st, or until the number of unique users connecting to the
> old service is insignificant.
>
> - Acknowledgements -
>
> Thanks to Siegrid Rickenbach who handled hardware and network
> configuration, support and documentation, Thomas Beale who handled
> hardware install, Karl Grose and Allison Henry who handled client
> configuration, support and documentation. Thanks also to the folks in
> DOCS and Client Services who helped with client support and testing.
>
> Thanks also go to EECS, the School of Law, RSSP and especially the
> Library for their help with this transition.
>
> Many thanks to the 65 folks who responded to my call on this list for
> help testing new VPN hardware and software during our evaluation
> period and pre production testing.
>
> - Getting Support -
>
> For help with the new VPN service, please contact the service desk
> using the information at the following URL.
>
> http://ist.berkeley.edu/support/service-desk
>
> Thanks
>
> Erik
> for the vpn update team
>
>
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about MAGNet, including how to subscribe to or unsubscribe from its mailing list, please visit the MAGNet Web site:
>
> http://magnet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Received on Tue Aug 11 2009 - 15:18:03 PDT