By connecting to the VPN service when you are off campus, you assure that the data you transmit will be secure between your host and the UCSB core network. Once it arrives on campus, it is decrypted and sent in the clear. Furthermore, it allows you to gain access to resources that are restricted based on source address. While you are connected to the VPN server, you appear to other hosts at UCSB as if you were on the UCSB network. This also allows you to gain access to external resources from off campus (such as library resources) that are based on UCSB source addresses.
The UCSB VPN service uses AES (Advanced Encryption Standard) with a key length of 256 bits. The National Institute of Standards and Technology (NIST) has created AES, which is a new Federal Information Processing Standard (FIPS) publication that describes an encryption method. AES is a privacy transform for IPSec and Internet Key Exchange (IKE) and has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. It also uses a technique called Cypher Block Chaining (CBC) in which each plaintext block is XORed with the previous cypher text block before encryption. This makes dictionary-style attacks very difficult and increases the overall effectiveness of encryption.
Should I also use HTTPS, SSH and other "high layer" encrypted services even if I am using the VPN tunnel?
Generally yes. HTTPS and SSH provides end-to-end encryption whereas the VPN server only provides encryption from your client up to the server hardware itself, which is located on the UCSB core network. Once the traffic is on the UCSB core network, it is decrypted and sent to the UCSB host in the clear.
The following limits exist on VPN sessions:
Idle Timeout: 60 min.
Max Session: 720 min. (12 hours)
When five minutes remain on your VPN session, you will be prompted if you would like to extend your session. If you click "Yes," your connection will stay intact and your session timer will be restarted.
Each user may have up to three concurrent VPN sessions active from various devices.
The UCSB VPN Service assigns addresses from the following subnets:
This is an indication that your VPN client is not installed correctly, or you do not have an active connection to the VPN server. Try re-installing the client, or re-initiating your connection from the VPN client. A last option is to reboot your computer and try re-initiating the connection from your VPN client.
As of mid-2017, our VPN customers have had positive experiences connecting to the campus VPN from networks in China, behind the Chinese government's firewall technologies. Ivanti Secure Access uses ESP over port 4500/UDP for VPN transport and will fall-back to SSL over 443/TCP if ESP can not be negotiated (for instance if the ISP is blocking or throttling it.) This provides flexibility for connectivity from remote networks.
Depending on future technical methods deployed by China's government firewalls, it may not be possible to connect to the Ivanti Secure Access VPN. We will update this FAQ as new information is discovered.
Why am I receiving error 1329: "You are not allowed to sign in, please contact network administrator"?
You may receive this message after successful authentication to the Campus VPN Service if you do not have a valid affiliation in the UCSB Campus Directory. Valid affiliations for connection to the Campus VPN service are:
For more information about guest affiliations, see Identity Services pages
If you are receiving this message and have a valid affiliation and valid UCSBNetID and password, your access to the VPN and Wireless may have been blocked administratively by the NOC/SOC due to a network security issue. Please check your email for a message related to the issue.
Each UCSBnetID account may have one or more "affiliations," which indicate the relationship between the account holder and UCSB. For example, a current student would have a "student" affiliation. The affiliation information is automatically updated as people join and leave the campus.
Affiliations eligible for VPN service include:
- Academic Affiliate
You can verify your UCSBnetID password and check your current affiliation information on the UCSBnetID Diagnostics page.
As of August 2, 2021, Duo multi-factor authentication is required to sign in to the campus VPN (Ivanti Secure Access). Once you have signed in with your UCSB NetID credentials and they have successfully authenticated, you will be prompted to enter which device you want to use for MFA for this connection. You have a few options:
- Type 'push' in the designated field to get a push notification via the Duo mobile application on your smartphone. Approve the Duo request on your smartphone and your VPN session will begin.
- Type 'sms' to receive a new set codes via an SMS message on your phone. At this point, the login will fail. You will need to re-enter your credentials and input the fresh SMS passcode in the designated field (see below). SMS passcodes are good for one hour from the time you receive them.
- Enter the passcode from your Duo mobile app, SMS passcode, or hard token.
For more information about Duo usage with Ivanti Secure Access VPN, see: https://guide.duo.com/pulse
For help enrolling your device with UCSB Duo, see: https://www.it.ucsb.edu/mfa
You can find more about the distinctions in Duo device setups here: https://www.it.ucsb.edu/getting-started-mfa-duo/which-devices-should-i-enroll-mfa-duo.
You have a short period of time after entering this information to approve the Duo push notification or enter your code. After you approve the Duo push or enter your code, it should take less than ten seconds for your VPN connection to complete.
Your system is missing the Root or intermediate CAs.
Internet Explorer can install these automatically to the Windows Certificate Store if you browse to https://ps.vpn.ucsb.edu/install) If you don't wish to use Internet Explorer, you can complete this task manually.
Download the root CA and intermediates from the bottom of this page:
After they are downloaded, double-click on each certificate to install them - this will open the Windows Certificate Wizard.
Mac OS X:
Download the root CA and intermediates from the bottom of this page:
After they are downloaded, double-click on each certificate to install them into your system Keychain.
Error 2738 may be due to an earlier install of McAfee, Kaspersky or AVG AV software. This is a known issue and can usually be remedied by temporarily disabling the AV software while you install Ivanti Secure Access. If this does not resolve the problem, (or none of the AV software mentioned is currently installed) it is recommended to run the McAfee removal tool (or the AVG/Kaspersky removal tool), reboot your computer and then try the Ivanti Secure Access install again. You can re-enable the AV software once you have successfully installed the VPN client software.
The McAfee removal tool can be found here: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
The AVG removal tool can be found here: http://www.avg.com/us-en/utilities - download the 32bit or 64bit version depending on your OS type.
The Kaspersky removal tool can be found here: http://support.kaspersky.com/common/service.aspx?el=1464#block1
My VPN client presents a "Software Upgrade for: UCSB Remote Access" window after connecting. Is it safe to install this?
Yes, it is safe to follow the prompts in this message. The VPN server can provide users an up-to-date client to Mac and Windows users automatically. Click "Upgrade" to follow the prompts to upgrade your installed Ivanti Secure Access VPN client (an Administrator username/password are required to complete the upgrade on Mac systems). Any customized connection profiles you created in the Ivanti Secure Access VPN client will be saved after the upgrade.
Click the Apple menu at the top left of your desktop.
Click System Preferences.
Click Security & Privacy.
Click the lock to the unlocked position to make changes.
Click the General tab.
Under Allow apps downloaded from, select App Store and identified developers
Look for the following message: System software from developer "Pulse Secure LLC" was blocked from loading.
Next to the message click Allow to enable the extension.
Click the lock icon to the locked position to save changes.
Close the Security & Privacy window.
The kernel extension has been authorized and full functionality of the Ivanti Secure Access Desktop client should be available.
Restart your computer (important!)
Open the Ivanti Secure Access client and try connecting to the VPN
On my Mac, when launching the custom installer package, it reports that it "Cannot be checked for malicious software" and will not install. How can I fix it?
Apps that are from the Apple Store are subject to review and scanned for malicious content. Apps from outside the Mac App store have not been scanned so when you install them, macOS runs a scan on it. Our installer package has been signed by a valid Developer ID. It should install properly after you follow the instructions on this page to resolve the issue:
Why did I receive Error 1107 (Invalid Server Certificate) when trying to connect to Ivanti Secure Access?
This is likely due to an outdated operating system. An OS upgrade to a supported OS is strongly recommended, but if it's not possible, the user can manually install the updated certificates themselves by downloading and installing the certificates from the tar file provided. Read more about the issue and find the links to the relevant updated certificates.
Instructions on how to decompress a tar file at the Apple Support website.
To install the certificates, double-click each file. The OS should recognize them as certs and open Keychain Access. Add each one to System (instead of Login).
For Windows 7, download the program 7zip to extract the files from the attached tar file.
To install the certificates, double-click each file. Then follow the instructions at Microsoft.com to install the trusted root certificate using the install wizard (the link refers to Skype, but the process works regardless).
Users are permitted three (3) concurrent sessions on the Ivanti Secure Access VPN server. When all three of those sessions are allocated, this error will occur and the user can not sign in. To address this error, we recommend the user sign out of all known VPN connections and then attempt to sign in through the Ivanti Secure Access client again. If there are no known logged-in sessions, please open a ServiceNow ticket at ithelp.ucsb.edu and we will clear your sessions.
During installation, Mac OS presents a "Pulse Secure Would like to Filter Network Content" window after connecting. Is it safe to install this?
Yes, it is safe to click "Allow" in this message. The VPN client from Ivanti Secure Access requires kernel-level access on a Mac OS system in order to take full control of your system's network connection. Click "Allow" to permit use of Ivanti Secure Access VPN client on your system.
The following are instructions on how to "deep clean" an old version from your Mac OS:
1. Open a terminal window and enter the following commands to show "hidden" files:
- defaults write com.apple.Finder AppleShowAllFiles true
- killall Finder
2. Remove the old Pulse Secure files with the following commands:
- sudo rm -rf ~/Library/Application\ Support/Juniper\ Networks/SetupClient
- sudo rm -rf ~/Library/Application\ Support/Juniper\ Networks/HostChecker.app
- rm -rf ~/Library/Logs/Juniper\ Networks
- sudo rm -rf /Applications/Network\ Connect.app
- sudo /usr/local/juniper/nc/install/uninstall_nc.sh
3. Open Finder. If present, drag the following to Trash:
- Library/Application Support/Juniper Networks
- Library/Application Support/Juniper Networks (from the User profile )
- Library/Application Support/Juniper Networks (from root/Macintosh HD )
4. Also try the following:
- Uninstall Junos Pulse (if installed) by dragging /Applications/Junos Pulse.app to the Trash.
- Remove /Library/LaunchDaemons/net.juniper.UninstallPulse.plist.org.
- Remove ~/Library/Application Support/Juniper Networks/SetupClient.
5. When done, reboot the machine and install the new Ivanti Secure Access client.
Sometimes the geolocation for an IP or set of IPs can get confused, resulting in Google categorizing the IP as being in Hong Kong. To resolve this issue, first try going to Google's "no country redirect" URL at google.com/ncr. That will reset cookies and should reorient you to the proper geolocation (such as USA). You can also try using Google’s IP problem form to report the issue (though resolution can take weeks).
I get "Connection Error message 'Network unreachable (Error:1133)'" or no network connection once signed in to the VPN - what can I do to resolve this?
The first thing to try when you are having network issues is to restart your computer. The vast majority of issues resulting from error 1133 are resolved via a reboot.
You could also try disabling IPv6 in your network settings. On a Mac, open System Preferences > Network, select the active network adapter, click on the Advanced button from the right panel, click on the TCP/IP tab, select the Configure IPv6 drop-down menu, and set it the to Off. Click OK and restart your Mac.
To manually configure your UCSB connection profile in the Ivanti Pulse Secure client, add a new connection profile and enter the following key components:
Connection Name: UCSB Remote Access Trusted
Ensure that you have typed the URL exactly as listed above - http: will not work - it must be https:
The connection name and URL are the only adjustments required. Everything else can stay as default. Once you've entered the information, choose "Add". You should now be able to connect with your newly created profile.
Our campus VPN vendor, Pulse Secure, was purchased by a software company called Ivanti in December of 2020. The transition has been largely transparent thus far. However, after July 22, 2022, some users may notice that their clients have updated and changed version number, icon, and name. Previously, the Pulse Secure mobile app appeared as a dark icon with a green stylized S. The new Ivanti Secure Access Client app appears as a red/orange icon with a key.
For all other intents and purposes, nothing else about the Campus VPN service has changed. You can still expect the same functionality from the new Ivanti Secure Access client - the change in name and look is purely cosmetic, as Ivanti has been running Pulse Secure for nearly two years as of the client update.
You can read the Ivanti knowledge base article about the changeover here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45301
If you have upgraded from the old Pulse Secure VPN client to the Ivanti Secure Access VPN client on MacOS and are having trouble with the new client, it is likely there are orphaned VPN files that need to be removed. Unfortunately, just moving the Pulse Secure application to the Trash does not remove the associated preference files. We recommend uninstalling both VPN services, then remove the following files either using a terminal window or with Finder (with "hidden" files visible):
Application and Files related to Pulse Secure client (please remove all of these):
/Library/Application Support/Pulse Secure/
~/Library/Application Support/Pulse Secure (folder)
~/Library/Logs/Pulse Secure (folder)
Application and Files related to Ivanti Secure Access client (please remove all of these):
/Applications/Ivanti Secure Access.app
After the files above are removed, restart the computer and attempt a fresh install of the Ivanti Secure Access App from the UCSB Box location here (you will need to sign in using your UCSB NetID and password):
If logging in with Ivanti Secure Access fails the first time, please give it another try. The second attempt should succeed.
If you are having trouble with SSH while connected to the Campus VPN on an Ubuntu* machine while logged in via the GUI, try logging in via the CLI instead. Conversely, if you're having trouble with SSH while logged into the CLI, try the GUI instead. You can find instructions on our VPN Client on Linux page.
If you have tried both methods and are still experiencing a connection issue, please submit a ServiceNow ticket via this link.
*The only reports we've had of this issue are from Ubuntu users. If you experience this issue on another Unix client, please let us know by emailing email@example.com.