This content is viewable by Everyone

VPN - Remote connection

SSO Enabled Requires users to sign-in to MyAccess SSO to access
MFA Required Requires users to accept a Duo prompt to access

Save

Support:

Log in via MyAccess to get help with this service

How to Request Access

You will need your UCSF email address and DUO authentication through Okta to log into GlobalProtect VPN.

Please contact the IT Service Desk at 415-514-4100 for further assistance if needed.

Description

UCSF Remote VPN can be accessed by (1) using the Palo Alto GlobalProtect VPN client on your Windows or Mac computer, smartphone, and tablet or (2) using the VPN web portal. All methods require that you have a UCSF Active Directory account and Duo two-factor authentication. See VPN Web Portal for more details.

The Palo Alto GlobalProtect VPN client is an application that runs on your desktop, laptop or mobile device and allows you to connect directly to the UCSF network as if you were on campus.

A locally installed VPN client simplifies access when you are not on campus, it is a good idea to make it your primary choice when connecting remotely. Review information about how to Install GlobalProtect VPN on Windows and Mac, or contact the IT Service Desk for assistance.

Getting Support?

You can find more information about VPN on our VPN Frequently Asked Questions page, or call the IT Service Desk for assistance at 415-514-4100.

Using Remote VPN

The GlobalProtect VPN client is required in order to run:

A full desktop email client, such as Microsoft Outlook or Apple Mail, from your desktop or laptop
A remote terminal session to access a server's command line
A remote desktop session initiated to connect to another computer at UCSF

The Remote VPN client is not required to use:

The native email client on your iOS or Android phone or tablet
Cloud applications such as UCSF Outlook Web (email.ucsf.edu), Box, DocuSign, Qualtrics or Zoom.

Connect on mobile devices

GlobalProtect VPN is available to connect on iOS and Android mobile devices via the Intune Company Portal. See VPN Web Portal for more details.

Connect via the UCSF web portal

The UCSF VPN web portal is your alternative method for accessing UCSF applications when you are on a non-UCSF computer and you cannot download and install the local GlobalProtect VPN client. See VPN Web Portal for more details.

Important:

The web VPN portal is only an alternative tool to access limited internal resources and does not provide the same full functionality and access as the locally installed GlobalProtect VPN client. We recommend installing local remote VPN client via software.ucsf.edu on non-public computers you use for UCSF work whenever possible. This is a one-time installation.
Remote VPN client connection is not meant to be use for frequent large file transfer. You may experience slowness or incomplete file transactions. Please reach out to Network team if you have a specific workflow that require frequent large size file transfer.

GlobalProtect VPN IP range assignment:

Below are the current IP and ranges assigned to Remote VPN. For departmental IT who require specific firewall policy or access-list update to allow access, please refer to list below and reach out to IT Service Desk to create an inquiry request to Network Operations if you have further questions regarding VPN IP assignment. Thank you!

GlobalProtect VPN desktop client and web portal IP ranges as as follow:

Remote client IP ranges:

10.48.0.0/17

Web Portal IPs:

128.218.0.102/32

128.218.0.222/32

169.230.0.106/32

169.230.0.102/32

10.72.35.91/32

10.72.35.92/32

Day-to-day Contact: Tom Chen
Service Manager: Steve Young
Service Owner Team: IT Infra Network Operations
Service Support Team: HCL Network Data
Audience: Technical Partner
Service Category: Network & Wireless