Overview
As part of the Secure Connect project, enforced users must comply with the new security requirements for the VPN. These requirements mandate that a device have Qualys, Trellix/FireEye Helper (for campus users) or CrowdStrike (for health users), and a device certificate before it can connect to the secure-connect VPN tunnel groups. Currently, a device can only receive a device certificate by being enrolled in one of the following MDMs: Jamf, MECM, or Intune.
Critical Concepts
- If you experience any issues with using the VPN while enforced under Secure Connect, do NOT uninstall your VPN client.
  - Uninstallation of the VPN client while it is undergoing compliance checks and background updates on your device can break the process and require manual recovery.
- If you are connecting to the VPN while under Secure Connect enforcement, your device may need to complete a security posture check.
  - During this process, you may experience some delays in service.
Known Problems & Solutions
Below are the different errors you may encounter when connecting to the VPN while enforced under Secure Connect. Please do NOT contact your departmental IT team for the following unless you are unable to connect to the VPN after 1 day.
- Redirects or delays upon connecting to the VPN for the first time after Secure Connect enforcement.
  - During your first connection to the VPN under Secure Connect enforcement, your device may be installing necessary security components or undergoing security scans. You may be redirected to articles outlining how to get your device compliant with Secure Connect in order to access the VPN, or you may see the VPN connection stall briefly.
- The secure-connect-split tunnel group provides access to the VPN, but the secure-connect-allthru tunnel group does not.
  - Your device is still being compliance-checked, so you are provisioned internet-only access. Since secure-connect-split only routes campus traffic through the UCSD VPN and not all internet traffic, it is able to provision internet-only access for users, whereas secure-connect-allthru cannot.
- When connecting to the secure-connect-allthru tunnel group, the internet setting on your device says “No internet access”.
  - This is expected behavior. With the secure-connect-allthru tunnel group, all internet traffic is routed through the VPN rather than locally through the machine, so your device does not detect the internet access being provided through the VPN.
Steps to Take: Checking the Status of Your VPN Connection
If you are having trouble getting connected to the VPN, you can take the following steps to check the status of your VPN connection.
Mac
- Open the UCSD VPN client and connect to the VPN.
- Click on the statistics button in the bottom left corner of the VPN client.
- On the top right of the screen, click “ISE Posture” and then below that click “Message History”.
- The message history will provide you with details on what the VPN client is doing in the background.
Windows
- Open the UCSD VPN client and connect to the VPN.
- Click on the settings button in the bottom left corner of the VPN client.
- On the left of the screen, click “ISE Posture”. Then, along the right middle of the window that appears, click “Message History”.
- The message history will provide you with details on what the VPN client is doing in the background.
Requesting Assistance
If you need assistance with the Secure Connect VPN, please be prepared to provide the following:
- a screenshot of the ISE Posture Message History
- the tunnel group you selected (secure-connect-split, secure-connect-allthru, etc.)
- whether this is your first time trying to connect since becoming enforced
- any error messages or redirection to any sites