The Fermilab VPN system has changed

We have completed making changes to the lab VPN system. Please read on for important information regarding these changes.

 

WHAT ARE WE DOING?

The lab VPN system has been changed to optimize network security beginning. With this initial change, anyone attempting to log in to VPN will see a new login prompt and new dropdown menu options as described further below.

This change also implements different security policies for groups of lab users, either disabling what is called VPN split tunneling for each user group or leaving it enabled.

When split tunneling is enabled, only traffic to Fermilab’s on-site resources is sent via the VPN tunnel. When split tunneling is disabled, all network traffic, including traffic to resources outside of the lab network, will be sent via the VPN tunnel. This means that traffic to external resources will pass through cybersecurity inspection, just as on-site traffic does.

This split tunneling change is being done in two phases.  In first, the split tunnel has been disabled only for Core Computing Division. However, the VPN login prompt and dropdown menu has changed  for all VPN users. In a second phase, split tunneling will be disabled for all other lab employees. Users and affiliates will continue to use the split tunneling option.

 

WHAT IS THE IMPACT TO YOU?

  • When logging in to the Fermilab VPN system, you must choose the appropriate VPN user profile as follows:

All VPN users who are not CCD employees should select either of the following user profiles from the dropdown menu on the new VPN login prompt:

  • YUBIKEY USERS who are NOT CCD employees, select 01_General-Users-YubiKey-Cert
  • RSA TOKEN users who are NOT CCD employees, select 02_General-Users-RSA

CCD employees must select either of the following user profiles from the dropdown menu on the new VPN login prompt:

  • CCD EMPLOYEES who use a YUBIKEY, select 03_CCD-Employees-YubiKey-Cert
  • CCD EMPLOYEES who use an RSA token, select 04_CCD_Employees-RSA

Any other options you might see should be used only if specifically instructed to by support staff.

 

WHAT DO YOU NEED TO DO?

When attempting to log in to VPN, select the appropriate VPN user profile as described above.

If you have any questions about this message, or if you have issues following the change, contact the Service Desk:

https://servicedesk.fnal.gov
servicedesk@fnal.gov
(630) 840-2345