VPN (virtual private network) replacement

Updating the University’s VPN service to improve security and functionality

Overview

The University’s VPN service is being upgraded in order to:

  • ensure hardware support
  • improve security and make sure the University’s network is protected 
  • improve the service through delivery of additional features

Note

Some colleges and academic departments provide a local VPN which may be used as an alternative to the centrally provided VPN service. Local VPN services will not be affected by this upgrade. If you are unsure, please contact your local IT support

 

What do I need to use the VPN for?

You currently need to log on to the VPN to enable you to open some centrally provided services or systems when out of reach of the University network (for example, when working from home or away from Oxford). These include:

  • HR self-service
  • HR reporting
  • Oracle Financials (R12)
  • X5 research costing and pricing
  • Restricted University web pages (like the IT Services online shop)
  • Accessing past exam papers

Further information is available on the IT Services website. You might also require the VPN to access locally managed services within your department or college.

What will be different?

  • You will have to use Cisco software, known as the Cisco AnyConnect Secure Mobility Client (or Cisco AnyConnect Client), to connect to the VPN
  • You will need the required minimum version of the Cisco AnyConnect Client installed on your device
  • Your device will need to run a supported operating system (OS) to host the required minimum version of the Cisco AnyConnect Client
    • https://web.microsoftstream.com/embed/video/eca670bf-b96c-4ff3-9f50-c4601eb5e98d?autoplay=false&showinfo=true
  • You will log in to the VPN using your SSO (Single Sign-On) username and password and MFA (multi-factor authentication) will work in the the usual way, so you will no longer use your Remote Access login.  (You will still need to use your Remote Access login for eduroam Wi-Fi access).  The video below demonstrates how the new login will work.  NOTE: the url displayed in the video will not be what you see when you log in.  

In addition, through the introduction of a feature called split-tunnelling, you will be able to configure the VPN to allow local network access during VPN sessions.  This will deliver improved speed of access and enable you to do things like print directly to your home printer without disconnecting from the VPN.

When will the new service be introduced?

The University VPN service will be upgraded on 26 April.  From that date:

  • if you try to access the VPN using software other than the Cisco AnyConnect client (this will mostly affect Mac and Linux users), the connection will fail
  • if you try to access the VPN using the Cisco AnyConnect Client but do not have the required minimum version installed, the connection will fail
  • if you are using the required minimum version of the Cisco AnyConnect Client, you will need to log in using SSO, instead of your Remote Access login 

In preparation, between 14 March and go-live, if you currently use the Cisco AnyConnect Client to connect to the VPN via a desktop or lap top:

  • you are very likely to receive prompts to update your Cisco AnyConnect Client, which we strongly recommend you accept
  • you might see your Cisco AnyConnect Client automatically update when you try to connect to the VPN if you are using an older version, or if you have not accepted the previous prompts to update

What do I need to do?

The level of impact of this change will depend on how you currently access the University's VPN service. The information below describes this in more detail.

Tip

We strongly recommend that you connect to the VPN regularly before go-live and accept any prompts to update, to ensure your Cisco AnyConnect Client is updated and continues to work after go-live on 26 April

 

Expand All

Managed staff desktop service (CONNECT) users

If you are using a managed staff desktop or laptop (also known as a CONNECT machine) there will be some changes to how you log in to the VPN when the upgraded service goes live on 26 April.  Further information will be available before then but we do know that you will need to make the following change:

  • Log in using your SSO (Single Sign-On), instead of your Remote Access login (you will still need to use your Remote Access login for eduroam Wi-Fi access). See the IT Help website for further information about SSO and Remote Access

Self-managed or using your own device

If you are using your own Windows device, or self-managing your University machine there are several elements you need to be aware of:

  1. You will need to run a supported OS (operating system) on your device to host the required minimum version of the Cisco AnyConnect Client.  This should also bring you in-line with the University’s security policy, see the Information Security website. See the minimum OS required in the table below:
     
    OS (operating system) Versions supported by the new Cisco AnyConnect Secure Client (4.10.06090)
    Windows Windows 11 (64-bit)  
    Windows 10 x86 (32-bit) and x64 (64-bit): current Microsoft supported versions   
     

    Technical detail is available in the Cisco release notes.
     

  2. If you are currently accessing the VPN via an alternative to the Cisco AnyConnect Client, you will need to switch to using the Cisco AnyConnect Client in order to connect to the VPN from 26 April.  See how to download the latest version on the IT Help website. You should download from the Software Registration and Download webpage, not directly from Cisco 
  3. If you currently use the Cisco AnyConnect Client, you will need to be using the required minimum version in order to access the new VPN service.  The project team is facilitating this via a staged introduction of client auto-updating.  This means from 14 March, users of older versions of the Cisco AnyConnect Client will have their client automatically updated or will be prompted to update it. We strongly recommend that you connect to the VPN before go-live and accept any prompts to update, to ensure your Cisco AnyConnect Client is updated and continues to work after go-live
  4. Once the new service is live on 26 April, you will need to log in using your SSO, rather than your Remote Access login (you will still need to use your Remote Access login for eduroam Wi-Fi access). The Cisco AnyConnect Client will not store your credentials so you will have to enter your SSO username and password every time to you connect to the VPN.  (See the IT Help website for further information about SSO and Remote Access)

Managed Mac (Orchard) service users

If you have a Mac managed by the central IT Services Managed Desktops & Devices Service team, you will receive instructions from them on what to do.

Self-managed or using your own device

If you are using your own macOS device, or self-managing your University machine there are several elements you need to be aware of:

  1. You will need to run a supported OS (operating system) on your device to host the required minimum version of the Cisco AnyConnect Client.  This should also bring you in-line with the University’s security policy, see the Information Security website. See the minimum OS required in the table below:
     
    OS (operating system) Versions supported by the new Cisco AnyConnect Secure Client 4.10.06090
    macOS macOS 13 (Ventura)  
    macOS 12 (Monterey)  
    macOS 11 (Big Sur)  
     

     
    Technical details are available in the Cisco release notes
     

  2. If you are currently accessing the VPN via an alternative to the Cisco AnyConnect Client, you will need to switch to using the Cisco AnyConnect Client in order to connect to the VPN from 26 April.  See how to download the latest version on the IT Help website. You should download from the Software Registration and Download webpage, not directly from Cisco
  3. If you currently use the Cisco AnyConnect Client, you will need to be using the required minimum version in order to access the new VPN service.  The project team is facilitating this via a staged introduction of client auto-updating.  This means from 14 March, users of older versions of the Cisco AnyConnect Client will have their client automatically updated or will be prompted to update it. We strongly recommend that you connect to the VPN before go-live and accept any prompts to update, to ensure your Cisco AnyConnect Client is updated and continues to work after go-live
  4. Once the new service is live on 26 April, you will need to log in using your SSO, rather than your Remote Access login (you will still need to use your Remote Access login for eduroam Wi-Fi access). The Cisco AnyConnect Client will not store your credentials so you will have to enter your SSO username and password every time to you connect to the VPN. (See the IT Help website for further information about SSO and Remote Access)

  1. You will need to run a supported OS (operating system) on your device to host the required minimum version of the Cisco AnyConnect Client.  This should also bring you in-line with the University’s security policy, see the Information Security website. See the minimum OS required in the table below: 
     
    OS (operating system) Versions supported by the new Cisco AnyConnect Secure Client 4.10.06090
    Linux Red Hat 9.x and 8.x  
    Ubuntu 22.04 and 20.04  

     
    Technical details are available in the Cisco release notes
     

  2. If you are currently accessing the VPN via an alternative to the Cisco AnyConnect Client, you will need to switch to using the Cisco AnyConnect Client in order to connect to the VPN from 26 April.  See how to download the latest version on the IT Help website. You should download from the Software Registration and Download webpage, not directly from Cisco
  3. If you currently use the Cisco AnyConnect Client, you will need to be using the required minimum version in order to access the new VPN service.  The project team is facilitating this via a staged introduction of client auto-updating.  This means from 14 March, users of older versions of the Cisco AnyConnect Client will have their client automatically updated or will be prompted to update it. We strongly recommend that you connect to the VPN before go-live and accept any prompts to update, to ensure your Cisco AnyConnect Client is updated and continues to work after go-live
  4. Once the new service is live on 26 April, you will need to log in using your SSO, rather than your Remote Access login. (you will still need to use your Remote Access login for eduroam Wi-Fi access). The Cisco AnyConnect Client will not store your credentials so you will have to enter your SSO username and password every time to you connect to the VPN. (See the IT Help website for further information about SSO and Remote Access)

 

 

  1. You will need to run a supported OS (operating system) on your device to host the required minimum version of the Cisco AnyConnect Client.  This should also bring you in-line with the University’s security policy, see the Information Security website. See the minimum OS required in the table below:
      
    Operating system/devices Versions supported by Cisco Secure Client 5.x
    iPadOS, iOS (iPad, iPhone, iPod Touch)  iOS 10.3 and above 
    Android (includes ChromeOS devices)  Android 4.0 and above 

     
    Technical details are available in the Cisco release notes for Cisco Secure Client for iOS and the Cisco release notes for Cisco Secure Client for Android.
     

  2. If you are currently accessing the VPN via an alternative to the Cisco AnyConnect Secure Client, you will need to switch to using the Cisco AnyConnect Secure Client in order to connect to the VPN from 26 April.  See how to download the latest version on the IT Help website. For mobile devices the Cisco AnyConnect Secure Mobility Client might appear as the 'Cisco Secure Client' which is the most up-to-date version and fine for you to download
  3. Because of the way updates work through the App Stores, the versions available to most devices via the relevant App Stores will be the most up-to-date Cisco Secure Client, rather than older versions, so there should be no need for you to check for updates
  4. Once the new service is live on 26 April, you will need to log in using your SSO, rather than your Remote Access login (you will still need to use your Remote Access login for eduroam Wi-Fi access). The Cisco AnyConnect Client will not store your credentials so you will have to enter your SSO username and password every time to you connect to the VPN. (See the IT Help website for further information about SSO and Remote Access)

 

Related links

Help