Privileged Access VPN

Secure remote access to restricted UNSW resources

Overview

The Privileged Access VPN service lets you establish a secure network connection over the Internet from your computer/mobile device to a Security Gateway that provides privileged access to restricted UNSW resources. It is a tool that provides privileged access to UNSW resources where there is a need for additional cyber security access controls. These controls could include ensuring that access is restricted to a particular group within UNSW, or that the resource is being accessed from a trusted device.

Examples of applications or systems that may require access via the Privileged Access VPN are listed below:

  •  Systems that are critical to UNSW's safety and security
  •  Research systems that are subject to regulatory controls, or include sensitive personal data
  •  Medical systems that contain patient medical data
  •  Finance applications that contain banking or credit card details
  •  Applications that contain staff and student HR data

The list of applications and systems accessible via the Privileged Access VPN service will grow as some of the group-based access from the Legacy Remote Access VPN is migrated to the new Privileged Access VPN service, and as additional applications and systems are onboarded. Please note that most administrator access to UNSW resources has not yet been migrated to the Privileged Access VPN service. Most system and application administrators should continue to use the "IT Admin VPN" or the "Hosting VPN" services, which are managed by the Cyber Security Operations team within UNSW IT.

The Privileged Access VPN service is implemented using GlobalProtect and Prisma Access technology from Palo Alto Networks. It partially replaces the Cisco AnyConnect technology used in the Legacy Remote Access VPN service, which has been deprecated and will be decommissioned in late 2024.

The Privileged Access VPN service is available to only those UNSW staff and students that require it for their work. UNSW staff and students that are working remotely and require access to UNSW resources that don't require privileged access are encouraged to use the Remote Access VPN service instead.

Warning

Some countries restrict or regulate use of encryption and VPN technologies. Be aware of, and respect, local laws that apply at your location prior to using the Remote Access VPN Service.

Please note that the number of applications and systems that you can access while connected to the Privileged Access VPN service is limited and is provided on an as-needed basis subject to business need. General network access is blocked while connected to the Privileged Access VPN, so you may need to disconnect from the Privileged Access VPN to access the Internet or other UNSW resources.

How to Connect to the Privileged Access VPN Service

UNSW staff and students wishing to connect to the Privileged Access VPN service must first download and install the GlobalProtect app on their device. Once installed, GlobalProtect can then be configured to connect to the Privileged Access VPN portal (pa.vpn.unsw.edu.au) using zID credentials and multi-factor authentication.

For Windows and Mac users, please download the GlobalProtect client software by accessing https://pa.vpn.unsw.edu.au/

For iPhone and iPad users, please download the GlobalProtect client software from the Apple App Store.

For Android users, please download the GlobalProtect client software from the Google Play Store.

For Linux users, please raise a ticket via the UNSW IT Service Desk (https://servicedesk.unsw.edu.au/) to obtain the GlobalProtect client software.

The Privileged Access VPN uses the same GlobalProtect app as the Remote Access VPN service. Detailed installation and configuration guides can be found on the Remote Access VPN service webpage.

See below for detailed instructions on how to connect to the Privileged Access VPN service using the GlobalProtect app.

Download and Install the GlobalProtect App for Windows

Step 1: Log in to the GlobalProtect portal.

Launch a web browser and go to the following URL:
https://pa.vpn.unsw.edu.au/

On the portal login page, enter your Name (zID@ad.unsw.edu.au) and Password, and then click LOG IN. You will also need to complete multi-factor authentication using the Authenticator app on your mobile device.

Step 2: Navigate to the app download page.

In most instances, the app download page appears immediately after you log in to the portal. Use this page to download the latest app software package.

Step 3: Download the app.

  1. To begin the download, click the software link that corresponds to the operating system running on your computer. Most Windows users should download the 64-bit version.
  2. Open the software installation file.
  3. When prompted, Run the software.
  4. When prompted again, Run the GlobalProtect Setup Wizard.

Step 4: Complete the GlobalProtect app setup.

  1. In the GlobalProtect Setup Wizard, click Next.
  2. Click Next to accept the default installation folder (C:\Program Files\Palo Alto Networks\GlobalProtect) and then click Next twice.
  3. After installation is complete, Close the wizard.

Use the GlobalProtect App for Windows

After you install the GlobalProtect app, you may need to run it manually the first time. There are many ways to get to the GlobalProtect app; the easiest is to search for 'GlobalProtect' from your Windows Start button.

Step 1: Log in to GlobalProtect.

  1. If you are logging in to the endpoint for the first time, the GlobalProtect app displays a friendly welcome page upon successful login. Click Get Started.
  2. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  3. Enter pa.vpn.unsw.edu.au as the Portal, and then click Connect.
  4. If prompted, enter your Username (zID@ad.unsw.edu.au) and Password, and then click Sign In. The process should be similar to other MFA logins, where you enter your credentials into your default web browser and then approve MFA using the Authenticator app on your mobile device.
  5. Click Open GlobalProtect when prompted.
    After connecting successfully, a pop-up should appear.

Step 2: Connect or reconnect to the GlobalProtect portal or gateway.

  1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  2. If you are logging in to the GlobalProtect app for the first time, enter pa.vpn.net.unsw.edu.au as the Portal, and then click Connect.
  3. If multiple portals are saved on your app, select pa.vpn.unsw.edu.au from the Change Portal drop-down. By default, the most recently connected portal is pre-selected from the Change Portal drop-down.
  4. Click Connect to initiate the connection.
  5. If prompted, sign in again using your zID credentials and approve the MFA in the Authenticator app on your mobile device.

Disconnect the GlobalProtect App for Windows

After you have finished using the Privileged Access VPN service, you should disconnect from GlobalProtect.

Step 1: Disconnect the GlobalProtect app.

  1. Launch the GlobalProtect app by clicking the GlobalProtect system tray icon. The status panel opens.
  2. Click the hamburger menu to open the settings menu.
  3. Select Disconnect.

Additional instructions on how to use the GlobalProtect app can be found on the Palo Alto Networks website. See: https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-user-guide/globalprotect-app-for-windows

Download and Install the GlobalProtect App for macOS

When you install the GlobalProtect app for the first time on a macOS device running macOS Catalina 10.15.4, macOS Big Sur 11, or later, or upgrade to GlobalProtect app 5.1.4, you must enable the system extensions that are used for specific GlobalProtect features. The System Extension Blocked notification message may be displayed in the GlobalProtect app during the installation. The message prompts you to enable and allow the macOS system extensions that are blocked from loading, so that the split tunnel and Enforce GlobalProtect for Network Access features can be used.

Step 1: Log in to the GlobalProtect portal.

Launch a web browser and go to the following URL:
https://pa.vpn.unsw.edu.au/

On the portal login page, enter your Name (zID@ad.unsw.edu.au) and Password, and then click LOG IN. You will also need to complete multi-factor authentication using the Authenticator app on your mobile device.

Step 2: Navigate to the app download page.

In most instances, the app download page appears immediately after you log in to the portal. Use this page to download the latest app software package.

Step 3: Download the app.

  1. To begin the download, click the software link that corresponds to the operating system running on your computer. Click Download Mac 32/64 bit GlobalProtect agent.
  2. Open the software installation file.
  3. When prompted, Run the software.
  4. When prompted again, Run the GlobalProtect Installer.

Step 4: Complete the GlobalProtect app setup using the GlobalProtect Installer.

  1. From the GlobalProtect Installer, click Continue.
  2. On the Destination Select screen, select the installation folder for the GlobalProtect app, and then click Continue.
  3. On the Installation Type screen, select the GlobalProtect installation package check box.
    Select the GlobalProtect System extensions check box (disabled by default). Click Continue.
  4. Click Install to confirm that you want to install GlobalProtect.
  5. When prompted, enter your User Name and Password, and then click Install Software to begin the installation.
  6. After installation is complete, Close the installer.
  7. If you enabled the GlobalProtect System Extensions, select Open Security Preferences in the System Extension Blocked notification to enable the system extensions in macOS that were blocked from loading.
    If your administrator has suppressed this notification by using the supported mobile device management system (MDM), Jamf Pro, you can automatically load the system extensions without receiving this notification.
  8. On the Security & Privacy dialog, click the padlock icon to make changes, and then select App Store and identified developers in the Allow apps downloaded from area. Click Allow.

Use the GlobalProtect App for macOS

After you install the GlobalProtect app, you may need to run it manually the first time. There are many ways to get to the GlobalProtect app; the easiest is to search for 'GlobalProtect' from your Windows Start button.

Step 1: Log in to GlobalProtect.

  1. If you are logging in to the endpoint for the first time, the GlobalProtect app displays a friendly welcome page upon successful login. Click Get Started.
  2. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  3. Enter pa.vpn.unsw.edu.au as the Portal, and then click Connect.
  4. If prompted, enter your Username (zID@ad.unsw.edu.au) and Password, and then click Sign In. The process should be similar to other MFA logins, where you enter your credentials into your default web browser and then approve MFA using the Authenticator app on your mobile device.
  5. Click Open GlobalProtect when prompted.
    After connecting successfully, the following should pop up