GlobalProtect VPN

What is GlobalProtect?

CSU provides secure off-campus access to on-campus resources via the GlobalProtect gateway, also known as a Virtual Private Network (VPN).  GlobalProtect VPN provides a secure and encrypted tunnel between your device and the CSU network that enforces the use of recent, more secure operating system versions.  The VPN is reachable via the GlobalProtect desktop client or via the web interface (Fort Collins: gateway.colostate.edu | Pueblo: pueblogateway.colostate.edu). 

GlobalProtect replaces Pulse Secure, which will be decommissioned in early Summer 2022. 

Option 1: Connecting Your Windows or Mac via Browser

1. From any browser on your PC or Mac type in gateway.colostate.edu into the address bar. We tested Chrome, Edge, Firefox, Safari, and Brave. All worked the same.

Screenshot of browser URL gateway.colostate.edu

2. You will be presented with a CSU eID log in screen. Enter your eName and eID password to authenticate.

eID Login Screenshot

3. You will be sent to the Duo authentication page. Should you not already have Duo installed, please find instructions here.

Duo Authentication Screenshot

4. Once authenticated you will be logged into the secure gateway and can begin conducting your business. (note: links and applications you see may be subject to change)

Gateway.colostate.edu Home Screenshot

5. Log out or close the screen to exit the gateway and close the session.

Gateway.colostate.edu Log-Out Screenshot

6. Your device is remembered for 24 hours, after that, you will need to reestablish and reauthenticate your VPN connection.

Option 2: Connecting to the GlobalProtect Gateway from your Desktop Application

Note: This option requires the GlobalProtect app to have been installed to your device by CSU IT Staff. If GlobalProtect is not already installed, which you can check by following Step 1 below, see the Install Desktop Agent – Personally Managed Devices section for instructions on installing GlobalProtect manually.

1. From the Start menu search bar, type in GlobalProtect. If the GlobalProtect icon does not display, see the Install Desktop Agent – Personally Managed Devices section to install it manually or contact your IT manager to have it added to your CSU managed device.

GlobalProtect Start Menu Search Screenshot

2. Enter gateway.colostate.edu for the portal address.

GlobalProtect Client Enter Portal Address Screenshot

Note: some screens or processes may look different depending on which version of GlobalProtect is in use. 

3. You will need to sign in with your eName and eID password.

eID Login Screenshot

4. You’ll need to authenticate with Duo.

Duo Authentication Screenshot

5. When the connection is successful, the GlobalProtect screen will display as “Connected”. Click “Disconnect” to end the session.

GlobalProtect Client Connected Screenshot

To Use:

PC:

Open the Global Protect application:

From the Start Search bar, search for GlobalProtect, click on the application.

GlobalProtect Start Menu Search Screenshot

Enter gateway.colostate.edu for the portal address.

GlobalProtect Client Enter Portal Address Screenshot

Note: some screens or processes may look different depending on which version of GlobalProtect is in use. 

You will need to sign in with your eName and eID password.

eID Login Screenshot

You’ll need to authenticate with Duo.

Duo Authentication Screenshot

When the connection is successful, the GlobalProtect screen will display as “Connected”.   Click “Disconnect” to end the session.

GlobalProtect Client Connected Screenshot

Mac:

Open the Global Protect application:

Click the Globe Icon at the top of the screen and enter gateway.colostate.edu for the portal address.  If the GlobalProtect icon does not display on your top bar, email help@colostate.edu.

GlobalProtect Mac Enter Portal Address Screenshot

Note: some screens or processes may look different depending on which version of GlobalProtect is in use. 

You will need to sign in with your eName and eID password.

GlobalProtect Mac Agent eID Login Screenshot

You’ll need to authenticate with Duo.

GlobalProtect Mac Agent Authenticate with Duo Screenshot

When the connection is successful, the GlobalProtect screen will display as “Connected”.   Click “Disconnect” to end the session.

GlobalProtect Mac Agent Connected Screenshot

Depending on version of macOS you may receive the following popup message “Filter Network Content”.  If you do, click on Allow to complete the GlobalProtect client/agent installation.

GlobalProtect Mac Agent Filter Network Content Pop-Up

1. From any browser on your PC or Mac type in gateway.colostate.edu into the address bar.

Screenshot of browser URL gateway.colostate.edu

2. You will be presented with a CSU eID log in screen. Enter your eName and eID password to authenticate.

eID Login Screenshot

3. You will be sent to the Duo authentication page. Should you not already have Duo installed, please find instructions here.

Duo Authentication Screenshot

4. Once authenticated you will be logged into the secure gateway

Gateway.colostate.edu Home Screenshot

5. Select Download the GlobalProtect Agent to be presented with the different software download options.
GlobalProtect Download Desktop Agent Screenshot

6. This step is specific to your operating system. Select the appropriate download for your device type. If you’re unsure of which agent file to select, contact your local IT support.

GlobalProtect Client Software Downloads Screenshot

7. Select the appropriate file to begin installation.

PC Installation:

The GlobalProtect Setup Wizard will open. Click Next to begin.

GlobalProtect PC Setup Wizard Welcome Screenshot

Click Next, it’s recommended to use the default download location.

GlobalProtect PC Setup Wizard Select Folder Screenshot

Click Next to confirm the installation.

GlobalProtect PC Setup Wizard Confirm Install Screenshot

Click Close to complete the installation on your PC.

GlobalProtect PC Setup Wizard Complete Screenshot

GlobalProtect is now installed on your PC device.

Launch the GlobalProtect app – from the Start menu search bar, type in GlobalProtect.

GlobalProtect Start Menu Search Screenshot

Enter gateway.colostate.edu for the portal address.

GlobalProtect Client Enter Portal Address Screenshot

Note: some screens or processes may look different depending on which version of GlobalProtect is in use. 

You will need to sign in with your eName and eID password.

eID Login Screenshot

You’ll need to authenticate with Duo.

Duo Authentication Screenshot

When the connection is successful, the GlobalProtect screen will display as “Connected”. Click “Disconnect” to end the session.

GlobalProtect Client Connected Screenshot

Mac Installation:

A pop-up will appear asking if you want to allow downloads on “gateway.colostate.edu”. Click Allow.

GlobalProtect Mac Allow Download Screenshot

The file will be in the download folder.

GlobalProtect Mac Download

Click on the GlobalProtect folder to open the files.

GlobalProtect Mac Install Downloads Folder Screenshot

Click Install to begin installing the files.

GlobalProtect Mac Install Start Screenshot

Click Continue to select the Global Protect package to download.

GlobalProtect Mac Install Package Selection Screenshot

Enter your MacOS/AppleID password.

GlobalProtect Mac Install Enter Password Screenshot

Click Install Software to continue to process.

GlobalProtect Mac Install Software Screenshot

Click OK to Enable the system extension.

GlobalProtect Mac Install Enable System Extension Screenshot

Click Close, the installation process for your Mac is complete.

GlobalProtect Mac Install Success Screenshot

GlobalProtect is now installed on your Mac device.

Launch the GlobalProtect app.

Enter gateway.colostate.edu for the portal address.

GlobalProtect Client Enter Portal Address Screenshot

Note: some screens or processes may look different depending on which version of GlobalProtect is in use. 

You will need to sign in with your eName and eID password.

eID Login Screenshot

You’ll need to authenticate with Duo.

Duo Authentication Screenshot

When the connection is successful, the GlobalProtect screen will display as “Connected”. Click “Disconnect” to end the session.

GlobalProtect Client Connected Screenshot

Watch Video:

Install and Use GlobalProtect on iOS devices (2 min.)

Or follow the text instructions below

To Install:

1. Select the Apple App Store from your device

iOS App Store Icon

2. Enter “GlobalProtect” in the search box

GlobalProtect App Store Search Screenshot

3. Select the GlobalProtect Icon and click the download icon.

GlobalProtect App Store Download Icon Screenshot

4. Select “Open” once downloaded

GlobalProtect App Store Open Button Screenshot

5. You want to Allow notifications.

GlobalProtect App Allow Notifications Pop-Up

6. Enter the portal address: gateway.colostate.edu

GlobalProtect App Enter Portal Address Screenshot

7. Allow VPN Configuration

GlobalProtect App VPN Configuration Pop-Up

8. Enter your CSU eName and eID password

eID Login Screenshot

9. You will be required to authenticate through DUO

Duo Prompt Mobile

10. You are now connected to the GlobalProtect VPN service.  Tap the green shield to disconnect.

GlobalProtect App iPhone Connected Screenshot

To Use:

Open the GlobalProtect application from your device

GlobalProtect App Icon

Tap to Connect

GlobalProtect App Tap to Connect Screenshot

Enter your eName and eID password (if prompted)

eID Login Screenshot

Authenticate with Duo (if prompted)

Duo Prompt Mobile

Tap the green shield icon to end session

GlobalProtect App iPad Connected Screenshot

The app will state the connection is successful and you may begin browsing. While GlobalProtect is enabled, any application you use or site you visit will be securely routed through the VPN service.

Watch Video:

Install and Use GlobalProtect on Android devices (2 min.)

Or follow the text instructions below.

To Install:

1. Select the Google Play store from your device

Google Play Store Icon

2. Enter GlobalProtect in the search bar

GlobalProtect Play Store Search Screenshot

3. Install the GlobalProtect App

GlobalProtect Play Store App Install Screenshot

4. Once installed, select Open

GlobalProtect Android App Play Store Open Screenshot

5. The GlobalProtect PaloAlto Networks blue install screen will appear

GlobalProtect Android App Loading Screen

6. Enter the address: gateway.colostate.edu and select Connect

GlobalProtect Android App Enter Portal Address screenshot

7. You will enter your eName and eID password

eID Login Screenshot

8. You will authenticate with Duo. Should you not already have Duo installed, please find instructions here.

Duo Prompt Mobile

9. If the login was successful, you will receive one of the following screens depending on your device brand.

GlobalProtect Android App Login Successful ScreenshotGlobalProtect App iPhone Connected Screenshot

To Use:

Tap GlobalProtect icon to open

GlobalProtect App Icon

Select Tap To Connect

GlobalProtect App Tap to Connect Screenshot

Enter your eName and eID password (if prompted)

eID Login Screenshot

Authenticate with Duo (if prompted)

Duo Prompt Mobile

The app will state the connection is successful and you may begin browsing. While GlobalProtect is enabled, any application you use or site you visit will be securely routed through the VPN service.

GlobalProtect FAQ

Is there a difference between using the GlobalProtect desktop client or accessing it via a browser?

The GlobalProtect web portal (browser) is set up to access a set of defined applications configured for application URLs.  It is a static configuration and cannot be modified by the user.  The web portal is recommended for users who only need to access resources such as TimeClock Plus or links from the aar.is.colostate.edu website. 

The GlobalProtect client/agent is a VPN tunnel configured to access all resources on campus.  When connecting via the client/agent, you will receive a CSU IP address and will be on the CSU network.  You will be able to perform functions such as accessing internal CSU websites, remote terminal or desktop sessions, and other resources not publicly available.  It is important to note that the VPN is configured as a split tunnel, so resources on the public internet are accessed through your ISP, not through CSU’s network. 

For these reasons, we recommend using the GlobalProtect desktop client/agent unless you are accessing TimeClock Plus or AAR.IS.colostate.edu and links from that site. 

How do I use GlobalProtect with a Linux device?

First, access the OneDrive folder that contains all current Linux installers supported by CSU’s VPN environment. Click “Download”.

Screenshot of OneDrive folder with Linux installer folder, open and download buttons.

Once you have downloaded this package, install GlobalProtect by following the instructions on Palo Alto’s website. Note: If you don’t want the GUI version, skip steps 2 and 3 of the GUI instructions, and go to step 2 of the CLI instructions.

For compatibility questions, users can consult the Palo Alto Compatibility Matrix.

What do I enter for the portal address?

When launching the GlobalProtect app for the first time on a new device, it will prompt you for the portal address. Enter gateway.colostate.edu and click Connect.

GlobalProtect Client Enter Portal Address Screenshot

What troubleshooting steps can I take for general issues?

  1. From the system tray, click GlobalProtect to open it.
  2. In the top right, click the GlobalProtect hamburger icon icon and select Settings > General.
  3. Under Portals, click gateway.colostate.edu to select it, then click Delete.
    GlobalProtect Settings Screenshot
  4. In the upper right, click the X to close the window.
  5. Go back to your system tray and click GlobalProtect to open it.
  6. When prompted for a portal address, enter gateway.colostate.edu, then click Connect.
    GlobalProtect Client Enter Portal Address Screenshot
  7. When prompted, enter your eName and password, then confirm your identity with Duo two-factor authentication. You will then be connected to GlobalProtect.

If you have questions about using GlobalProtect, please reach out to your college or department’s IT support.

If you are unsure of who your support contact is, contact the Central IT Help Desk at help@colostate.edu or (970) 491-7276. 

When does the GlobalProtect session timeout?

The session may timeout after 3 hours if the device goes idle, is locked, or goes to a low-power mode. The maximum session length is 24 hours with continued use.

Currently, there is no warning letting you know that you will be disconnected or option to extend the session.  A feature request has been submitted to the vendor to add this type of notification. 

How often will I have to authenticate?

You will have to authenticate each time you connect to GlobalProtect through the desktop agent/client.

Why does my VPN disconnect when my computer goes to sleep or is in power saving mode?

When you have a laptop configured to go to sleep after a period of inactivity or hibernate when the lid is closed, many systems will also put their network adapters into a power-saving mode. To address this, you may need to adjust your power and sleep settings. Under Control Panel / Power Options, select Edit Plan Settings, then Advanced Settings.  Find and expand the Wireless Adapter Settings, and ensure it is set to Maximum Performance for both On battery and Plugged in.  

How do I make the GlobalProtect icon always show on my Windows taskbar?

The GlobalProtect icon on Windows computers appears in the notifications (bottom right) area of the screen.  Windows computers sometimes hide the icon.  To make it always show, open the Start menu and type  “taskbar icons” to search then choose “Select which icons appear on the taskbar.”

Windows Search Start Menu - Taskbar Icons

Next, locate ” GlobalProtect client” and turn it On .

 

Screenshot Select which icons appear on the taskbar, turn on for GlobalProtect

The GlobalProtect icon will then appear in the bottom right area of the screen:

Windows Taskbar showing GlobalProtect icon

Does GlobalProtect have a remote file browsing feature in the web portal?

No, the GlobalProtect web portal is only for resources that can be accessed via an application URL. 

Does GlobalProtect have a remote terminal access in the web portal?

No, the GlobalProtect web portal is only for resources that can be accessed via an application URL.  At this time, use the GlobalProtect client/agent to access remote or terminal sessions. 

Can we customize the applications available in the web portal?

No, the applications are configured at a system level and users cannot add or remove applications or icons. 

I'm having trouble installing or using the client.

If you have questions about using GlobalProtect, please reach out to your college or department’s IT support.

If you are unsure of who your support contact is, contact the Central IT Help Desk at help@colostate.edu or (970) 491-7276. 

Technology

Microsoft Email Encryption:


Viruses, worms, Trojans, bots, rootkits, keystroke loggers… these are all maliciously written and distributed applications you don’t want running on your computer. This class of software is called malware — literally, bad software.

Virus Prevention tips:

  • Practice safe computing. Run antivirus software (like Microsoft’s System Center Endpoint Protection, or Microsoft Security Essentials for home users). Run periodic virus scans of external disks, your hard drive, and downloaded files. Keep your antivirus product up to date.
  • Treat all email attachments as potential virus threats. Never open an attachment by double-clicking it. Always save it to your hard drive and open it from within the corresponding application, such as Microsoft Word for .doc/.docx files.
  • If you’re not expecting an attachment, call or reply to the sender before opening it to make sure they intended to send it to you and know what it is. Delete any attachment you cannot verify with the sender. Many viruses can mail themselves using a person’s email address book.
  • If you have any doubts at all, delete the mail message and ask the sender to give you the attachment on disk or via the Web.
  • Back up regularly. Even the rules above cannot keep you completely safe. When a new virus appears it can take a day or more for antivirus manufacturers to respond to the threat and make a fix available.

Tools:
Colorado State University offers Microsoft System Center Endpoint Protection (SCEP) for use on University Computers.

  • For University Owned Computers: Microsoft’s SCEP is supported on domain-joined computers with the appropriate Client Access License (in the Enterprise or Core CAL bundle). Installation of this product is managed by departmental domain administrators. For individual CALs, please contact RamTech.
  • For Personally Owned Computers: CSU does not centrally support an antivirus client for faculty, staff or students to use on personal devices. Microsoft’s free version for Windows Vista and 7 is called Microsoft Security Essentials; Windows 8 and 10 have a built-in antivirus component called Defender. For Mac OS, there are good-quality free products such as ClamAV and Sophos.

Questions & Support:
If you have problems, questions, or concerns regarding any of these procedures, please contact the Help Desk at the Morgan Library.

Improving web site security with html response headers

So you’ve made sure that your web server has a good certificate, strong keys, is listening only with recent TLS versions (ideally just v1.2). What next?

HTML security headers!

When a browser requests an HTML page, the server can have some control over the conversation. Best practice has been evolving, and the W3C now specifies ways to help browsers make good decisions by having the server reply with a list of response headers. The categories required and optional are from the W3C. The CSU Security Technology Advisory Committee (STAC) recommends getting started by enabling four of the simplest headers, listed below with recommended defaults, caveats, and quick explanations of what they do.

X-Content-Type-Options: nosniff
W3C: required for http and https
This header has only one valid value (nosniff). It tells the browser not to attempt to tell what kind of content is being served, but merely to believe what the server says it is serving. This gets around attacks in which the browser can be made to try opening downloaded content as something else (with a potentially compromised plugin).

Strict-Transport-Security: max-age=31536000
W3C: required for https
Tells the browser, once connected over https, to only connect to the server using https in the future, for as long as specified by the max-age setting. For servers that can potentially serve both http and https, this is particularly important in preventing a variety of attacks. Requires that elements like style sheets and graphics also be served over https, which is best security practice. The recommended time is 1 year (in seconds). While testing, max-age can be set very low.

X-XSS-Protection: 1; mode=block
W3C: optional for http and https
The values displayed are the simple recommended default. This enables browsers to use their built-in protection mechanisms against cross-site scripting.

X-Frame-Options: sameorigin
W3C: optional for http and https
Almost all sites should use the ‘sameorigin’ value, which tells the browser to only accept framing of the site’s content from the same site. This prevents attackers from creating a surreptitious web frame and displaying the page’s contents inside it, hiding the ultimate destination of any information submitted and potentially capturing credentials. If you need framing for a specific purpose, sourced from some server not on your domain, contact the ACNS security team for advice.

A good external source for more in-depth information on security response headers and configuration syntax for each major server platform is on the Mozilla developer site.

The CSU Secure Headers Chrome extension quickly checks a web page for these headers and others.

securityheaders.io provides a more complete scan and documentation, and can be used with a Chrome extension and Firefox add-on.

People

Being aware of risks and defenses is the first step in responding appropriately. Many of the risks to our computers, our networks, and the information that flows through our systems can be minimized by increasing the general awareness of security issues among the user population. The awareness effort begins as soon as a person joins the Colorado State University community, during New Employee Orientation or the variety of events welcoming students to campus. Further security awareness efforts include topic sessions during the annual Professional Development Institute, as well as periodic awareness campaign activities.

Some of the most effective awareness training is targeted at small groups. If you would like to have someone from ACNS come to speak to your class or group about IT security, please contact the security team at soc@colostate.edu.

Cybersecurity Internship Program

Meet the team!

Contact us: ACNS_Cybersecurity_Interns@colostate.edu


Instruction

Information security is a multidisciplinary topic, and that is reflected in the breadth of departments, research groups, and student interest groups looking at security issues.

DEPARTMENT OF COMPUTER SCIENCE:
Network security research group
Computer Science courses:

  • CS 356: Systems Security
  • CS 556: Computer Security
  • CS 656: Advanced Topics in Computer Security

COLLEGE OF BUSINESS:

  • CIS 413: Advanced Networking and Security

DEPARTMENT OF JOURNALISM AND MEDIA COMMUNICATION:

  • JTC 415: Communications Law

DEPARTMENT OF MATHEMATICS:

  • MATH 360: Mathematics of Information Security

STUDENT ORGANIZATIONS:

Additionally, a member of the ACNS security team would be happy to talk to any course instructor about how security issues fit into specific curricular areas.

Policies, Standards, Procedures

IT security practices are specified in policies approved by the ITEC Advisory Council (IAC), updated at least annually and posted at the Office of Policy and Compliance:

Standards and procedures are set and periodically reviewed in consultation with IT governance and advisory groups:

Passwords & Two-Factor Authentication

Authentication is the process of identifying yourself to an application. Credentials used for authentication include a username, which identifies you uniquely, and some sort of an authentication token to prove that you are the person the username refers to. This token is most commonly a password. At CSU, this set of credentials is normally your eID: a name and password.

Two-factor authentication (2FA) is the process of adding an additional piece of information, so that a password alone is not enough to access a protected resource. At CSU, Duo is used to provide a second piece of information via mobile app or hardware token. Duo is gradually being enabled on systems throughout CSU and is required to access the VPN (using both the GlobalProtect desktop agent/client and gateway.colostate.edu), Microsoft 365 applications and email (this includes university email accounts, OneDrive, Teams, Stream, etc.). For more information, please see our Duo: Two Factor Authentication Info and Duo FAQ pages.

Credit Card Security (PCI compliance)

Merchants at Colorado State University that take credit card payments for goods and services are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS), whether conducting e-commerce, mail-order/telephone-order, mobile, or retail transactions.