VPN, CISCO AnyConnect, About VPN Profiles
This page explains the distinctions between the Cisco AnyConnect VPN profiles available during the login process.
Normal use: "SplitTunnel" profile
Most people will ordinarily select the '1_SplitTunnel_(Default)' profile. This sends traffic meant for University computers to the University, and doesn't intervene in your non-University web browsing such as Facebook or Google.
The Office of Privacy and Information Assurance (OPIA) suggests the use of the split tunnel profile from secured networks that you trust, such as home and work networks.
Tunnel All (off-campus online resource use, traveling in countries with restricted network access)
The "3_TunnelAll" profile is used in cases where you need to present a University identity to a third party website, such as the Library's online resource collection. (See Library Resources and the VPN for more information about remote access to the Library's resources.) There are some other services provided to campus based on IP address in addition to those from the Library. Additionally, if you are traveling outside the US and want to reach US servers for services such as Google or Facebook then the Tunnel All profile will send all your data back to campus first, and then out to those services. Researchers accessing NIST data must use either "3_TunnelAll" or "4_TunnelAll_2FA_Duo" in order to be compliant with grant award restrictions.
The Office of Privacy and Information Assurance (OPIA) recommends the use of the Tunnel All profile from untrusted networks, such as unsecured wireless networks, coffee shops, hotels, and other potentially vulnerable networks. This way all of your network traffic is encrypted on the path between your computer and the campus network, helping to protect your data from snooping.
2FA_Duo (IT Pros and Secure Application Access)
See About UI Verify and 2FA for details on the University implementation of Two-factor authentication (2FA). Some campus IT Pros use Duo devices for two-factor authentication, as do some University Applications. If you want to use your Duo device along with the VPN authentication system, select one of the profiles that includes "_2FA" or "Duo" in the name before you start the VPN connection. In the line below your password enter "push", "phone", or "SMS" to tell the VPN how you want Duo to contact you.
Why does the program default to SplitTunnel and not TunnelAll?
Tunnel All is required for library use, but usually slows people’s network connection down for regular Internet use.
Split Tunnel sends traffic for campus IP addresses to campus, but also
lets all their traffic out to the Internet go straight to where it is
going without the overhead of first encrypting it, then sending it to
the university, having it unencrypted, then it
has to go back out to the Internet. Then the response comes back to the
University, get encrypted, and then sent back to their computer where it
has to be unencrypted. That adds time, and the encryption process uses
a lot of CPU power on their computer. It
also sends all the traffic in and out of the University’s Internet
connection (multiple times) that otherwise doesn’t need to be there,
using a moderately expensive resource shared by all of campus.
Because of all the extra steps the data has to take with Tunnel All,
most people have the best experience using the Internet and University
resources at the same time with Split Tunnel.
Split Tunnel does let people connect to classroom servers, just not
Library online resources. Classroom servers have University IP
addresses, so the VPN sends that traffic to campus in either Split
Tunnel or Tunnel All. The Library’s online resources are located
off-campus, and depend on checking your IP address to see if you are
allowed to use them. That means the traffic must come from campus, so
only Tunnel All works.