ITS has been in the process of transitioning our VPN service from our legacy Pulse Secure to our new Cisco AnyConnect. We elected to move to industry-leading AnyConnect because its infrastructure would better scale to meet the University’s growing needs. A key difference between our old service and the new service is that we configured AnyConnect as split-tunnel, which directs only traffic destined for UConn through the encrypted VPN and all other to the Internet. This configuration gives our community full access to protected university resources while allowing optimal performance for externally hosted streaming and videoconferencing services. While beneficial in most cases and consistent with industry best practice, the split-tunnel configuration did affect applications that were reliant upon a full tunnel configuration. The most prevalent example was bookmarked access to journal articles from offsite locations by those accustomed to using the VPN and not the Library’s EZProxy service.
While we worked through these issues, we continued to offer Pulse Secure to our community, but the equipment associated with it must ultimately be retired. We will be providing a full tunnel on AnyConnect on an individual basis where needed. With a full tunnel, all traffic passes through the encrypted tunnel and appears to come from UConn to external providers. The trade-off with any full tunnel use is that performance is degraded on network sensitive applications, like Teams and Webex, because traffic must traverse through UConn to get to and from these externally hosted sites. Also, because all Internet connectivity and data is transferred through UConn, it is subject to institutional practices and policies regarding use, analysis, and retention. Additional details will be provided in follow-up communications.
With this solution established, we are now tentatively planning to decommission Pulse Secure by the end of October.