Setting up GlobalProtect VPN on Windows

There are several steps to setting up GlobalProtect at Aber, and they need to be done in different locations (i.e. some steps can only be done from on the campus network and some can only be done from off it. While the IS pages give all the information needed, they’re not laid out in a particularly friendly way and it’s all too easy to miss essential steps in the setup. This page tries to give the basics. Don’t fret about how long the page is - it doesn’t take too long to work through!

• Step 1: Two Factor Authentication
• Step 2: GlobalProtect VPN
  • Connecting to the VPN from outside the campus network

Step 1: Two Factor Authentication

The VPN requires not just your username and password, but also a one time passcode (OTP) - a six digit number that changes every 30 seconds. You need to set this up from on campus - it can’t be done from home.

While you might think you’ve already done this for Office365 a couple of months back, the VPN uses a different OTP code. The numbers generated for one are incompatible with the other.

The relevant IS FAQ page for this step is here, but I’ll describe the basics below.

You need an app on your phone, tablet or computer in order to generate the codes.

Since you need to setup your OTP codes whilst on campus, using the Windows application pretty much means you will have to bring your home machine into work and connect it to eduroam (there are hacky ways around this, but they make things much more difficult).

For this reason, if you have an Android or Apple phone/tablet, I’d strongly recommend using the phone/tablet app rather than the Windows software.

• On phone/tablet, install either Google Authenticator or Microsoft Authenticator. Either will work - personally, I prefer Google Authenticator as it’s simpler.
  N.B. The links are for the Android apps - on Apple, please search the app store.

• If you don’t have/want to use a phone/tablet, you’ll need the Windows application instead. You need to install WinAuth. Download the Zip file, double click to open it and drag the program onto your desktop on the computer you intend to use at home.

The next step, which must be done from on campus, is to visit https://mfa.aber.ac.uk/ to create an OTP token for use in the app. Log into the website and click “Enroll Token” in the left hand box. On the next page, enter “VPN” (or whatever you like) into the description and click the “Enroll Token” button underneath the description. The next page will show you a QR Code. What you do next will depend on the app you installed above:

• Google Authenticator
  Open the app on your phone. If you’ve never run it before, you might get presented with some introductory questions. You can skip all of those. When you get to the “Add an account” page, click on “Scan a barcode”. You may then be asked to allow the app to take pictures. Click “Allow”. Point your phone camera at the QR code on the screen until the app has managed to read it. Once that’s done, Google Authenticator will start showing you six digit OTP codes.

• Microsoft Authenticator
  Open the app on your phone. If you’ve never run it before, you might get presented with some introductory questions. You can skip all of those. When you get to the “Accounts” page, click on Add Account. Then click on “Other account”. You may then be asked to allow the app to take pictures. Click “Allow”. Point your phone camera at the QR code on the screen until the app has managed to read it. Once that’s done, Microsoft Authenticator will start showing you six digit OTP codes.

• WinAuth
  Right click on the QR code and select “Copy Image Location” or “Copy image address” (Firefox or Chrome respectively. I can’t see an option for this in Microsoft Edge!). Open the WinAuth application (you previously saved it to your desktop) and click “Add”, then select “Authenticator” from the dropdown. Right click on the text box next to the “Decode” button and select “paste”. Enter a descriptive name (e.g. Aber VPN) into the “Name” box. Then click “Verify Authenticator”. The app should then show you a six digit code. Press “OK”. After a short pause, WinAuth will then give you the option of protecting the code. It’s up to you whether you password protect it. If you don’t feel the need, untick the “Protect with my own password” box and click “OK”. WinAuth will then show you your current OTP code in a small window. You can close WinAuth for now.

Don’t note your OTP code down or try to remember it - it changes every 30 seconds!

Step 2: GlobalProtect VPN

You should install the VPN software on the computer you’re intending to use at home.

The relevant IS FAQ page for this step is here, but, again, here’s my version of it!

While you can install the software while your home computer is on campus, you cannot use the VPN from within the Aber network (eduroam wireless or the wired network) and, if you try, you’ll get connection errors. If you have a phone with “hotspot” capabilities, you could connect your computer to that to test via the mobile network, but I’ll leave it to you to figure that one out!

The software is very easy to install. Download and run it from here. Click “Yes” or “Next” at every prompt and “Close” once it says it’s installed.

Connecting to the VPN from outside the campus network

You should now have a small, grey circular icon in your system tray area:

Click on it. The first time you do this, you will be asked for your “portal address”. Enter pa-vpn.aber.ac.uk and click “Connect”. If you get an error at this stage, check that you are connected to a working WiFi/wired/4G network. Note again that this will not work from Aber’s eduroam network.

You should then be prompted for your username and password. These should be your Aber username and password. The username should not contain the “@aber.ac.uk” part (e.g. use auj rather than auj@aber.ac.uk).

The next prompt will ask you for your OTP code. This is the six digit number from the Authenticator app or the WinAuth software that you used earlier. Start whichever app you chose and enter the number it shows. The number is nominally valid for 30 seconds, but you’re given a bit of leeway, so don’t worry if you overrun the time a bit.

Once you’ve entered the code, the VPN should connect and the grey icon in the system tray should turn blue & green, at which point you’ll realise it’s supposed to be an icon of the Earth!

Congratulations, you should now have a working VPN connection and should be able to access ABW and other Aber-only web pages!

If you now want to enable remote access to Windows on your work PC, please see this page.