What is the difference between MFA and VPN?
Multi-factor authentication (MFA) is a security mechanism that verifies a user's identity by requiring multiple credentials. A virtual private network (VPN) establishes an encrypted tunnel for data to be securely transmitted so that remote users can communicate confidentially over a public network (the internet).
In other words, MFA verifies the identity of the user, and VPN sets up a secure way for the user to talk to the Commonwealth network.
What is Multi-factor Authentication (MFA)?
Multi-factor authentication (MFA) is a security mechanism that verifies a user's identity by requiring multiple credentials: something the user knows or has (a password), and something the user doesn’t know or have (a code sent via email, text, call, application, or security token).
Typical examples of multi-factor authentication:
- A user enters a password and a code received via text message
- A user types in a code on their phone after receiving a phone call for authentication
- A user enters a password and a code from an authenticator application
Why do I need MFA?
Passwords are becoming increasingly vulnerable to hacking. In addition, new technology and the reuse of passwords across multiple accounts mean that information online can easily be compromised. MFA is an important part of our efforts to keep the Commonwealth’s information and assets safe and secure, by making it more difficult for attackers to access our systems with login credentials obtained by phishing, guessing, or theft. You must be enrolled in MFA in order to use VPN.
What are my options for setting up MFA?
There are three options available for MFA: text message, smartphone application (Google Authenticator or Microsoft Authenticator), and phone call.
How long should it take me to set up MFA?
It should take approximately 5-10 minutes from start to finish.
Is MFA required in order to use the Commonwealth VPN?
Yes. Click here for more information on MFA, including how to enroll and install.
What is a Virtual Private Network (VPN)?
A Virtual Private Network (VPN) enables remote users to communicate securely and confidentially over a public network (i.e., the internet) with protected resources within the Commonwealth of Massachusetts and its Wide-Area-Network (MAGNET). Remote Access VPN establishes an encrypted tunnel through which all data is securely transmitted, so that remote users can communicate confidentially over that public network.
What Commonwealth tools can be accessed without a VPN connection?
Why would I need a VPN connection?
A VPN connection is required in order to access certain Commonwealth applications and services while you are not connected to the Commonwealth network. Users may require a VPN connection in order to access the MMARS application, network or group shares, or other Commonwealth applications or services that are not publicly accessible. IT application support staff, developers, and/or other IT personnel/administrators may require a VPN connection to access services that reside in the Commonwealth datacenter.
How do I know if I am using a VPN to connect to Commonwealth applications and services?
Anyone who needs a VPN connection to access Commonwealth applications and services will already have a version of the Pulse Secure client installed on their laptop. Those users need to initiate the Pulse Secure VPN client before they are able to access Commonwealth applications and services.
How do I know if I am using the Verizon VPN client or the Commonwealth VPN client?
Section 2 of the instructions provided below describes how you can tell if the Verizon VPN client is installed on your PC. Basically, if the Verizon VPN client is installed on your PC, you will see “Pulse Secure 5.1” in the list of Apps and Features. The Commonwealth VPN client is version 9.1.xxx.
Instructions can be found here.
What do I do if I am still using the Verizon VPN client?
If you are currently using the Verizon VPN client, you must set up the Commonwealth VPN client by June 30, 2020. After June 30, 2020, you will no longer be able to connect to Commonwealth applications and services using the Verizon VPN platform.
If you are already using the Commonwealth VPN client, no action needs to be taken.
If you are currently using the Verizon VPN platform, your account has already been migrated and you must complete the process by installing the Commonwealth VPN client.
If you are using a Commonwealth-issued device, you will complete the installation via Software Center. Instructions can be found here.
If you are using a Commonwealth-issued device but you do NOT have/are unable to find Software Center, please reach out to the EOTSS End User Service Desk for assistance.
All other devices:
If you are using a personal or “BYOD” device, please follow the instructions found in the Mass Telework Knowledge Base:
How do I use the Commonwealth VPN client?
First time using Commonwealth VPN? Click here for more information on how to use the Commonwealth VPN platform, including how to log in, best practices and limitations.
Is the Commonwealth VPN client available for Windows 7 PCs?
Only if the device is Commonwealth-issued. Personal and “BYOD” devices must be running either Windows 10 or Mac OS 10.14 (Mojave) or 10.15 (Catalina). Click the link above for more information on personal and “BYOD” device requirements.
I’m a non-Commonwealth employee. Why does my wifi disconnect when I am using the Commonwealth VPN?
It doesn’t – it just looks that way! For security reasons, non-Commonwealth employees using the Commonwealth VPN are not allowed to access the internet while connected to the Commonwealth VPN – this is why your PC shows as disconnected while using VPN. However, your PC is still connected to wifi – your PC needs an internet connection in order to initiate and maintain a VPN tunnel back to the Commonwealth network. You should disconnect from the Commonwealth VPN if you need to access internet-based applications and services; you may reconnect once you are ready to access the Commonwealth network.
I do not see a designated employee group for my Secretariat/Agency. Do I need one?
Not necessarily. Unless you have a user or group of users whose needs are not met through the general employee group, your users should be added to the general employee VPN group.
The error "Unable to launch application..." pops up when trying to open Pulse. What does this mean?
"Unable to launch application – You do not have access to this application or this application has been removed."
This means one of two things: either Pulse is attempting to log in with bad stored credentials (when this happens, you are NOT prompted to enter login information), or you do not have the correct VPN Role assigned to your account in the iDaptive/Centrify admin portal.
The section “COMMON ERRORS and how to troubleshoot” of the instructions provided below describes how you can troubleshoot. Basically, open Internet Explorer and navigate to the “General” tab under Tools -> Internet options. Click “Delete” under browser history, uncheck “Preserve Favorites website data”, then click “Delete”. Close all internet browsers and the Pulse Secure client. You should now be prompted to log in when you open Pulse Secure.
If clearing your browsing history does not work, please reach out to the EOTSS End User Service Desk to resolve this issue.
Instructions can be found here.