Navigation auf uzh.ch

Suche

Central IT

FAQ

1.) Download VPN client


Q: Where can I download the VPN client manually (separately)?


A: You can download the VPN client from our Sharepoint page.

Hints:

  • For managed laptops, the application is updated automatically by the Central IT (ZI) software distribution.
  • If you receive a prompt to update the client when you log in to Ivanti on your BYOD device (bring your own device), please follow this prompt..
  • The update for mobile devices (iOS, Android) is carried out via the manufacturer's app store.

2.) macOS: «Please enter valid ICS URL.»


Q:  What does the message «Please enter valid ICS URL» mean?


A: Depending on the internet provider, there may be problems with IPv6 in the home office. The following error message appears in the open 'Ivanti Secure Access Client': «… Please enter valid ICS URL.»

Solution for devices managed by Central IT (Software Center available):

macOS: Install the 'IPv6 deaktivieren' app via the Software Center. You can undo this adjustment with the 'IPv6 aktivieren' app.

Solution for all other devices (private devices):

macOS: In the OSX system settings, please change the IPv6 setting value for the corresponding connection type (i.e Wi-Fi) from 'Automatic' to 'Manual' or 'Link local only'.

  • 'Network' > 'Wi-Fi' > 'Details' (for the corresponding connection) > 'TCP/IP' > 'Configure IPv6'.

Depending on the operating system version, the button names may be different. See also ...
Change TCP/IP settings on the Mac.

3.) macOS: Access to certain websites (e.g. journals) does not work.


Q: Why do I get a message on certain websites that my IP address is not authorized for use?


A: The browser-based and platform-independent solutionEZproxy  can be used as an immediate solution / alternative (instructions  (in german) (PDF, 1 MB)). This enables access to e-resources as well as a connection via VPN / from the UZH network.

Generally, Apple devices (macOS) have a function for hiding IP addresses when surfing via the Safari browser. This 'Private Relay' function must be deactivated for website access.

  •  'Settings' > [your name] (profile) > 'iCloud' > 'Private relay' switch

To prevent visited websites from viewing user data (operating system, location, websites visited), Apple has invented the iCloud Private Relay data protection service. All iCloud+ subscribers can use it to encrypt data traffic via Safari and hide their IP address. In countries where Private Relay is (not) available, it is automatically (de)activated. See also ...

Protect your web browsing with iCloud Private Relay on iPhone

For those interested:

About iCloud Private Relay

Manage iCloud Private Relay for specific websites, networks, or system settings

Notes:

  • Private Relay is a service for Apple devices only.
  • It only works with the Safari browser.
  • If you accept cookies, you can still be tracked.

4.) Students: Access to e-resources (databases, e-journals) not possible with iPhones/iPads (iOS/iPadOS).


F:  Why can't I access e-resources via my iPhone/iPad?


A: Due to a limitation within these Apple operationg systems, the routing for URLs (Internet addresses) does not work correctly in combination with Ivanti VPN. This has the following consequences for access to e-resources:

  • Access with iOS/iPadOS devices via Ivanti VPN is not possible for students. As an alternative, the browser-based and platform-independent solution EZproxy can be used (instructions (german) (PDF, 1 MB) ). This enables access to e-resources as well as a connection via VPN / from the UZH network.
  • For UZH employees, access via iOS/iPadOS is normally possible, as different VPN profiles are used for this group of people. If a person is both enrolled and employed at UZH, the employment is weighted more heavily in terms of information technology, so that the person falls under "UZH employees".

5.) Access to e-resources (journals, databases) not possible due to 'privacy' browser settings.


Q:  Why am I NOT on the network required for access?


A: If you receive a message when accessing an e-resource, despite an active VPN connection, that you are not in the network required for access, check in your browser settings whether you have deactivated the setting for "DNS via HTTPS":

  • Firefox: Settings > 'General' tab > 'Network Settings' section > 'Settings' button > 'Enable DNS over HTTPS' checkbox.
    (For certain versions and operating systems it can be found under: Preferences > 'Privacy & Security' tab > 'DNS over HTTPS' section > 'Off' option.)
  • Edge: Settings > 'Privacy, search and services' tab > 'Security' section > 'Use secure DNS to specify how to lookup the network address for websites' switch.
  • Chrome: Settings > 'Privacy and security' tab > Security > 'Advanced' section > 'Encrypt the names of sites you visit' switch.

This setting is deactivated by default on managed devices. This function is not available everywhere (e.g. on mobile devices).

For those interested in (Firefox):

Connection settings in Firefox
Firefox DNS-over-HTTPS
Configure DNS over HTTPS protection levels in Firefox

6.) Windows: No Internet after activating the VPN connection


Q: Why does the message "No Internet, secured" appear on my Wi-Fi after activating the Ivanti VPN connection?

A: Please check the following three points:

  • If it is active, please deactivate the following checkbox in the Wi-Fi connection properties (you may need admin rights for this):
         -> 'Internet Protocol, Version 6 (TCP/IPv6)'
    (Windows settings > sections 'Network & Internet' > 'Wi-Fi' > 'Related settings' : 'Change adapter options' > select active Wi-Fi connection > context menu command 'Properties' > 'Network' tab')
  • Is it the same with other browsers?
  • Does the relevant Wi-Fi (SSID) appear in the Windows settings ('Network & Internet' > 'Wi-Fi') under 'Manage known networks'? If not, please add the network there again.

7.) Linux (Suse): Ivanti VPN client installation guide


Q: Does Ivanti Secure Access Client also run on Suse Linux / openSuse?


A: According to feedback from a user, it works. The following steps are required as a minimum (as 'root'):

  • > zypper in libgtkmm-3_0-1 libbsd0 mozilla-nss-tools libcurl4 libwebkit2gtk-4_0-37       (the package requirements don't match SuSE package names)
  • > rpm -Uhv --nodeps Ivanti_Secure_Access_x86_64.rpm       (--nodeps because the required package names are wrong)
  • > /opt/pulsesecure/bin/setup_cef.sh install -tmpDirPath /tmp       (to install chromium embedded browser, if installation by the GUI fails/hangs)
  • Then start pulseUI or the commandline equivalent       (default location is: /opt/pulsesecure/bin/pulseUI)
    > /opt/pulsesecure/bin/pulseUI &

8.) Linux (Ubuntu): «'cef' is not installed on this machine.»


Q: What means «Chromium embedded browser (cef) is not installed on this machine.»?

A: The Ivanti VPN client would like to open a website within its application (for user authentication) and requires the browser runtime environment (framework) 'Chromium embedded framework'. If the 'cef' installation fails, try to install the framework manually as described in the following links:

If you encounter problems, please try again and enter the path information in the Ivanti script in the 'absolute notation' used by Ubuntu (the absolute notation of a file path can be determined with the 'realpath' command.)

Example:

DF=/usr/bin/df   should be corrected with one of the following variants:

1.) DF=df ,  2.) DF=/bin/df  ,  3.) DF=$(which df)

The third variant is recommended because it is also suitable for other Linux distributions as long as the 'which' command is available.

This suggested solution with the fixed version of the script (see setup_cef.pdf (PDF, 270 KB) ) was kindly provided to us by a user and is without any guarantee.

9.) Linux (Ubuntu): Login to the VPN portal


Q: Why can't I log in to the VPN portal?

A: To log in to the VPN portal, please enter the server address remoteaccess.uzh.ch/vpn without the protocol name https://

10.) Linux (Debian): No Ivanti tunneling to NUZ


Q: Why does the traffic to the NUZ not go through the tunnel, despite the VPN connection?

A: If, on Debian-based Linux computers (e.g. version 12, codename 'bookworm'), the traffic to the network of the University of Zurich (NUZ) does not go through the tunnel despite an existing VPN connection, it is possible that the default route via the network interface card (NIC) enp0s3 has the better metric (connection quality) (metric '0') than the one via the Ivanti Tunnel Interface tun0 (metric '1'). (The higher the value, the worse the metric.)

Solution: Override metric by setting worse than 1.

See also Changing the Network Routing Metric Permanently

11.) Linux (MX): Pulse Secure only with 'systemd' as Init Manager


Q: Why can't I create a connection?

A: On the Linux distribution 'MX' please use the initialization process systemd.

See also ...

Supported Linux versions (Debian, Ubuntu, CentOS, Fedora, RHEL)
Debian user manual (systemd: set as default)
MX user manual (systemd: not default, Debian packages can be used)