The Cisco AnyConnect VPN Client is only for use on VA Government Furnished Equipment (GFE) and is installed on all GFE laptops.
This is currently being tested and access is limited to a small group of internal users. Once this is available to the general VA workforce, an email from OIT will be sent out.
Using the yourIT Self Service, you can now initiate your own 24-hour PIV exemption!
Telework at VA
Telework is governed by VA Handbook 5011/26/31 Part II Chapter 4.
Employees, working with their supervisor, need to determine telework suitability and eligibility. Once determined telework eligible, the employee needs to fill out VA Form 0740 Telework Agreement and the Telework Notification Letter – Employee Eligible to Telework, and complete Talent Management System (TMS) training as follows:
- All managers must complete TMS Course VA1366994: Telework Training Module for Managers.
- All employees requesting telework must complete:
  - TMS Course VA1367006: Telework training module for employees
  - TMS Course VA10176: VA Privacy and Information Security Awareness and Rules of Behavior
  - TMS Course VA10203: Privacy and HIPAA Training
Additional information on telework can be found on the Office of Human Resources Management Telework webpage (only available while on VA's internal network) and OPM’s Telework website.
VA Remote Access
VA Handbook 6500 identifies the compliance requirements for VA remote access users.
VA supports remote access with two different applications: (1) Citrix Access Gateway (CAG) and (2) CISCO RESCUE VPN Client. The Citrix Access Gateway is designed for users that do not have VA Government Furnished Equipment (GFE); CAG is a good option to allow users access to general applications such as email and chat. The CISCO RESCUE VPN Client is only for use on VA Government Furnished Equipment (GFE) and is installed on all GFE laptops. Users still need to request remote access and have their remote access accounts enabled for use with either CAG or RESCUE.
You may request remote access by visiting the Remote Access Self Service Portal (only available while on VA's internal network).
Please note the Self-Service Portal is only accessible from within the VA network; it is not externally accessible. If you require technical support, please reference the FAQs and other supporting documentation found at https://raportal.vpn.va.gov or contact the Enterprise Service Desk (855) 673-4357.
Software, supporting documentation, FAQs and general information are hosted at the VA’s Remote Access Information and Media Portal. Please ensure you have Transport Layer Security (TLS) 1.1 enabled on your web browser before attempting to access this site. To enable TLS within Internet Explorer: Select ‘Tools’, then ‘Internet Options’, then the ‘Advanced’ tab. Enable the checkbox for ‘Use TLS 1.1’ (found towards the end of the list).
How do users or facilities request equipment if they require VPN access?
- Click the “Your IT” icon on your desktop or go to YourIT Services (only available while on the VA’s internal network)
- Click “Make a Request”
- Click “Computer Services” under categories
- Click on “OIT Equipment and Software”
- Complete all required fields.
- Tag the request for COVID in the “Justification” field
If you do not require VPN, use the CAG process.
What is CAG?
CAG stands for Citrix Access Gateway and its purpose is to provide remote access from a personal PC (non-GFE equipment). The Citrix Access Gateway provides access to a virtual desktop and basic applications like email and Skype as well as the most used applications by VA end users. The current CAG URL is https://citrixaccess.va.gov.
How do I access CAG?
VA CAG Remote Access Connectivity Video Walkthrough
Additional software and instructions to connect to VA CAG are available on the Remote Access Portal. Once connected to CAG, if you do not see the applications you require to effectively perform your remote access duties, please contact the Enterprise Service Desk (ESD).
CAG requires 2 Factor Authentication (2FA) by default for all users. The methods supported include PIV, CAC, and MobilePASS. If you need a temporary exemption from using 2 Factor Authentication, please contact the Enterprise Service Desk.
Enterprise Service Desk (ESD)
What is Rescue GFE Virtual Private Network (VPN) and how do I get it?
RESCUE GFE VPN is designed and recommended to be the sole VPN solution for Government Furnished Equipment (GFE) devices. RESCUE GFE provides a security posture check and ensures VA data is encrypted from the end device into the VA trusted network. Before the device connects and is allowed onto the VA trusted network, the system is checked for multiple security baselines.
Once the system has been determined to have met the requirements, an encrypted Secure Sockets Layer (SSL) VPN tunnel from the endpoint to the VA network is established. The user has access to all allocated resources just the same as if they were sitting inside of the VA network. This software is installed on all GFE laptops prior to being provided to the user. Currently RESCUE GFE supports Windows 7, Windows 8, Windows 10 and Mac OS X.
Can I get a VA Router to support GFE VPN?
No, OIT does not have routers to issue to end users in support of end user’s remote access connections. You do not need a VA router in order to access the VA network. You will need Internet access and the Cisco RESCUE Client which is already installed on your GFE in order to access the VA Network.
How do I change the VPN gateway?
By default, Cisco AnyConnect automatically selects VPN servers available to it. There are occasions when that does not work. The instructions below show how users can address VPN disconnects, especially as more users connect remotely over the coming weeks.
- Start Cisco AnyConnect VPN
- If Automatic is selected in the client, click on the gear in the lower left
- In the VPN tab of the settings screen, uncheck Enable automatic server selection. Close the settings.
- You should now have the flexibility of selecting the VPN gateway of your choice
- VPN will stay connected for 23 hours, at which time you will be disconnected. Keep this in mind and reconnect to prevent work interruptions.
- VPN users should stay connected for continuous security patching and updates.
Additional troubleshooting tips
- If you encounter a certificate error, verify that you have a valid PIV card by checking the expiration date
- Try restarting your computer
Where can I get a PIV card reader?
Your local IT support office may have these available. However, PIV card readers may be available from non-IT sources within your facility. Check with your local IT for guidance on the best way to obtain a card reader.
What if I cannot get a PIV Card Reader? What if it does not work on my PC?
If you need a temporary PIV exemption, please contact the Enterprise Service Desk:
- Contact: Enterprise Service Desk (ESD)
- Toll Free Phone Number: 855-673-4357 (TTY: 844-224-6186)
- Visit: YourIT Services (only available while on VA's internal network)
How are PIV card readers distributed?
Today, the distribution of PIV card readers is site-specific. We are discussing the possibility of alternative distribution methods. If distribution processes or procedures change, we will provide updated instructions.
Card readers for personally owned equipment
If you are using CAG on a personally owned device and are not PIV exempt, you will need a reader for your PIV card. If you are buying a reader (available online: Amazon, Best Buy, etc.), it must be a FIPS-compliant, Class 2 type reader. Some common readers include:
- SCR3310 and SCR3500
- ACR39U, ACR39U-N1, ACR39U-UF, ACR39U-H1, and ACR39U-ND from ACS Corp are PocketMate series readers
- OMNIKEY 3021 and OMNIKEY 3021 with Base from HID Global
PIV will work on MacOS (OSX) 10.13 and greater. If you have an older version of the operating system, PIV will not work and you will require a PIV exemption.
Tips for Telework
- Place your router in a central area of your home and elevate it off the floor in an upright position.
- Make sure there are no obstructions around the router, and it’s not near items that may interfere with the WiFi signal, including walls, furniture, metal surfaces, Bluetooth devices, other electronic equipment (e.g., TVs and computers), appliances (e.g., refrigerators and microwaves).
- Check to see if different locations in your house offer better connectivity. If you are connecting via a wireless network and your preferred location has a poor connection, consider purchasing a wireless extender to increase the signal for that area.
- Avoid using unsecured WiFi networks.
- Secure your home WiFi networks with a password.
- VA WiFi and hotspots (often provided by VA OIT as Verizon MiFi devices) are approved WiFi connections.
- Check the highest-level security setting your router and devices will support. If they support WPA2, use that, since it is superior to the WEP protocol. If they do not support it, use WPA, not WEP, since WEP is less secure and can reduce internet speeds.
- If wireless connectivity continues to be problematic and your router provides the ability to connect an ethernet cable, you may want to consider this.
- Your internet company or cable provider allocates a finite block of capacity to each of its customers. As more and more people start to work from home in your neighborhood, overall speeds may decrease. Expect decreased speeds during peak usage times.
- There are various services available to test your internet speeds, and often your internet service provider or cable company will have these tools on their website. If you find that your speeds are slower than you expect, you need to contact your internet service provider.
- Check your provider’s website to see whether there are any local internet outages in your area. If there are, the problem is one beyond your device or connection.
- Maintain relationships with team members and managers through agency-approved tools, such as Skype, Teams, or Slack. Share calendars with team members.
- Make sure your availability status in Skype, Teams, or Slack is accurate. If you can't be disturbed, change your status, but don't use it to be avoided.
- Be mindful of different time zones and working time. Respect free and busy times, even if you are working when others are not.
- When participating in meetings, find a quiet space and join the meeting from somewhere free of loud background noise. When not speaking, remember to mute your phone to minimize background noise.
- Avoid using video features while connected.
- Communicate often. Email, instant messages, and phone are all available to you to communicate. Without being face-to-face, a lot can get lost in translation, so reach out often.
- Make sure you get enough sleep. It’s tempting to stay up late when you’re working from home. Getting enough rest is essential for your health and for your productivity at work.
- Take regular breaks throughout the day. Teleworking can tempt you to work through breaks and lunch, but this isn’t a good practice long term. Your mind and your body need to take breaks to stay productive.
- Web browsers store data from websites that you visit to make revisiting them quicker in the future, and if it gets too large, it can slow your computer down. To clear the cache or change the caching behavior, go to settings or use the help system. Note: If using a GFE or CAG, some browser settings are not available.
- You should have antivirus software installed on your personal computers. Most internet service providers make it available for free to help protect their networks.
- Back up your files and data regularly.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, and shall not be used for advertising or product endorsement purposes.