Telework at VA
Telework is governed by VA Handbook 5011/26/31 Part II Chapter 4.
Employees, working with their supervisor, need to determine telework suitability and eligibility. Once determined to be telework eligible, the employee needs to fill out VA Form 0740 Telework Agreement and the Telework Notification Letter – Employee Eligible to Telework, and complete Talent Management System (TMS) training as follows:
- All managers must complete TMS Course VA1366994 — Telework Training Module for Managers.
- All employees requesting telework must complete:
  - TMS Course VA1367006—Telework training module for employees
  - TMS Course VA10176—VA Privacy and Information Security Awareness and Rules of Behavior
  - TMS Course VA10203 Privacy and HIPAA Training
Additional information on telework can be found on the Office of Human Resources Management Telework webpage (only available while on VA's internal network) and OPM’s Telework website.
VA Remote Access
VA Handbook 6500 identifies the compliance requirements for VA remote access users.
VA supports remote access with two different applications: (1) Citrix Access Gateway (CAG) and (2) the CISCO RESCUE VPN Client. The Citrix Access Gateway is designed for users that do not have VA Government Furnished Equipment (GFE); it is a good option to allow users access to general applications such as email and chat. The CISCO RESCUE VPN Client is only for use on VA Government Furnished Equipment (GFE) and is installed on all GFE laptops. Users still need to request remote access and have their remote access accounts enabled for use with either CAG or RESCUE.
You may request remote access by visiting the Remote Access Self Service Portal (only available while on VA's internal network).
Please note the Self-Service Portal is only accessible from within the VA network; it is not externally accessible. If you require technical support, please reference the FAQs and other supporting documentation found at https://raportal.vpn.va.gov or contact the Enterprise Service Desk at (855) 673-4357.
Software, supporting documentation, FAQs and general information are hosted at the VA’s Remote Access Information and Media Portal. Please ensure you have Transport Layer Security (TLS) 1.1 enabled on your web browser before attempting to access this site. To enable TLS within Internet Explorer: Select ‘Tools’, then ‘Internet Options’, then the ‘Advanced’ tab. Enable the checkbox for ‘Use TLS 1.1’ (found towards the end of the list).
How do users or facilities request equipment if they require VPN access?
- Click the “Your IT” icon on your desktop or go to YourIT Services (only available while on the VA’s internal network)
- Click “Make a Request”
- Click “Computer Services” under categories
- Click on “OIT Equipment and Software”
- Complete all required fields.
- Tag the request for COVID in the “Justification” field
If you do not require VPN, use the CAG process.
What is CAG?
CAG stands for Citrix Access Gateway, and its purpose is to provide remote access from a personal PC (non-GFE equipment). The Citrix Access Gateway provides access to a virtual desktop and basic applications like email and Skype, as well as the applications most used by VA end users. The current CAG URL is https://citrixaccess.va.gov.
How do I access CAG?
Quick Start: Windows | MacOS
VA CAG Remote Access Connectivity Video Walkthrough
Additional software and instructions to connect to VA CAG are available on the Remote Access Portal. Once connected to CAG, if you do not see the applications you require to effectively perform your remote access duties, please contact the Enterprise Service Desk (ESD).
CAG requires 2 Factor Authentication (2FA) by default for all users. The methods supported include PIV, CAC, and MobilePASS. If you need a temporary exemption from using 2 Factor Authentication, please contact the Enterprise Service Desk.
Enterprise Service Desk (ESD)
What is Rescue GFE Virtual Private Network (VPN) and how do I get it?
RESCUE GFE is designed and recommended to be the sole VPN solution for Government Furnished Equipment (GFE) devices. It provides a security posture check and ensures VA data is encrypted from the end device into the VA trusted network. Before the device connects and is allowed onto the VA trusted network, the system is checked against multiple security baselines.
Once the system has been determined to have met the requirements, an encrypted Secure Sockets Layer (SSL) VPN tunnel from the endpoint to the VA network is established. The user then has access to all allocated resources, just the same as if they were sitting inside of the VA network. This software is installed on all GFE laptops prior to being provided to the user. Currently RESCUE GFE supports Windows 7, Windows 8, Windows 10 and Mac OS X.
Can I get a VA Router to support GFE VPN?
No, OIT does not have routers to issue to end users in support of end users’ remote access connections. You do not need a VA router in order to access the VA network. You will need Internet access and the Cisco RESCUE Client, which is already installed on your GFE, in order to access the VA network.
How do I change the VPN gateway?
By default, Cisco AnyConnect automatically selects from the VPN servers available to it. There are occasions when that does not work. The instructions below show how users can address VPN disconnects, especially as more users connect remotely over the coming weeks.
- Start Cisco AnyConnect VPN
- If Automatic is selected in the client, click on the gear in the lower left
- In the VPN tab of the settings screen, uncheck Enable automatic server selection. Close the settings.
- You should now have the flexibility of selecting the VPN gateway of your choice
- VPN will stay connected for 23 hours, at which time you will be disconnected. Keep this in mind and reconnect to prevent work interruptions.
- VPN users should stay connected for continuous security patching and updates.
Where can I get a PIV card reader?
Your local IT support office may have these available. However, PIV card readers may be available from non-IT sources within your facility. Check with your local IT for guidance on the best way to obtain a card reader.
What if I cannot get a PIV Card Reader? What if it does not work on my PC?
If you need a temporary PIV exemption, please contact the Enterprise Service Desk:
- Contact: Enterprise Service Desk (ESD)
- Toll Free Phone Number: 855-673-4357 (TTY: 844-224-6186)
- Visit: YourIT Services (only available while on VA's internal network)
How are PIV card readers distributed?
Today, the distribution of PIV card readers is site-specific. We are discussing the possibility of alternative distribution methods. If distribution processes or procedures change, we will provide updated instructions.
Card readers for personally owned equipment
If you are using CAG on a personally owned device and are not PIV exempt, you will need a reader for your PIV card. If you are buying a reader (available online: Amazon, Best Buy, etc.), it must be a FIPS-compliant, Class 2 type reader. Some common readers include:
- SCR3310 and SCR3500
- ACR39U, ACR39U-N1, ACR39U-UF, ACR39U-H1, and ACR39U-ND (PocketMate series readers) from ACS Corp
- OMNIKEY 3021 and OMNIKEY 3021 with Base from HID Global
PIV will work on MacOS (OSX) 10.13 and greater. If you have an older version of the operating system, PIV will not work and you will require a PIV exemption.