Sometimes we have cloud-hosted or vendor services (like ArchivesSpace) which restrict parts of the interface to certain IPs, and we'd like to allow access from the VPN (to support our remote staff). In those cases we need to provide our VPN endpoint IPs, along with any other IPs (like application VMs) that will require access.
Unfortunately the VPN IPs often change, and most vendors don't accept FQDNs (fully qualified domain names, e.g. canada-west-princeto.gpogn2y5gg2j.gw.gpcloudservice.com) in place of IP addresses, so we have to resolve the FQDNs and provide the resulting IPs.
All of the VPN endpoints can be found here: https://princeton.service-now.com/service?id=kb_article&sys_id=KB0012390 under "Palo Alto GlobalProtect Cloud Gateways".
Currently, this process does not account for all the possible IPs we may get from Global Protect.
- Copy all the FQDNs from the article above into `services/vpn/ips.txt`, deleting any empty lines or headers which aren't hostnames.
- Run `ruby services/vpn/resolve.rb`
- Copy the output (one IP per line) into a local file.
- Add the entries from the article under the headings `Palo Alto GlobalProtect` and `Palo Alto GlobalProtect Clientless VPN (Portal)`.
- Add the IPs for our application VMs. Find them in LastPass in `Shared-ITIMS-Passwords/PUL-VM-IP-ranges`.
- Add the IPs for any other applications.
  - For pulfalight, add the libnova IP, found in LastPass in `Shared-ITIMS-Passwords/libnova-IP`.
- Send the list to the appropriate people. This should be the complete list of machines that need access.
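As an added illustration of the resolve step (this is example code, not the repository's own `services/vpn/resolve.rb`), the script below filters an `ips.txt`-style file down to lines that look like hostnames, resolves each one, and reports any name that returned no address so that an endpoint is never silently missing from the allowlist. The `rounds:` option re-queries each name several times and unions the answers, since a single lookup may return only a subset of a gateway's addresses; the sample input and the hostnames in it are constructed.

```ruby
require 'resolv'

# A line is treated as an FQDN only if it is a dotted hostname with no spaces;
# headers such as "Palo Alto GlobalProtect Cloud Gateways" and blank lines are dropped.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+\z/i

# Constructed sample of a pasted ips.txt: a header, a blank line, a duplicate
# and a name that does not resolve (example.com names, not real gateways).
SAMPLE_INPUT = <<~TXT
  Palo Alto GlobalProtect Cloud Gateways

  vpn-a.example.com
  vpn-b.example.com
  dead.example.com
  vpn-a.example.com
TXT

# Return the unique hostnames found in the pasted text, in first-seen order.
def extract_fqdns(text)
  text.each_line.map(&:strip).select { |line| line.match?(HOSTNAME_RE) }.uniq
end

# Resolve every hostname `rounds` times and union the answers.
# Returns [unique_ips, hostnames_with_no_answer]. The resolver only needs
# to respond to getaddresses(host), so it can be stubbed for offline tests.
def resolve_all(fqdns, resolver: Resolv::DNS.new, rounds: 1)
  ips = []
  failed = []
  fqdns.each do |host|
    addrs = []
    rounds.times { addrs.concat(resolver.getaddresses(host).map(&:to_s)) }
    addrs.uniq!
    addrs.empty? ? failed << host : ips.concat(addrs)
  end
  [ips.uniq, failed]
end

# Stand-alone use: ruby resolve_example.rb [path/to/ips.txt]
if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || 'services/vpn/ips.txt'
  if File.exist?(path)
    ips, failed = resolve_all(extract_fqdns(File.read(path)), rounds: 3)
    puts ips                                        # one IP per line, for the vendor
    failed.each { |h| warn "WARNING: no address for #{h}; allowlist would be incomplete" }
  else
    warn "no such file: #{path}"
  end
end
```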