How To Add Additional VPN Endpoints
Connect to the Netflix Global Login, which ensures your VPN client is geolocated to the closest gateway. Connecting directly to a specific gateway removes redundancy if that gateway fails.
These endpoints can be added to all supported VPN proxy clients. When adding an additional endpoint, choose the one closest to your physical location. Each endpoint’s path has a specific use:
- emp: Reserved for full-time employees and contractors with a Netflix email account.
  - Note: If you need full-tunnel access, add your account to the vpn-full-tunnel Google Group. For LAN access, request membership to the vpn-lla Google Group.
    - Full-tunnel access routes all of your web traffic through the VPN.
    - LAN access allows you to connect to other devices, like printers, that are using the same network.
- contractors: Reserved for contingent workers.
  - Note: For full-tunnel access, request membership to the vpn-full-tunnel Google Group. For LAN access, request membership to the vpn-lla Google Group.
- *-split: Indicates an endpoint using a split tunnel connection.
  - Split tunnels only route specific web traffic through the VPN. Choose which apps to secure via VPN, and which apps run on an open network.
- nas: Reserved for employees with a Netflix Animation email account.
  - The default endpoint for Netflix Animation is https://studio.pcs.flxvpn.net/anim
- hrc: Reserved for full-time employees and contingent workers with a Netflix email account connecting from a high-risk country. Netflix internal applications can’t be accessed while using this endpoint. For authentication, use your Active Directory credentials.
Endpoint Servers and Locations
| Location | Purpose | Login URL |
| Global | Global login for Netflix Full-Time Employees (FTEs) | https://pcs.flxvpn.net/emp |
| Global | Global login for Netflix FTEs with dedicated split-tunnel profile | https://pcs.flxvpn.net/emp-split |
| Global | Global login for Netflix contingent workers | https://pcs.flxvpn.net/contractors |
| Global | Global login for Netflix contingent workers with dedicated split-tunnel profile | https://pcs.flxvpn.net/contractors-split |
Animation
| Location | Type | Name | Login URL |
| Global | Policy Secure (UAC) | Animation w/ split tunnel | https://studio.pcs.flxvpn.net/anim |
| Global | Policy Secure (UAC) | Animation w/ full tunnel | https://studio.pcs.flxvpn.net/anim-full |
| LAX009 | Policy Secure (UAC) | Animation w/ split tunnel | https://lax009.pcs.flxvpn.net/anim |
| LAX009 | Policy Secure (UAC) | Animation w/ full tunnel | https://lax009.pcs.flxvpn.net/anim-full |
| NYC005 | Policy Secure (UAC) | Animation w/ split tunnel | https://nyc005.pcs.flxvpn.net/anim |
| NYC005 | Policy Secure (UAC) | Animation w/ full tunnel | https://nyc005.pcs.flxvpn.net/anim-full |
| WAS001 | Policy Secure (UAC) | Animation w/ split tunnel | https://was001.pcs.flxvpn.net/anim |
| WAS001 | Policy Secure (UAC) | Animation w/ full tunnel | https://was001.pcs.flxvpn.net/anim-full |
Contingent Workers
| Location | Purpose | Login URL |
| Los Angeles, CA (LAX009) | For UCAN contingent workers | http://lax009.pcs.flxvpn.net/contractors |
| San Jose, CA (SJC005) | For UCAN contingent workers | http://sjc005.pcs.flxvpn.net/contractors |
| New York, NY | For UCAN contingent workers | https://nyc005.pcs.flxvpn.net/contractors |
| Washington, DC | For UCAN contingent workers | https://was001.pcs.flxvpn.net/contractors |
| Singapore | For APAC contingent workers | https://sin001.pcs.flxvpn.net/contractors |
| Amsterdam | For EMEA contingent workers | https://ams001.pcs.flxvpn.net/contractors |
| London | For EMEA contingent workers | https://lhr005.pcs.flxvpn.net/contractors |
APAC (FTEs)
| Location | Purpose | Login URL |
| Singapore | Site-specific login for Netflix FTEs | https://sin001.pcs.flxvpn.net/emp |
| Singapore | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://sin001.pcs.flxvpn.net/emp-split |
EMEA (FTEs)
| Location | Purpose | Login URL |
| Amsterdam, The Netherlands | Site-specific login for Netflix FTEs | https://ams001.pcs.flxvpn.net/emp |
| Amsterdam, The Netherlands | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://ams001.pcs.flxvpn.net/emp-split |
| Slough, Berkshire, United Kingdom | Site-specific login for Netflix FTEs | https://lhr005.pcs.flxvpn.net/emp |
| Slough, Berkshire, United Kingdom | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://lhr005.pcs.flxvpn.net/emp-split |
UCAN (FTEs)
| Location | Purpose | Login URL |
| San Jose, CA (SJC005) | Site-specific login for Netflix FTEs | https://sjc005.pcs.flxvpn.net/emp |
| San Jose, CA (SJC005) | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://sjc005.pcs.flxvpn.net/emp-split |
| Los Angeles, CA (LAX009) | Site-specific login for Netflix FTEs | https://lax009.pcs.flxvpn.net/emp |
| Los Angeles, CA (LAX009) | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://lax009.pcs.flxvpn.net/emp-split |
| Washington, DC | Site-specific login for Netflix FTEs | https://was001.pcs.flxvpn.net/emp |
| Washington, DC | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://was001.pcs.flxvpn.net/emp-split |
| New York, NY | Site-specific login for Netflix FTEs | https://nyc005.pcs.flxvpn.net/emp |
| New York, NY | Site-specific login for Netflix FTEs, dedicated split tunnel profile | https://nyc005.pcs.flxvpn.net/emp-split |
Emergency Endpoints (FTEs)
In case of emergency (ICE) endpoints are used when Meechum has a service interruption. Use them sparingly. Before adding an ICE endpoint, reach out to askntech@netflix.com or #ntech-help in Slack to be added to gssg-app-icevpn@netflix.com.
| Location | Purpose | Login URL |
| Global | Global login for Netflix FTEs | https://pcs.flxvpn.net/ice |
| San Jose, CA (SJC005) | Site-specific login for Netflix FTEs | https://sjc005.pcs.flxvpn.net/ice |
| Los Angeles, CA (LAX009) | Site-specific login for Netflix FTEs | https://lax009.pcs.flxvpn.net/ice |
| Washington, DC | Site-specific login for Netflix FTEs | https://was001.pcs.flxvpn.net/ice |
| New York, NY | Site-specific login for Netflix FTEs | https://nyc005.pcs.flxvpn.net/ice |
| Amsterdam, The Netherlands | Site-specific login for Netflix FTEs | https://ams001.pcs.flxvpn.net/ice |
| Slough, Berkshire, United Kingdom | Site-specific login for Netflix FTEs | https://lhr005.pcs.flxvpn.net/ice |
| Singapore | Site-specific login for Netflix FTEs | https://sin001.pcs.flxvpn.net/ice |
Add additional Endpoints
- Open Ivanti Secure Access.
- Select the + icon next to Connections on Windows, Ubuntu, ChromeOS, and mobile or at the bottom-left corner on macOS.
- In the Name field, enter a name for the connection.
- In the Server URL field, enter the URL for the endpoint.
- Select Add.
- Select Connect next to the newly added endpoint.
| Agent facing Article |
Troubleshoot VPN Connection or Access Issues
This guide provides a structured workflow to troubleshoot and resolve the most common issues with the Netflix VPN. Following these steps will help you quickly categorize a user's problem and apply the correct fix.
Quick Triage with the Decision Tree
Start by obtaining information about the user’s hardware and network connections by using tools like go.netflix.com/oomnitza and VPN and Wi-Fi Metrics Installation for macOS and Windows to determine which troubleshooting path to follow.
- What is the OS version? If not up-to-date, guide the user to update their operating system (found in Oomnitza).
- What is the user’s location (home or public Wi-Fi)? (Potentially found in Oomnitza)
- What is the Ivanti client version? (Use VPN Metrics.)
  - In the Ivanti Secure Access Client, confirm the current endpoint and connection status.
- Verify the time and date of the laptop are accurate.
  - Navigate to Settings, Time & Language, Date & Time.
  - In the Date & Time window, verify Set Time Automatically is On.
- What is the current uptime? (Ask user.)
- If the status is Disconnected or it fails during connection with an error, go to the Fixing Connection and Authentication Failures section of this article.
- If the status is Connected, but the user cannot access websites or internal tools, go to the Fixing “Connected but No Access” Errors section of this article.
- If they report the client is crashing, or their computer becomes very slow when connected, go to the Investigating Performance and Client Issues section of this article.
Fixing Connection and Authentication Failures
Use these steps when the Ivanti client will not establish a successful connection.
Check Basic Internet Connectivity (Get Network Diagnostics Logs for Windows and macOS)
The VPN requires a working internet connection. Ask them to open a web browser and navigate to a public site like netflix.com. If they cannot, they must resolve their local internet issue first.
If they have an internet connection, run a quick network path test from their machine:
- On macOS: Open Terminal and run ping -c 10 pcs.flxvpn.net
- On Windows: Open Command Prompt and run ping pcs.flxvpn.net -n 10
If this test fails, run these commands to test the Domain Name System (DNS):
- On macOS: Open Terminal and run ping -c 10 8.8.8.8
- On Windows: Open Command Prompt and run ping 8.8.8.8 -n 10
If these steps fail here, go to the Troubleshoot DNS section of this article.
Check Authentication
Authentication failures are common and often simple to fix.
- Confirm the user is entering their intended Okta credentials.
- If the user is still on Duo Mobile, ask them to select the option Send Duo Push.
- Have them attempt a password reset if they are unsure.
- Confirm their MFA method is working correctly and they are approving the prompt.
- Check for any known Okta or SSO (Single Sign On) outages.
Fixing “Connected but No Access” Errors
Use these steps when the client shows "Connected" but network resources are unreachable.
Troubleshoot DNS
A Domain Name System (DNS) issue is the most common cause of this problem. Flushing the device's DNS cache forces it to get fresh records.
- On macOS:
  - Open Terminal.
  - Run the command: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
- On Windows:
  - Open Command Prompt as an Administrator.
  - Run the command: ipconfig /flushdns
After flushing, test name resolution by running nslookup <internal_resource> (for example, nslookup jira.prod.netflix.net).
Troubleshoot Routing
Verify the user’s computer is sending traffic through the VPN tunnel.
- On macOS: Open Terminal and run netstat -nr | grep utun
- On Windows: Open Command Prompt and run route print
The output should show routes for internal Netflix networks pointing to the VPN interface.
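On macOS, `grep utun` alone can match system-created utun interfaces that carry only IPv6 link-local routes, even when the VPN is disconnected. The following added example (not part of the original article) reads only the IPv4 table and reports whether the routes look like no VPN, split tunnel, or full tunnel; the sample outputs, `10/8` and `utun4` are constructed placeholders, not real Netflix values.

```shell
#!/bin/sh
# Added example: classify the IPv4 routes in macOS `netstat -nr` output.
# On a Mac: netstat -nr | classify_vpn_routes

# Reads `netstat -nr` text on stdin; prints full-tunnel, split-tunnel or
# no-vpn-routes.
classify_vpn_routes() {
  awk '
    /^Internet6:/ { v4 = 0; next }   # IPv6 table: ignored
    /^Internet:/  { v4 = 1; next }   # IPv4 table starts here
    # macOS columns: Destination Gateway Flags Netif [Expire]
    v4 && $4 ~ /^utun[0-9]+$/ {
      routes++
      # Flag "I" marks an interface-scoped route; only an unscoped default
      # route carries all traffic, which is what full tunnel means.
      if ($1 == "default" && $3 !~ /I/) full = 1
    }
    END {
      if (full)        print "full-tunnel"
      else if (routes) print "split-tunnel"
      else             print "no-vpn-routes"
    }
  '
}

# Constructed samples (assumed addresses and interface names).
V6_SYSTEM='Internet6:
Destination        Gateway            Flags               Netif Expire
fe80::%utun0/64    fe80::1%utun0      UcI                 utun0'

SAMPLE_DISCONNECTED="Internet:
Destination        Gateway            Flags               Netif Expire
default            192.168.1.1        UGScg                 en0
192.168.1          link#6             UCS                   en0

$V6_SYSTEM"

SAMPLE_SPLIT="Internet:
Destination        Gateway            Flags               Netif Expire
default            192.168.1.1        UGScg                 en0
10/8               10.20.0.1          UGSc                utun4

$V6_SYSTEM"

SAMPLE_FULL="Internet:
Destination        Gateway            Flags               Netif Expire
default            10.20.0.1          UGScg               utun4
default            192.168.1.1        UGScIg                en0"

classify() { printf '%s\n' "$1" | classify_vpn_routes; }
```

A `no-vpn-routes` result while the client shows Connected is worth noting in the escalation ticket along with the raw `netstat -nr` output.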
Disable Private Relay (macOS)
A common issue on macOS is Apple's iCloud Private Relay feature, which can interfere with the VPN's split-tunneling configuration.
- Open System Settings.
- Select your Apple ID.
- Select iCloud, then Private Relay.
Verify this feature is turned Off.
Investigating Performance and Client Issues
Address issues like client crashes or severe system slowdowns.
- Check for High Resource Usage
  - Guide the user to check if the VPN client is using an excessive amount of system resources.
    - On macOS: Open Activity Monitor and sort by % CPU and Memory.
    - On Windows: Open Task Manager and view the Processes tab.
    - If the Ivanti or Pulse Secure process is consistently at the top, note this trend for escalation.
- Perform a Client Reset
  - The client software can enter a bad state. Using the reset tool can resolve this state without a full reinstall.
    - Instruct the client to run the Ivanti Reset Tool from their applications.
    - Alternatively, guide them to manually stop and restart the VPN service on their machine.
- Reinstall the Ivanti Client
  - If the client is unstable or crashing, a clean reinstallation is the final troubleshooting step. Guide them to fully uninstall the Ivanti Secure Access Client, reboot their machine, and then install the latest version.
Log Capture and Escalation
If you cannot resolve the issue after following all relevant steps, you must escalate to the Infrastructure Network Engineering (INE) team with a complete set of diagnostic logs.
Comprehensive Log Capture
Provide the user with detailed, step-by-step instructions to use the Ivanti client's built-in diagnostic tool to collect and export the logs. On macOS, this process involves the get-networkdiaglogs tool. If it is not installed, it is found in the Managed Software Center; if installed, it can be found in the list of applications.
What to Attach When Escalating
Your escalation ticket must be complete to receive a fast response. Include this information:
- Summary of issue: Categorize the problem (connection, authentication, access, or performance).
- Troubleshooting performed: A list of all the steps from this guide you have already taken.
- Log bundle or command outputs: For Windows and macOS, run the Get Network Diagnostics tool and have the user share the log files. For any other OS, send the text output from any ping, traceroute, or nslookup commands you ran.
- Environment details: Visit go.netflix.com/oomnitza and provide the device operating system and the exact Ivanti client version number.