GlobalProtect
Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
-
- 6.1
- 6.0
- 5.2
- 5.1
-
- 6.2
- 6.1
- 6.0
- 5.3
- 5.2
- 5.1
Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace
ONE
In an Always On VPN configuration, the secure
GlobalProtect connection is always on. Traffic that matches specific
filters (such as port and IP address) configured on the GlobalProtect
gateway is always routed through the VPN tunnel. For even tighter
security requirements, you can enable VPN lockdown, which forces
the secure connection to always be on and connected in addition
to disabling network access when the app is not connected. This
configuration is similar to the
Enforce GlobalProtect for
Network Access
option that you would typically configure
in a GlobalProtect portal configuration.Because Workspace ONE does not yet list GlobalProtect as an official connection provider for
Windows endpoints, you must select an alternate VPN provider, edit the settings
for the GlobalProtect app, and import the configuration back into the VPN
profile as described in the following workflow.
Use the following steps to configure an Always On VPN configuration for Windows 10 UWP endpoints
using Workspace ONE:
- Download the GlobalProtect app for Windows 10 UWP:
- Download the GlobalProtect app directly from the Microsoft Store.
- From the Workspace ONE console, modify an existing Windows 10 UWP profile add a new one.
- Select, and thenDevicesProfiles & ResourcesProfilesADDa new profile.
- SelectWindowsas the platform andWindows Phoneas the device type.
- Configure theGeneralsettings:
- Enter aNamefor the profile.
- (Optional) Enter a briefDescriptionof the profile that indicates its purpose.
- (Optional) Set theDeploymentmethod toManagedto enable the profile to be removed automatically upon unenrollment
- (Optional) Select anAssignment Typeto determine how the profile is deployed to endpoints. SelectAutoto deploy the profile to all endpoints automatically,Optionalto enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, orComplianceto deploy the profile when an end user violates a compliance policy applicable to the endpoint.
- (Optional) In theManaged Byfield, enter the Organization Group with administrative access to the profile.
- (Optional) In theAssigned Groupsfield, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
- (Optional) Indicate whether you want to include anyExclusionsto the assignment of this profile. If you selectYes, theExcluded Groupsfield displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
- (Optional) If youEnable Scheduling and install only during selected time periods, you can apply a time schedule () to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in theDevicesProfiles & ResourcesProfiles SettingsTime SchedulesAssigned Schedulesfield.
- (Optional) If your GlobalProtect deployment requires client certificate authentication, configure theCredentialssettings:
- To pull client certificates from Workspace ONE users:
- Set theCredential SourcetoUser Certificate.
- Select theS/MIME Signing Certificate(default).
- To upload a client certificate manually:
- Set theCredential SourcetoUpload.
- Enter aCredential Name.
- ClickUPLOADto locate and select the certificate that you want to upload.
- After you select a certificate, clickSAVE.
- Select theKey Locationwhere you want to store the certificate’s private key:
- TPM Required—Store the private key on a Trusted Platform Module. If a Trusted Platform Module is not available on the endpoint, the private key cannot be installed.
- TPM If Present—Store the private key on a Trusted Platform Module if one is available on the endpoint. If a Trusted Platform Module is not available on the endpoint, the private key is stored in the endpoint software.
- Software—Store the private key in the endpoint software.
- Passport—Save the private key to Microsoft Passport. To use this option, Workspace ONE Protection Agent must be installed on the endpoint.
- Set theCertificate StoretoPersonal.
- To use a predefined certificate authority and template:
- Set theCredential SourcetoDefined Certificate Authority.
- Select theCertificate Authorityfrom which you want obtain certificates.
- Select theCertificate Templatefor the certificate authority.
- Select theKey Locationwhere you want to store the certificate’s private key:
- TPM Required—Store the private key on a Trusted Platform Module. If a Trusted Platform Module is not available on the endpoint, the private key cannot be installed.
- TPM If Present—Store the private key on a Trusted Platform Module if one is available on the endpoint. If a Trusted Platform Module is not available on the endpoint, the private key is stored in the endpoint software.
- Software—Store the private key in the endpoint software.
- Passport—Save the private key to Microsoft Passport. To use this option, Workspace ONE Protection Agent must be installed on the endpoint.
- Set theCertificate StoretoPersonal.
- Configure theVPNsettings:
- Enter theConnection Namethat the endpoint displays.
- Select an alternateConnection Typeprovider (do not selectIKEv2,L2TP,PPTP, orAutomatic, as these do not have the associated vendor settings required for the GlobalProtect VPN profile).You must select an alternate vendor because Workspace ONE has not yet listed GlobalProtect as an official connection provider for Windows endpoints.
- In theServerfield, enter the hostname or IP address of the GlobalProtect portal to which users connect.
- In the Authentication area, select anAuthentication Typeto specify the method authenticate end users.
- (Optional) To permit GlobalProtect to save user credentials,ENABLEthe option toRemember Credentialsin the Policies area.
- (Optional) In the VPN Traffic Rules area,ADD NEW DEVICE WIDE VPN RULEto send traffic matching a specific route through the VPN tunnel. These rules are not bound by application but are evaluated across the endpoint. If the traffic matches the specified match criteria, it is routed through the VPN tunnel.Add match criteria by clickingADD NEW FILTERand then entering aFilter Typeand correspondingFilter Value.
- To maintain the GlobalProtect connection always, configure either of the following options in the Policies area:
- ENABLEAlways Onto force the secure connection to be always on.
- ENABLEVPN Lockdownto force the secure connection to be always on and connected, and to disable network access when the app is not connected. TheVPN Lockdownoption in Workspace ONE is similar to theEnforce GlobalProtect for Network Accessoption that you would configure in a GlobalProtect portal configuration.
- (Optional) SpecifyTrusted Networkaddresses if you want GlobalProtect to connect only when it detects a trusted network connection.
- SAVE & PUBLISHyour changes.
- To set the connection type provider to GlobalProtect, edit the VPN profile in XML.To minimize additional edits in the raw XML, review the settings in your VPN profile before you export the configuration. If you need to change a setting after you export the VPN profile, you can make the changes in the raw XML or, you can update the setting in the VPN profile and perform this step again.
- In the, select the radio button next to the new profile you added in the previous steps, and then selectDevicesProfilesList View</>XMLat the top of the table. Workspace ONE opens the XML view of the profile.
- Exportthe profile and then open it in a text editor of your choice.
- Edit the following settings for GlobalProtect:
- In theLoclURIelement that specifies thePluginPackageFamilyName, change the element to:<LocURI>./Vendor/MSFT/VPNv2/PaloAltoNetworks/PluginProfile/PluginPackageFamilyName</LocURI>
- In theDataelement that follows, change the value to:<Data>PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg</Data>
- Save your changes to the exported profile.
- Return to Workspace ONE and select.DevicesProfilesList View
- Create and name a new profile (select).ADDAdd ProfileWindowsWindows Phone
- Select, and then copy and paste the edited configuration.Custom SettingsConfigure
- SAVE & PUBLISHyour changes.
- Clean up the original profile by selecting the original profile from, and then selectingDevicesProfilesList View. Workspace ONE moves the profile to the Inactive list.More ActionsDeactivate
- Test the configuration.