GlobalProtect Clientless VPN
GlobalProtect Clientless VPN provides secure remote access to common enterprise web applications.
Users have the advantage of secure access from SSL-enabled web browsers without
installing the GlobalProtect software. This is useful when you need to enable partner or
contractor access to applications, and safely enable unmanaged assets, including
personal endpoints. You can configure the GlobalProtect portal landing page to provide
access to web applications based on users and user groups and also allow single sign-on
to SAML-enabled applications.
Clientless VPN functions as a reverse proxy that modifies the web pages
returned by published web applications. It presents a rewritten version of these pages
to remote users. When users access these URLs, their requests are routed through the
GlobalProtect portal. This leads to the following:
- The protection typically provided by the Same Origin Policy does not
  apply to pages accessed via Clientless VPN, as the browser treats all pages as
  if they come from the same origin, regardless of their actual origin.
- The page rewriting process may cause JavaScript to behave differently
  than intended.
Consequently, if a user visits a compromised website or clicks on a phishing link, a
remote attacker could potentially obtain VPN session tokens and read or modify content
(including cookies, scripts, or HTML) from any site accessed through the Clientless SSL
VPN. This effectively bypasses Same Origin Policy restrictions in all browsers.
Therefore, the Clientless VPN feature only ensures secure remote access to a
single trusted application. Since the Same Origin Policy is not enforced, we strongly
recommend configuring access to only a trusted page through Clientless VPN. Clientless
VPN should never be used to access multiple different websites on the internet or the
intranet. If you need to access untrusted websites, use
Prisma Access Browser instead.
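
The origin collapse described above can be checked against a list of published applications. The following is an added example, not Palo Alto Networks code: the portal hostname, the /proxy/<scheme>/<host>/ rewrite layout and the sample URLs are constructed for illustration and are not GlobalProtect's actual rewrite format.

```javascript
// Added illustration: how a rewriting reverse proxy collapses browser origins.
// PORTAL and the /proxy/<scheme>/<host>/ layout are hypothetical assumptions,
// not GlobalProtect's real rewrite format.
const PORTAL = "https://portal.example.com";

// Browser origin = scheme + host + port; this is what the Same Origin Policy compares.
function originOf(url) {
  return new URL(url).origin;
}

// Hypothetical rewrite: the backend URL is folded into a path on the portal.
function rewriteThroughPortal(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(":", "");
  return `${PORTAL}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Distinct origins the browser sees with direct access and through the portal.
function originsSeenByBrowser(publishedUrls) {
  const direct = new Set(publishedUrls.map(originOf));
  const proxied = new Set(
    publishedUrls.map((u) => originOf(rewriteThroughPortal(u)))
  );
  return { direct: [...direct], proxied: [...proxied] };
}

// Audit matching the guidance: flag a published-application list that puts
// more than one real origin behind the single portal origin.
function auditPublishedApps(publishedUrls) {
  const { direct, proxied } = originsSeenByBrowser(publishedUrls);
  return {
    distinctBackendOrigins: direct.length,
    originsAfterRewrite: proxied.length,
    sopCollapsed: direct.length > 1 && proxied.length === 1,
    sharedOrigin: proxied[0],
  };
}

// Constructed sample input: three applications on three different origins.
const published = [
  "https://wiki.corp.example/index.php?title=Home",
  "https://hr.corp.example/payroll",
  "http://legacy.corp.example:8080/app",
];
console.log(auditPublishedApps(published));
console.log(auditPublishedApps(["https://wiki.corp.example/"]));
```

With three applications published, the browser sees one origin where it would otherwise see three, so a script served by any one of them runs with access to the others; with a single trusted application there is nothing for the collapse to merge.
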
The following topics provide information on how to configure and troubleshoot Clientless
VPN.