GlobalProtect Clientless VPN provides secure remote access to common enterprise web applications. Users have the advantage of secure access from SSL-enabled web browsers without installing the GlobalProtect software. This is useful when you need to enable partner or contractor access to applications, and safely enable unmanaged assets, including personal endpoints. You can configure the GlobalProtect portal landing page to provide access to web applications based on users and user groups and also allow single-sign on to SAML-enabled applications.

Clientless VPN functions as a reverse proxy that modifies the web pages returned by published web applications. It presents a rewritten version of these pages to remote users. When users access these URLs, their requests are routed through the GlobalProtect portal. This leads to the following:

Consequently, if a user visits a compromised website or clicks on a phishing link, a remote attacker could potentially obtain VPN session tokens and read or modify content (including cookies, scripts, or HTML) from any site accessed through the Clientless SSL VPN. This effectively bypasses Same Origin Policy restrictions in all browsers.

Therefore, the Clientless VPN feature only ensures secure remote access to a single trusted application. Since the Same Origin Policy is not enforced, we strongly recommend configuring access to only a trusted page through Clientless VPN. Clientless VPN should never be used to access multiple different websites on the internet or the intranet. If you need to access untrusted websites, use Prisma Access Browser instead.

The following topics provide information on how to configure and troubleshoot Clientless VPN.