Remote Access VPN (Certificate Profile)
With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or gateway. In addition to the certificate itself, the portal or gateway can use a certificate profile to determine whether the client that sent the certificate is the client to which the certificate was issued.
When a client certificate is the only means of authentication, the certificate that the client presents must contain the username in one of the certificate fields; typically the username corresponds to the common name (CN) in the Subject field of the certificate.
Upon successful authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address from the IP pool in the gateway's tunnel configuration. To support user-based policy enforcement on sessions from the corp-vpn zone, the username taken from the certificate is mapped to the IP address that the gateway assigned. If a security policy requires a domain name in addition to the username, the domain value specified in the certificate profile is appended to the username.
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only configuration difference is that instead of authenticating users against an external authentication server, this configuration uses client certificate authentication only.
- Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 203.0.113.1, and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS "A" record that maps IP address 203.0.113.1 to gp.acme.com.
- Add the tunnel.2 interface to a new zone called corp-vpn. Assign the interface to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
- Select Policies > Security and then Add a new rule.
- For this example, you would define the rule with the following settings:
- Name—VPN Access
- Source Zone—corp-vpn
- Destination Zone—l3-trust
- Select Device > Certificate Management > Certificates and obtain a server certificate for the interface hosting the GlobalProtect portal and gateway, as follows:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN,gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
- Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name such as GP-client-cert.
- Select Subject from the Username Field drop-down.
- Click Add in the CA Certificates section, select the CA Certificate that issued the client certificates, and click OK twice.
- See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access. Select Network > GlobalProtect > Gateways and add the following configuration:
- Interface—ethernet1/2
- IP Address—203.0.113.1
- Server Certificate—GP-server-cert.pem issued by GoDaddy
- Certificate Profile—GP-client-cert
- Tunnel Interface—tunnel.2
- IP Pool—10.31.32.3 - 10.31.32.118
- Select Network > GlobalProtect > Portals and add the following configuration:
- Interface—ethernet1/2
- IP Address—203.0.113.1
- Server Certificate—GP-server-cert.pem issued by GoDaddy
- Certificate Profile—GP-client-cert
- Connect Method—On-demand (manual, user-initiated connection)
- External Gateway Address—gp.acme.com
- (Optional) Enable use of the GlobalProtect mobile app. Purchase and install a GlobalProtect Gateway subscription (Device > Licenses) to enable use of the app.
- Save the GlobalProtect configuration. Click Commit.
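The two requirements the procedure above places on the client certificate (it must be issued by the CA selected in the certificate profile, and its Subject CN must carry the GlobalProtect username) can be exercised end to end with OpenSSL. The following script is an added example, not from the original page or from Palo Alto Networks: it builds a throwaway issuing CA and test users (constructed data), issues client certificates, and then runs a profile_check function that approximates the profile's checks, including the two rejection cases. The CA name, the users jdoe and nocn, and the WORK scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): issue per-user client certificates whose
# Subject CN is the GlobalProtect username, then apply the two checks the
# certificate profile relies on: chains to the configured CA, and a CN exists.
set -eu

# Scratch directory for the constructed test PKI (assumed location).
WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway enterprise CA. Constructed test data, not a real PKI.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Acme/CN=Acme Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Leaf extensions for a TLS client certificate.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
}

# Issue a client certificate signed by the CA.
#   $1 = file base name, $2 = subject DN (the CN should be the GlobalProtect username)
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate that claims the same username but was not issued
# by the CA in the profile; the gateway must not accept it.
issue_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Evil/CN=jdoe" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# Username Field = Subject: take the CN from the Subject DN (empty if absent).
cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | awk -F'CN=' '/CN=/ {print $2}'
}

# Approximation of the certificate profile check: the certificate must verify
# against the profile's CA for TLS client use, and must contain a CN that can
# be mapped to a username. Prints the username on success, returns 1 otherwise.
profile_check() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1 || return 1
  user=$(cert_username "$1")
  [ -n "$user" ] || return 1
  printf '%s\n' "$user"
}

# Demo run: one valid user, one certificate without a CN, one rogue certificate.
make_ca
issue_client_cert jdoe "/O=Acme/OU=Users/CN=jdoe"
echo "jdoe.crt  -> accepted as user $(profile_check "$WORK/jdoe.crt")"
issue_client_cert nocn "/O=Acme/OU=Users"
profile_check "$WORK/nocn.crt" || echo "nocn.crt  -> rejected (no CN to map to a username)"
issue_rogue_cert
profile_check "$WORK/rogue.crt" || echo "rogue.crt -> rejected (not issued by the profile's CA)"
```

The rogue case is the one that matters for the design: the profile's CA list is the entire trust anchor for who may authenticate, so any certificate issued by a CA in that list that also carries a CN will pass. Point the profile at a dedicated enterprise issuing CA used only for GlobalProtect clients rather than at a public CA (a public CA issues certificates to anyone), and enable revocation checking (CRL or OCSP) in the profile so a lost device can be cut off without rotating the CA.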