End-of-Life (EoL)
GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:

| Certificate | Usage | Issuing Process/Best Practices |
|---|---|---|
| CA certificate | Used to sign certificates issued to the GlobalProtect components. | If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates. |
| Portal server certificate | Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal. | |
| Gateway server certificate | Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway. | |
| (Optional) Client certificate | Used to enable mutual authentication in establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network. | |
| (Optional) Machine certificates | A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal. Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in. | |
Table: GlobalProtect Certificate Requirements
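As an added example that is not part of the GlobalProtect documentation, the following Python script (using the pyca/cryptography library) builds the hierarchy the table prescribes: a CA certificate, a portal server certificate issued from it, and a machine certificate whose subject names the device (CN=laptop1.example.com), plus a check that an issued certificate really chains to that CA and not to a look-alike. The hostnames, key type and validity periods are constructed assumptions; a gateway certificate is issued the same way as the portal certificate.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject_cn, issuer_name, pubkey, days, ca):
    # BasicConstraints marks the CA, so an issued leaf can never act as an issuer itself.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=0 if ca else None), critical=True))

def make_ca(cn="GlobalProtect Root CA"):
    """Self-signed CA: the certificate the table suggests generating on the portal."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _builder(cn, _name(cn), key.public_key(), 3650, True).sign(key, hashes.SHA256())

def issue(ca_key, ca_cert, cn, eku, san=None):
    """Leaf from the CA: serverAuth for portal/gateway, clientAuth for client/machine certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(cn, ca_cert.subject, key.public_key(), 365, False)
    b = b.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    if san:  # the FQDN agents connect to; set it on portal and gateway certificates
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return key, b.sign(ca_key, hashes.SHA256())

def chains_to(cert, ca_cert):
    """True only if ca_cert is a CA, is named as issuer, and its key verifies the signature."""
    is_ca = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    if not is_ca or cert.issuer != ca_cert.subject:
        return False
    try:  # a rogue CA that merely copies the CA's name fails here
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_hierarchy():
    """Constructed example: one CA issuing a portal server certificate and a machine certificate."""
    ca_key, ca = make_ca()
    _, portal = issue(ca_key, ca, "portal.example.com", ExtendedKeyUsageOID.SERVER_AUTH, "portal.example.com")
    _, machine = issue(ca_key, ca, "laptop1.example.com", ExtendedKeyUsageOID.CLIENT_AUTH)
    return {"ca": ca, "portal": portal, "machine": machine}
```

Call `build_hierarchy()` and pass each leaf with the CA to `chains_to()`; a second CA generated with the same name is rejected because its key does not verify the signature.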
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.