GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
CA certificate
  Usage: Used to sign certificates issued to the GlobalProtect components.
  Issuing process/best practices: If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.

Portal server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal.

Gateway server certificate
  Usage: Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway.

(Optional) Client certificate
  Usage: Used to enable mutual authentication in establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.

(Optional) Machine certificates
  Usage: A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal.
  Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in.

Table: GlobalProtect Certificate Requirements
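The hierarchy the table describes, as an added example that is not part of the Palo Alto Networks documentation and does not touch PAN-OS itself: a POSIX shell script that uses the openssl CLI to create a self-signed CA, issue portal and gateway server certificates, a user client certificate and a machine certificate (subject CN=laptop1.example.com), and then verify each issued certificate against the CA. Every name in it (GlobalProtect Example CA, portal.example.com, gateway.example.com, jdoe, the gp_ function names) is a constructed placeholder; on a firewall the equivalent steps are generating the CA certificate on the portal and issuing the other certificates from it.

```shell
#!/bin/sh
# Added example, not part of the GlobalProtect documentation: reproduce the
# certificate hierarchy from the table with the openssl CLI so it can be
# inspected offline. Every name below is a constructed placeholder.
set -u

# Write a minimal openssl config for one certificate.
#   $1 = config path, $2 = subject CN, $3 = "ca" | "server" | "client"
# The [ext] section carries the X.509 v3 extensions for that certificate type.
gp_write_cnf() {
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\n' "$2"
    case "$3" in
      ca)     printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' ;;
      server) printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\n'
              printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" ;;
      client) printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' ;;
    esac
  } > "$1"
}

# Create the self-signed CA (key + certificate) in directory $1.
gp_make_ca() {
  gp_write_cnf "$1/ca.cnf" "GlobalProtect Example CA" ca
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.crt" -days 3650 -config "$1/ca.cnf" 2>/dev/null
}

# Issue one leaf certificate signed by the CA in directory $1.
#   $2 = file basename, $3 = subject CN, $4 = "server" | "client"
gp_issue() {
  gp_write_cnf "$1/$2.cnf" "$3" "$4"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -config "$1/$2.cnf" 2>/dev/null || return 1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/$2.cnf" -extensions ext \
    -out "$1/$2.crt" 2>/dev/null
}

# Build the whole hierarchy the table lists, in directory $1.
gp_build_pki() {
  mkdir -p "$1" || return 1
  gp_make_ca "$1" || return 1
  gp_issue "$1" portal  portal.example.com  server || return 1   # portal server certificate
  gp_issue "$1" gateway gateway.example.com server || return 1   # gateway server certificate
  gp_issue "$1" client  jdoe                client || return 1   # client certificate (identifies a user)
  gp_issue "$1" machine laptop1.example.com client               # machine certificate (identifies a device)
}

# Does certificate $2 chain to CA certificate $1? (exit status 0 = yes)
gp_verify() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the subject CN of certificate $1.
gp_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does certificate $1 carry the extended key usage named in $2?
gp_has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Run with "demo" as the only argument to build a hierarchy in a temp dir
# and print, for each issued certificate, its CN and whether it chains to the CA.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gp_build_pki "$d"
  for c in portal gateway client machine; do
    printf '%-8s CN=%-24s chains to CA: ' "$c" "$(gp_cn "$d/$c.crt")"
    gp_verify "$d/ca.crt" "$d/$c.crt" && echo yes || echo no
  done
fi
```

Run it as `sh gp_pki.sh demo`. The client and machine certificates differ only in what the subject names (a user versus a device); both carry the clientAuth extended key usage, while the portal and gateway certificates carry serverAuth. A certificate issued by a different CA fails gp_verify against this CA, which is the property that lets a portal or gateway admit only endpoints holding a certificate from the trusted issuer.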
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.