GlobalProtect Certificate Best Practices
The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use:
Issuing Process/Best Practices
Used to sign certificates issued to the GlobalProtect components.
If you plan to use self-signed certificates, a best practice is to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.
Portal server certificate
Enables GlobalProtect agents and apps to establish an HTTPS connection with the portal.
Gateway server certificate
Enables GlobalProtect agents and apps to establish an HTTPS connection with the gateway.
Optional) Client certificate
Used to enable mutual authentication in establishing an HTTPS session between the GlobalProtect agents and the gateways/portal. This ensures that only devices with valid client certificates are able to authenticate and connect to the network.
Optional) Machine certificates
A machine certificate is a client certificate that is issued to a device. Each machine certificate identifies the device in the subject field (for example, CN=laptop1.example.com) instead of a user. The certificate ensures that only trusted endpoints can connect to gateways or the portal.
Machine certificates are required for users whose connect method is pre-logon, which enables GlobalProtect to establish a VPN tunnel before the user logs in.
Table: GlobalProtect Certificate Requirements
For details about the types of keys for secure communication between the GlobalProtect endpoint and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Remote Access VPN with Pre-Logon
Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...
Deploy Server Certificates to the GlobalProtect LSVPN Compo...
Deploy Server Certificates to the GlobalProtect LSVPN Components The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
GlobalProtect Portals Authentication Configuration Tab
GlobalProtect Portals Authentication Configuration Tab Select Network GlobalProtect Portals Authentication to configure several different types of GlobalProtect portal settings: An SSL/TLS service profile that the ...
How Does the Agent Know Which Certificate to Supply?
How Does the Agent Know Which Certificate to Supply? When you configure GlobalProtect to use client certificates for authentication on Mac or Windows endpoints, GlobalProtect ...
Client Certificate Authentication
Client Certificate Authentication For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the ...
About Certificate Deployment
About Certificate Deployment There are two basic approaches to deploying certificates for GlobalProtect LSVPN: Enterprise Certificate Authority —If you already have your own enterprise certificate ...
Define the GlobalProtect Agent Configurations
Define the GlobalProtect Agent Configurations After a GlobalProtect user connects to the portal and is authenticated by the GlobalProtect portal, the portal sends the agent ...