Remote Access VPN (Certificate Profile)
With certificate authentication, the client
must present a valid client certificate that identifies the user to
the GlobalProtect portal or gateway. In addition to the certificate
itself, the portal or gateway can use a certificate profile to determine whether
the client that sent the certificate is the client to which the
certificate was issued.
When a client certificate is the only
means of authentication, the certificate that the client presents
must contain the username in one of the certificate fields; typically
the username corresponds to the common name (CN) in the Subject
field of the certificate.
Upon successful authentication,
the GlobalProtect agent establishes a VPN tunnel with the gateway
and is assigned an IP address from the IP pool in the gateway’s
tunnel configuration. To support user-based policy enforcement on
sessions from the corp-vpn zone, the username from the certificate
is mapped to the IP address that the gateway assigned. Also, if
a security policy requires a domain name in addition to user name,
the specified domain value in the certificate profile is appended
to the username.
GlobalProtect
Client Certificate Authentication Configuration
This quick configuration
uses the same topology as GlobalProtect
VPN for Remote Access. The only configuration difference
is that instead of authenticating users against an external authentication
server, this configuration uses client certificate authentication
only.
- Use thedefaultvirtual router for all interface configurations to avoid having to create inter-zone routing.
- Select and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address203.0.113.1and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS “A” record that maps IP address203.0.113.1togp.acme.com.
- Select .
- Add tunnel.2 interface to a new zone calledcorp-vpn. Assign the interface to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create security policy to enable traffic flow between the corp-vpn zone and the l3-trust zone to enable access to your internal resources.
- Select and thenAdda new rule.
- For this example, you would define the rule with the following settings:
- Name—VPN Access
- Source Zone—corp-vpn
- Destination Zone—l3-trust
- Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:Select to manage certificates as follows:
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN,gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
- Select , clickAddand enter a profileNamesuch asGP-client-cert.
- SelectSubjectfrom theUsername Fielddrop-down.
- ClickAddin the CA Certificates section, select theCA Certificatethat issued the client certificates, and clickOKtwice.
- See the topology diagram shown in GlobalProtect VPN for Remote Access.Select and add the following configuration:Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-certTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Configure the GlobalProtect Portals.Select and add the following configuration:
- Interface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—GP-client-cert
- Connect Method—On-demand(Manual user initiated connection)External Gateway Address—gp.acme.com
- Select .In this example, use the procedure to Host Agent Updates on the Portal.
- (Optional) Enable use of the GlobalProtect mobile app.Purchase and install a GlobalProtect subscription () to enable use of the app.
- Save the GlobalProtect configuration.ClickCommit.