Configure GlobalProtect to Retrieve Host Information

Follow these instructions to configure GlobalProtect to retrieve host information from devices managed by AirWatch.
  1. Install and configure the Windows-based User-ID agent. The User-ID agent must be in a location that enables secure connections to the VMware AirWatch Mobile Device Management (MDM) system.
    For more information, see Install the User-ID Agent. The AirWatch MDM integration service is included with the PAN-OS Windows-based User-ID agent.
  2. Configure SSL authentication between the Windows-based User-ID agent and the GlobalProtect gateway.
    When you configure SSL authentication, make sure:
    • The server certificate configured on the Windows-based User-ID Agent has the same Common Name (CN) as the hostname/IP address of the User-ID Agent host.
    • The server certificate is trusted by the firewall (included in the trusted CA list in the MDM configuration on the firewall).
    • The root certificate authority (CA) certificate of the MDM client certificate configured on the firewall must be imported into Windows trust store of the Windows server.
    1. Obtain a server certificate and private key for authentication between the Windows-based User-ID agent and the GlobalProtect gateway. The certificate bundle must be in PEM format that contains a PEM certificate, full certificate chain, and private key.
    2. Open the Windows-based User-ID agent and select Server Certificate.
    3. Add the server certificate.
    • Browse to the certificate file and Open the file to upload the certificate to the Windows-based User-ID agent.
    • Enter a Private Key Password for the certificate.
    • Click OK.
    The agent verifies the certificate is valid and stores the encryption password of the private key in the host machine’s Windows credential store.
    If installation is successful, detailed information about the certificate (including common name, expiration date, and issuer) appears on the Server Certificate tab.
    1. Restart the Windows-based User-ID agent.
  3. Configure the MDM integration service on the Windows-based User-ID agent.
    1. Select MDM Integration in the Windows-based User-ID agent.
    2. In Gateway Connection TCP Port, specify a port for TCP communications. The Windows-based User-ID agent listens at this port for all MDM-related messages. The default port is 5008. To change the port, specify a number from 1 to 65535.
    3. On the Setup tab, click Edit.
    4. Choose AirWatch for the MDM Vendor.
  4. Specify the MDM Event Notification settings to monitor and collect AirWatch events (for example, device enrollment, device wipe, and compliance changes). When an event occurs, the MDM integration service fetches the updated device information from the AirWatch API and pushes this information to all configured GlobalProtect gateways.
    For MDM Event Notification, make sure the values you enter here are also configured in the AirWatch console under Groups & SettingsAll SettingsSystemAdvancedAPIEvent Notifications.
    airwatch-event-notification.png
    • Set the TCP Port for communicating with the event notification service. Use this format: http://<external_hostname>/<ip_address>:<port> where <ip-address> is the IP address for the MDM integration service. The default port is 5011. To change the port, specify a number from 1 to 65535.
    • For event notification, enter the Username and Password credentials needed to authenticate incoming requests.
    • Enter the Permitted IP addresses to access MDM events. This is a comma-separated list of IP addresses from where MDM events are posted. For example, the IP address of the AirWatch server. Contact your AirWatch Support team for guidance on which IP addresses to specify.
  5. Add MDM API Authentication settings to connect with the AirWatch API.
    • Enter the Server Address of the AirWatch MDM server to which the Windows-based User-ID agent will connect. For example, api.awmdm.com.
    • Enter the Username and Password credentials needed to access the AirWatch MDM API.
    • Enter the Tenant Code.This is a unique hexadecimal code number required to access the AirWatch MDM API. On the AirWatch console, you can find the tenant code at SystemAdvancedAPIREST APIAPI Key.
      airwatch-api-activation.png
    • Enter the Mobile Device State Retrieval Interval. This setting controls how often host information is retrieved from devices managed by AirWatch. The default is 30 minutes. To change the interval, specify a number from 1 to 600.
  6. Commit your changes.
  7. Click Test Connection to make sure the Windows-based User-ID agent can connect to the AirWatch API.
  8. Configure the GlobalProtect gateway to communicate with the MDM integration service to retrieve the HIP reports for the devices managed by AirWatch.
    1. In the PAN-OS web interface, select NetworkGlobalProtectMDM.
    2. Add the following information about the MDM integration service.
    • Name—Enter a name for the MDM integration service (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    • (Optional) Select the virtual system to which the gateway belongs.
    • Server—Enter the IP address or FQDN of the interface on the Airwatch MDM integration service where the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface.
    • Connection Port—Enter the connection port where the MDM integration service listens for HIP report requests. The default port is 5008. To change the port, specify a number from 1 to 65535.
    • Client Certificate—Choose the client certificate for the gateway to present to the MDM integration service when it establishes an HTTPS connection. You can choose a client certificate from the drop down, or import a new client certificate. The Certificate Purpose must indicate that it is a client authentication certificate.
    The root certificate authority (CA) certificate of the client certificate must be imported into the Windows trust store of the Windows server where the User-ID Agent is installed.
    1. Add the root CA certificate associated with the server certificate installed on the MDM integration service host. You need both the root CA certificate and the server certificate to establish a secure connection between the gateway and the MDM integration service. You can choose a root CA certificate from the drop down, or Import a new certificate.
    2. Click OK.
    3. Commit your changes.
  9. Check your connection to make sure AirWatch device data is transferred to GlobalProtect.
    1. Open the Windows-based User-ID agent and select MDM IntegrationMobile Devices. You should see a list of unique device IDs and user names for all the devices managed by AirWatch.
    2. (Optional) You can Filter the list to find a specific Mobile Device.
    3. (Optional). Select a device in the list of device IDs and click Retrieve Device State to extract the latest information about the device and see how it maps to host information profiles on the GlobalProtect gateway.

Related Documentation