Configure GlobalProtect to Retrieve Host Information
Follow these instructions to configure GlobalProtect to retrieve host information from devices managed by AirWatch.
- Install and configure the Windows-based User-ID agent. The User-ID agent must be in a location that enables secure connections to the VMware AirWatch Mobile Device Management (MDM) system.
- Configure SSL authentication between the Windows-based User-ID agent and the GlobalProtect gateway.When you configure SSL authentication, make sure:
- The server certificate configured on the Windows-based User-ID Agent has the same Common Name (CN) as the hostname/IP address of the User-ID Agent host.
- The server certificate is trusted by the firewall (included in the trusted CA list in the MDM configuration on the firewall).
- The root certificate authority (CA) certificate of the MDM client certificate configured on the firewall must be imported into Windows trust store of the Windows server.
- Obtain a server certificate and private key for authentication between the Windows-based User-ID agent and the GlobalProtect gateway. The certificate bundle must be in PEM format that contains a PEM certificate, full certificate chain, and private key.
- Open the Windows-based User-ID agent and selectServer Certificate.
- Addthe server certificate.
The agent verifies the certificate is valid and stores the encryption password of the private key in the host machine’s Windows credential store.If installation is successful, detailed information about the certificate (including common name, expiration date, and issuer) appears on theServer Certificatetab.
- Browseto the certificate file andOpenthe file to upload the certificate to the Windows-based User-ID agent.
- Enter aPrivate Key Passwordfor the certificate.
- Restart the Windows-based User-ID agent.
- Configure the MDM integration service on the Windows-based User-ID agent.
- SelectMDM Integrationin the Windows-based User-ID agent.
- InGateway Connection TCP Port, specify a port for TCP communications. The Windows-based User-ID agent listens at this port for all MDM-related messages. The default port is 5008. To change the port, specify a number from 1 to 65535.
- On theSetuptab, clickEdit.
- ChooseAirWatchfor theMDM Vendor.
- Specify theMDM Event Notificationsettings to monitor and collect AirWatch events (for example, device enrollment, device wipe, and compliance changes). When an event occurs, the MDM integration service fetches the updated device information from the AirWatch API and pushes this information to all configured GlobalProtect gateways.ForMDM Event Notification, make sure the values you enter here are also configured in the AirWatch console under.Groups & SettingsAll SettingsSystemAdvancedAPIEvent Notifications
- Set theTCP Portfor communicating with the event notification service. Use this format:http://<external_hostname>/<ip_address>:<port>where<ip-address>is the IP address for the MDM integration service. The default port is 5011. To change the port, specify a number from 1 to 65535.
- For event notification, enter theUsernameandPasswordcredentials needed to authenticate incoming requests.
- Enter thePermitted IPaddresses to access MDM events. This is a comma-separated list of IP addresses from where MDM events are posted. For example, the IP address of the AirWatch server. Contact your AirWatch Support team for guidance on which IP addresses to specify.
- AddMDM API Authenticationsettings to connect with the AirWatch API.
- Enter theServer Addressof the AirWatch MDM server to which the Windows-based User-ID agent will connect. For example,api.awmdm.com.
- Enter theUsernameandPasswordcredentials needed to access the AirWatch MDM API.
- Enter theTenant Code.This is a unique hexadecimal code number required to access the AirWatch MDM API. On the AirWatch console, you can find the tenant code at.SystemAdvancedAPIREST APIAPI Key
- Enter theMobile Device State Retrieval Interval. This setting controls how often host information is retrieved from devices managed by AirWatch. The default is 30 minutes. To change the interval, specify a number from 1 to 600.
- Commityour changes.
- ClickTest Connectionto make sure the Windows-based User-ID agent can connect to the AirWatch API.
- Configure the GlobalProtect gateway to communicate with the MDM integration service to retrieve the HIP reports for the devices managed by AirWatch.
- In the PAN-OS web interface, select.NetworkGlobalProtectMDM
- Addthe following information about the MDM integration service.
The root certificate authority (CA) certificate of the client certificate must be imported into the Windows trust store of the Windows server where the User-ID Agent is installed.
- Name—Enter a name for the MDM integration service (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- (Optional) Select the virtual system to which the gateway belongs.
- Server—Enter the IP address or FQDN of the interface on the Airwatch MDM integration service where the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface.
- Connection Port—Enter the connection port where the MDM integration service listens for HIP report requests. The default port is 5008. To change the port, specify a number from 1 to 65535.
- Client Certificate—Choose the client certificate for the gateway to present to the MDM integration service when it establishes an HTTPS connection. You can choose a client certificate from the drop down, or import a new client certificate. TheCertificate Purposemust indicate that it is a client authentication certificate.
- Addthe root CA certificate associated with the server certificate installed on the MDM integration service host. You need both the root CA certificate and the server certificate to establish a secure connection between the gateway and the MDM integration service. You can choose a root CA certificate from the drop down, orImporta new certificate.
- Commityour changes.
- Check your connection to make sure AirWatch device data is transferred to GlobalProtect.
- Open the Windows-based User-ID agent and select. You should see a list of unique device IDs and user names for all the devices managed by AirWatch.MDM IntegrationMobile Devices
- (Optional) You canFilterthe list to find a specificMobile Device.
- (Optional). Select a device in the list of device IDs and clickRetrieve Device Stateto extract the latest information about the device and see how it maps to host information profiles on the GlobalProtect gateway.
Recommended For You
Recommended videos not found.