Configure Clientless VPN

  1. Before you begin:
    • Install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Refer to Active Licenses and Subscriptions.
    • Install the GlobalProtect Clientless VPN dynamic update (see Install Content and Software Updates) and set a schedule for installing new dynamic content updates. As a best practice, it is recommended to always install the latest content updates for GlobalProtect Clientless VPN.
      dynamic-updates.png
    • As a best practice, configure a separate FQDN for the GlobalProtect portal that hosts Clientless VPN. Do not use the same FQDN as the PAN-OS Web Interface.
    • Host the GlobalProtect portal on the standard SSL port (TCP port 443). Non-standard ports are not supported.
  2. Configure the applications that are available using GlobalProtect Clientless VPN. The GlobalProtect portal displays these applications on the landing page that users see when they log in (the applications landing page).
    1. Select
      Network
      GlobalProtect
      Clientless Apps
      and
      Add
      one or more applications. For each application, specify the following:
      • Name
        —A descriptive name for the application (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Location
        (for a firewall that is in multiple virtual system mode)—the virtual system (vsys) where the Clientless VPN applications are available. For a firewall that is not in multi-vsys mode, the
        Location
        field does not appear.
      • Application Home URL
        —The URL where the web application is located (up to 4095 characters).
      • Application Description
        (
        Optional
        )—A brief description of the application (up to 255 characters).
      • Application Icon
        (
        Optional
        )—An icon to identify the application on the published application page. You can browse to upload the icon.
    2. Click
      OK
      .
  3. (
    Optional
    ) Create groups to manage sets of web applications.
    Clientless App Groups are useful if you want to manage multiple collections of applications and provide access based on user groups. For example, financial applications for the G&A team or developer applications for the Engineering team.
    1. Select
      Network
      GlobalProtect
      Clientless App Groups
      .
      Add
      a new Clientless VPN application group and specify the following:
      • Name
        —A descriptive name for the application group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Location
        (for a firewall that is in multiple virtual system mode)—the virtual system (vsys) where the Clientless VPN application group is available. For a firewall that is not in multi-vsys mode, the
        Location
        field does not appear.
    2. In the
      Applications
      area,
      Add
      applications to the group. You can select from the list of existing Clientless VPN applications or define a
      New Clientless App
      .
    3. Click
      OK
      .
  4. Configure the GlobalProtect portal to provide the Clientless VPN service.
    1. Select
      Network
      GlobalProtect
      Portal
      and select an existing portal configuration or
      Add
      a new one Refer to Set Up Access to the GlobalProtect Portal.
    2. In the
      Authentication
      tab, you can:
      • (
        Optional
        ) Create a new client authentication specifically for Clientless VPN. In this case, choose
        Browser
        as the
        OS
        for
        Client Authentication
        .
      • Use an existing client authentication.
    3. In
      Clientless
      General
      , select
      Clientless VPN
      to enable the portal service and configure the following:
      • Specify a
        Hostname
        (IP address or fully-qualified domain name) for the GlobalProtect portal that hosts the applications landing page. This hostname is used for rewriting application URLs. (For more information on URL rewriting, refer to step 8).
      If you use Network Address Translation (NAT) to provide access to the GlobalProtect portal, the IP address or FQDN you enter must match (or resolve to) the NAT IP address for the GlobalProtect portal (the public IP address). Because users cannot access the GlobalProtect portal on a custom port, the pre-NAT port must also be TCP port 443.
      • Specify a
        Security Zone
        . This zone is used as a source zone for the traffic between the firewall and the applications. Security rules defined from this zone to the application zone determine which applications can be accessed.
      • Select a
        DNS Proxy
        server or configure a
        New DNS Proxy
        . GlobalProtect will use this proxy to resolve application names. Refer to DNS Proxy Object.
      • Login Lifetime
        —Specify the maximum hours or minutes that a Clientless VPN session is valid. The typical session time is 3 hours. The range for hours is 1-24; the range for minutes is 60-1440. After the session expires, users must re-authenticate and start a new Clientless VPN session.
      • Inactivity Timeout
        —Specify the number of hours or minutes that a Clientless VPN session can remain idle. The typical inactivity timeout is 30 minutes. The range for hours is 1-24; the range for minutes is 5 to 1440. If there is no user activity during the specified amount of time, users must re-authenticate and start a new Clientless VPN session.
      • Max User
        —Specify the maximum number of users who can be logged into the portal at the same time. If no value is specified, then endpoint capacity is assumed. If the endpoint capacity is unknown, then a capacity of 50 users is assumed. When the maximum number of users is reached, additional Clientless VPN users cannot log in to the portal.
  5. Map users and user groups to applications.
    This mapping controls which applications users or user groups can launch from a GlobalProtect Clientless VPN session.
    The GlobalProtect portal uses the user/user group settings that you specify to determine which configuration to deliver to the GlobalProtect Clientless VPN user that connects. If you have multiple configurations, make sure they are ordered properly and map to all of the required applications, as the portal looks for a configuration match starting from the top of the list. As soon as the portal finds a match, it delivers the configuration to the GlobalProtect Clientless VPN user.
    clientless_app_mapping.png
    Publishing an application to a user/user group or allowing them to launch unpublished applications does not imply that they can access those applications. Controlling access to applications (published or not) is done using security policies.
    You must configure group mapping (
    Device
    User Identification
    Group Mapping Settings
    ) before you can select the groups.
    1. On the
      Applications
      tab,
      Add
      an
      Applications to User Mapping
      to match users with published applications.
      • Name
        —Enter a name for the mapping (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Display application URL address bar
        —Select this option to display an application URL address bar from which users can launch applications that are not published on the applications landing page. When enabled, users can click the
        Application URL
        link on the page and specify a URL.
    2. Specify the
      Source Users
      . You can
      Add
      individual users or user groups to which the current application configuration applies. These users have permission to launch the configured applications using a GlobalProtect Clientless VPN. In addition to users and groups, you can specify when these settings apply to the users or groups:
      • any
        —The application configuration applies to all users (no need to
        Add
        users or user groups).
      • select
        —The application configuration applies only to users and user groups you
        Add
        to this list.
    3. Add
      individual applications or application groups to the mapping. The
      Source Users
      you included in the configuration can use GlobalProtect Clientless VPN to link to the applications you add.
  6. Specify the security settings for a Clientless VPN session.
    1. On the
      Crypto Settings
      tab, specify the authentication and encryption algorithms for the SSL sessions between the firewall and the published applications.
      • Protocol Versions
        —Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include
        SSLv3
        ,
        TLSv1.0
        ,
        TLSv1.1
        , or
        TLSv1.2
        .
      • Key Exchange Algorithms
        —Select the supported algorithm types for key exchange. Choices are:
        RSA
        , Diffie-Hellman (
        DHE
        ), or Elliptic Curve Ephemeral Diffie-Hellman (
        ECDHE
        ).
      • Encryption Algorithms
        —Select the supported encryption algorithms.
        AES128
        or higher is recommended.
      • Authentication Algorithms
        —Select the supported authentication algorithms. Choices are:
        MD5
        ,
        SHA1
        ,
        SHA256
        , or
        SHA384
        .
        SHA256
        or higher is recommended.
    2. Select the action to take when the following issues occur with a server certificate presented by an application:
      • Block sessions with expired certificate
        —If the server certificate has expired, block access to the application.
      • Block sessions with untrusted issuers
        —If the server certificate is issued from an untrusted certificate authority, block access to the application.
      • Block sessions with unknown certificate status
        —If the OCSP or CRL service returns a certificate revocation status of
        unknown
        , block access to the application.
      • Block sessions on certificate status check timeout
        —If the certificate status check times out before receiving a response from any certificate status service, block access to the application.
  7. (
    Optional
    ) Specify one or more proxy server configurations to access the applications.
    Only basic authentication to the proxy is supported (username and password).
    If users need to reach the applications through a proxy server, specify a
    Proxy Server
    . You can add multiple proxy server configurations, one for each set of domains.
    • Name
      —A label (up to 31 characters) to identify the proxy server configuration. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    • Domains
      —Add the domains served by the proxy server. You can use a wild card character (*) at the beginning of the domain name to indicate multiple domains.
    • Use Proxy
      —Select to assign a proxy server to provide access to the domains.
    • Server
      —Specify the IP address or host name of the proxy server.
    • Port
      —Specify a port for communication with the proxy server.
    • User
      and
      Password
      —Specify the
      User
      and
      Password
      credentials needed to log in to the proxy server. Specify the password again for verification.
  8. (
    Optional
    ) Specify any special treatment for application domains.
    The Clientless VPN acts as a reverse proxy and modifies web pages returned by the published web applications. It rewrites all URLs and presents a rewritten page to remote users such that when they access any of those URLs, the requests go through GlobalProtect portal.
    In some cases, the application may have pages that do not need to be accessed through the portal (for example, the application may include a stock ticker from yahoo.finance.com). You can exclude these pages.
    On the
    Advanced Settings
    tab,
    Add
    domain names, host names, or IP addresses to the
    Rewrite Exclude Domain List.
    These domains are excluded from rewrite rules and cannot be rewritten.
    Paths are not supported in host and domain names. The wildcard character (*) for host names and domain names can only appear at the beginning of the name (for example, *.etrade.com).
  9. Save the portal configuration.
    1. Click
      OK
      twice.
    2. Commit
      your changes.
  10. Configure a Security policy rule to enable users to access the published applications.
    You need security policies for the following:
    • Make the GlobalProtect portal that hosts Clientless VPN reachable from the Internet. This is traffic from the Untrust or Internet Zone to the zone where you host the Clientless VPN portal.
    • Allow Clientless VPN users to reach the Internet. This is traffic from the Clientless VPN zone to the Untrust or Internet Zone.
      clientless-vpn-zones.png
    • Allow Clientless VPN users to reach corporate resources. This is traffic from the Clientless VPN zone to the Trust or Corp Zone. The security policies you define control which users have permission to use each published application. For the security zone where the published application servers are hosted, make sure
      Enable User Identification
      is set in order to create user-based rules for accessing published applications.
      By default
      Service/URL
      in
      Security Policy Rule
      is set
      application-default
      . Clientless VPN will not work for HTTPS sites with this default setting. Change
      Service/URL
      to include both
      service-http
      and
      service-https
      .
      security-policy-serviceURL.png
    • When you configure a proxy server to access Clientless VPN applications, make sure you include the proxy IP address and port in the security policy definition. When applications are accessed through a proxy server, only security policies defined for the proxy IP address and port are applied.
The source IP address of Clientless VPN traffic (as seen by the application) will either be the IP address of the egress interface through which the portal can reach the application or the translated IP address when source NAT is in use.

Recommended For You