Configure the Portal and Customize the App
|
Before You Begin:
|
Configure one or more gateways to which the app can connect. See
Configure the Gateway to Support the GlobalProtect App for Chrome OS.
|
|
Configure the GlobalProtect portal.
|
Select
Network
>
GlobalProtect
>
Portals
and select the portal configuration for which you want to add a client configuration or
Add
a new one.
(
New portal configuration only
) On the
General
tab, provide a
Name
and
Interface
for the new GlobalProtect portal configuration.
|
|
Configure the method of authentication a GlobalProtect portal uses to authenticate Chrome OS users.
|
Select the
Authentication
tab.
(
New portal configuration only
) Select an
SSL/TLS Service Profile.
Add
a new Client Authentication configuration and configure the settings. To create a configuration specific to Chromebooks, specify Chrome as the OS as described in
Client Authentication Configuration by Operating System or Browser.
|
Add the trusted root CA certificate the app will use to perform certificate checks when connecting to the GlobalProtect gateway. The portal deploys the specified root CA certificate with the client configuration.
If the certificate is self-signed, the GlobalProtect app for Chrome OS will not use the certificate deployed by the portal. Therefore, to use a self-signed certificate, you must install the root CA in the client's local certificate store.
If GlobalProtect does not require the certificate, you must install it in the root CA of the client’s local certificate store.
|
Select the
Agent
tab and
Add
the trusted root CA in the Trusted Root CA section.
Install the root CA in the local certificate store of the Chromebook:
From the Chromebook, click the status area and then select
Settings
>
Show advanced settings
>
Manage certificates
>
Authorities
>
Import.
Browse to the certificate and then click
Open.
When prompted to edit trust settings, select all options and then click
OK.
Verify that the Chromebook lists the certificate on
Your Certificates
tab.
|
Add a new agent configuration for the app and configure the internal or external gateways to which users with this configuration can connect.
The GlobalProtect app for Chrome OS does not support manual gateway configurations.
|
Select
Network
>
GlobalProtect
>
Portals
and reselect the portal configuration you are configuring.
From the
Agent
tab, select the agent configuration you want to modify or
Add
a new one.
Select
Authentication
and provide a
Name
for the configuration.
Select
Gateways
and
Add
one or more internal or external gateway.
(
External gateways only
) Set the
Priority
of the gateway.
GlobalProtect excludes any external gateways that have
Manual only
priority.
|
|
Customize how your end users interact with the GlobalProtect app installed on their Chromebooks. The GlobalProtect app for Chrome OS supports only the configuration options listed here.
|
On the
App
tab, configure the
Connect Method
as
On-demand (Manual user initiated connection). This setting requires users to manually initiate a VPN connection using the GlobalProtect app. The GlobalProtect app for Chrome OS supports only this connect method and automatically uses this method for all connections even if you do not specify it as the
Connect Method.
Customize the behavior of the app for users that receive this configuration, including any of the following supported options:
Enable Advanced View
—Select
No
to restrict the user interface on the Chromebook to the basic minimum view. By default, the user can view advanced settings.
Allow User to Change Portal Address
—Select
No
to disable the
Portal
field on the GlobalProtect app.
Allow User to Continue with Invalid Portal Server Certificate
—Select
No
to prevent the app from establishing a connection with the portal if the portal certificate is not valid. By default, the app can establish a connection with the portal when the portal certificate is not valid.
Portal Connection Timeout
—Specify the amount of time, in seconds, after which the app cancels the portal connection (range is 1-600; default is 30).
TCP Connection Timeout
—Specify the amount of time, in seconds, after which the app cancels a TCP connection request (range is 1-600; default is 5).
TCP Receive Timeout
—Specify the permitted amount of time, in seconds, in which the app can receive a partial response to a request or read some data. If the response exceeds the timeout, the app cancels the request (range is 1-600; default is 30).
SCEP Cert Renewal Period
—Specify the number of days after which the app renews the Simple Certificate Enrollment Protocol (SCEP) certificate. A value of 0 means the certificate should not be renewed automatically during a configuration refresh.
Maximum Internal Gateway Connection Attempts
—Specify the maximum number of times the app tries to establish a connection to an internal gateway. The default is 0, which means the app does not reattempt a connection after an initial failure.
|
|
Save your configuration changes.
|
Click
OK
twice.
Commit
your changes.
|
Deploy the GlobalProtect app to end users.
The portal does not distribute the GlobalProtect app for Chrome OS.
|
An end user can download the GlobalProtect app directly from the
Chrome Web Store. You can also force-install the app on managed Chromebooks using the Chromebook Management Console. See
Configure the GlobalProtect App Using the Chromebook Management Console.
|
Specifying the client version without specifying the OS or hostname matches all endpoints regardless of OS version.