Configure Remote Access with Pre-logon then On-demand
Step 1. Create interfaces and zones for GlobalProtect.
a. Configure a Layer 3 interface for each portal and/or gateway you plan to deploy.
b. On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate the VPN tunnels established by the GlobalProtect agents.
c. If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
d. Save the configuration.
Step 2. Create security policy rules.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to enable access to resources in the trust zone, you must create security policy rules that match the pre-logon user.
a. Create a rule that allows the pre-logon user access to the basic services the computer needs to come up, such as authentication services, DNS, DHCP, and Microsoft Updates. Keep this rule as narrow as possible: it applies to any endpoint that presents a valid machine certificate, before any user has authenticated.
b. Create a rule that allows traffic between the corp-vpn zone and the l3-trust zone for any known user after the user successfully logs in.
Step 3. Obtain a server certificate for the interface that hosts the GlobalProtect portal and gateway. Either:
- (Recommended) Import a server certificate from a well-known, third-party CA.
- Use the root CA on the portal to generate a self-signed server certificate.
a. Select Device > Certificate Management > Certificates and obtain a server certificate that meets the following criteria:
   - Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
   - The CN of the certificate must match the FQDN, gp.acme.com.
   - To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
Step 4. On each firewall that hosts a GlobalProtect gateway, create a certificate profile that identifies the CA certificate for validating the machine certificates.
Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure the certificate profile also references the CA certificate that issues the client certificates, if it differs from the CA that issued the machine certificates.
a. Select Device > Certificate Management > Certificate Profile.
b. Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
c. Set Username Field to None.
d. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
e. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 5, and then click OK.
f. Click OK to save the profile.
Step 5. Generate and deploy machine certificates.
During pre-logon, the firewall sees the user as pre-logon for user-to-IP address mapping, logging, and security policy.
a. Generate a machine certificate for each client system that will connect to GlobalProtect and import it into the personal certificate store on each machine. Although you could generate self-signed certificates for each client system, as a best practice use your own public key infrastructure (PKI) to issue and distribute certificates to your clients.
b. Import the trusted root CA certificate from the CA that issued the certificates onto the portal and gateways.
c. Click OK twice to save the configuration.
Step 6. Configure GlobalProtect gateways.
Although you must create a certificate profile for access to the gateway using the pre-logon then on-demand connect method, you can use either client certificate authentication or authentication profile-based authentication for logged-in users.
a. Select Network > GlobalProtect > Gateways and select an existing gateway configuration or add a new one.
b. After configuring the gateway, Commit your changes.
Step 7. Configure the GlobalProtect portal.
First, configure the device details (networking parameters, the authentication service profile, and the certificate for the authentication server). Next, create two agent configuration profiles. With these two agent configurations, you can limit pre-logon users to a single gateway while giving logged-in users access to multiple gateways.
As a best practice, enable SSO in the second agent configuration so that the correct username is reported to the gateway as soon as the user logs in to the endpoint. If SSO is not enabled, the username saved in the Agent settings panel is used.
a. Select Network > GlobalProtect > Portals. Select the portal configuration or Add one.
b. Set up access to the GlobalProtect portal by configuring the General network settings and the portal Authentication settings, for example:
   Interface: ethernet1/2
   IP Address: 203.0.113.1
   SSL/TLS Service Profile: GP-server-cert-profile (issued by GoDaddy)
   Certificate Profile: None
   Authentication Profile: Corp-LDAP
c. Define the GlobalProtect agent configurations for pre-logon users and for logged-in users, for example:
   First agent configuration:
     Connect Method: Pre-logon then on-demand
     External Gateway Address: gp.example.com
     User/User Group: pre-logon
     Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
   Second agent configuration:
     Use single sign-on: enabled
     Connect Method: Pre-logon then on-demand
     External Gateway Address: gp.example.com
     User/User Group: any
     Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
d. Make sure the pre-logon then on-demand client configuration (the one whose User/User Group is pre-logon) is first in the list of configurations, because configurations are matched in order. If it is not, select it and click Move Up.
Step 8. Save the GlobalProtect configuration.
a. Click Commit.
Step 9. (Optional) If users will never log in to a device (for example, a headless device), or a pre-logon connection is required on a system that a user has not previously logged in to, create the Prelogon registry entry on the client system.
You must also pre-deploy additional agent settings such as the default portal IP address and connect method. For more information about registry settings, see Deploy Agent Settings Transparently.
a. Locate the GlobalProtect settings in the registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
b. Create a String Value named Prelogon with a value of 1. This setting enables GlobalProtect to initiate a connection before the user logs in to the endpoint.
c. Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect client.
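The following PowerShell script is an added example, not part of the Palo Alto Networks documentation or the GlobalProtect product: it pre-deploys the Prelogon and Portal registry values described in the registry step on a headless or never-logged-in endpoint, and then checks that a machine certificate from the machine-certificate step is present and valid in the local machine store, which the gateway's certificate profile will require before any user logs in. The portal hostname reuses the page's example (gp.example.com); the issuer CN of the machine-certificate CA is an assumption and must be replaced with your PKI's value.

```powershell
# Added example (not from the Palo Alto Networks documentation).
# Run elevated; writes HKLM and reads Cert:\LocalMachine\My.
param(
    [string]$PortalHost = 'gp.example.com',           # portal FQDN from the page's example config
    [string]$ExpectedIssuerCn = 'CN=Example-Root-CA'   # ASSUMPTION: issuer CN of your machine-cert CA
)

$panSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# On a device the agent has never run on, the PanSetup key may not exist yet.
if (-not (Test-Path $panSetup)) {
    New-Item -Path $panSetup -Force | Out-Null
}

# Both entries are String Values (REG_SZ), as the procedure specifies; -Force overwrites stale values.
New-ItemProperty -Path $panSetup -Name 'Prelogon' -Value '1'         -PropertyType String -Force | Out-Null
New-ItemProperty -Path $panSetup -Name 'Portal'   -Value $PortalHost -PropertyType String -Force | Out-Null

# Read back what was written rather than trusting the write succeeded.
$props = Get-ItemProperty -Path $panSetup
if ($props.Prelogon -ne '1' -or $props.Portal -ne $PortalHost) {
    throw "PanSetup values not applied: Prelogon='$($props.Prelogon)' Portal='$($props.Portal)'"
}

# The pre-logon tunnel is authenticated only by the machine certificate, so confirm one
# issued by the expected CA, with a private key, is in the LocalMachine personal store
# and is within its validity period.
$now = Get-Date
$machineCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "*$ExpectedIssuerCn*" -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }

if (-not $machineCerts) {
    Write-Warning ("No valid machine certificate issued by '{0}' with a private key found in " +
                   "Cert:\LocalMachine\My; the gateway's certificate profile will reject pre-logon.") -f $ExpectedIssuerCn
} else {
    foreach ($cert in $machineCerts) {
        Write-Output ("Machine cert OK: Subject={0} Thumbprint={1} Expires={2:yyyy-MM-dd}" -f
                      $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
}
```

Run it as part of the endpoint's provisioning task before the first pre-logon attempt; a warning from the certificate check means the tunnel will fail at the gateway's certificate profile, not at the registry settings.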