
100 GlobalProtect Administrator’s Guide
Define Deployment Policies Set Up the GlobalProtect Mobile Security Manager
Step 2 Specify the type of challenge to use. The challenge is the one-time password (OTP) that is shared between the Mobile Security Manager and the SCEP server. The Mobile Security Manager includes the OTP in the SCEP configuration it sends to the mobile device, and the device uses it to authenticate itself to the SCEP server.

Select one of the following SCEP Challenge options:

None—The SCEP server issues the certificate without an OTP.

Fixed—The Mobile Security Manager will provide a static OTP that is used for all mobile devices. Get the OTP from the SCEP server and enter it in the text box. You will also need to set the UseSinglePassword registry value on the SCEP server to force it to use a single password for all client certificate enrollments.

Dynamic—The Mobile Security Manager will get a unique OTP from the SCEP server for each mobile device during enrollment using an NTLM challenge-response exchange between the two servers. If you select this option, you must configure the Server Path where the Mobile Security Manager can connect to the SCEP server and enter the credentials that it should use to log in. In addition, you can select the SSL check box to require an HTTPS connection for the challenge request. If you enable SSL, you must select the SCEP server’s root CA Certificate. Optionally enable mutual SSL authentication between the SCEP server and the Mobile Security Manager by selecting a Client Certificate.

Step 3 Specify how to connect to the SCEP server.

1. Specify the Server URL that the mobile device should use to reach the SCEP server. For example, http://<hostname>/certsrv/mscep_admin/mscep.dll

2. Enter a string (up to 255 characters in length) to identify the SCEP server in the CA-IDENT Name field.
Set Up a SCEP Configuration (Continued)
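As an added example (not from this guide or from Palo Alto Networks), the following Python checker applies the rules stated in Steps 2 and 3 to a configuration record before it is committed: it flags missing fields for each SCEP Challenge option and notes where the weaker settings (no OTP, a shared static OTP, or an unencrypted challenge request) are in use. The field names in the record are assumed for illustration.

```python
from urllib.parse import urlparse

# Hypothetical consistency checker (added example, not Palo Alto Networks
# code). It encodes the rules stated above for a Mobile Security Manager
# SCEP configuration and returns a list of findings; an empty list means
# the configuration is consistent with those rules. Field names are assumed.
def check_scep_config(cfg: dict) -> list[str]:
    findings = []
    challenge = cfg.get("scep_challenge", "None")

    if challenge == "None":
        findings.append("WARN: no OTP, so the device does not authenticate "
                        "itself to the SCEP server during enrollment")
    elif challenge == "Fixed":
        if not cfg.get("otp"):
            findings.append("ERROR: Fixed requires the static OTP obtained "
                            "from the SCEP server")
        if not cfg.get("use_single_password_set"):
            findings.append("ERROR: Fixed requires the UseSinglePassword "
                            "registry value on the SCEP server")
        findings.append("WARN: one static OTP is shared by all mobile devices")
    elif challenge == "Dynamic":
        # Per-device OTP is fetched over an NTLM exchange with the SCEP server.
        for field in ("server_path", "username", "password"):
            if not cfg.get(field):
                findings.append(f"ERROR: Dynamic requires '{field}' for the "
                                "NTLM exchange with the SCEP server")
        if cfg.get("ssl"):
            if not cfg.get("ca_certificate"):
                findings.append("ERROR: SSL is enabled but the SCEP server's "
                                "root CA Certificate is not selected")
            if not cfg.get("client_certificate"):
                findings.append("INFO: no Client Certificate, so mutual SSL "
                                "authentication is not in use")
        else:
            findings.append("WARN: SSL not enabled; the challenge request "
                            "is not sent over HTTPS")
    else:
        findings.append(f"ERROR: unknown SCEP Challenge '{challenge}'")

    url = urlparse(cfg.get("server_url", ""))
    if url.scheme not in ("http", "https") or not url.netloc or not url.path:
        findings.append("ERROR: Server URL must be a full http(s) URL such as "
                        "http://<hostname>/certsrv/mscep_admin/mscep.dll")

    ident = cfg.get("ca_ident_name", "")
    if not ident or len(ident) > 255:
        findings.append("ERROR: CA-IDENT Name is required and at most 255 characters")
    return findings
```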