GlobalProtect Administrator’s Guide 147
Remote Access VPN (Certificate Profile)
When authenticating users with certificate authentication, the client must present a unique client certificate that
identifies the end user in order to connect to GlobalProtect. When used as the only means of authentication,
the certificate the client presents must contain the username in one of the certificate fields; typically the
username corresponds to the common name (CN) in the Subject field of the certificate. Upon successful
authentication, the GlobalProtect agent establishes a VPN tunnel with the gateway and is assigned an IP address
from the IP pool in the gateway’s tunnel configuration. To enable user-based policy enforcement on sessions
from the corp-vpn zone, the username from the certificate is mapped to the IP address assigned by the gateway.
If a domain name is required for policy enforcement, the domain value specified in the certificate profile is
appended to the username.
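The username derivation described above, as an added, runnable illustration (not Palo Alto Networks code): it pulls the CN out of a DER-encoded certificate Subject, rejects certificates that carry no CN or more than one, combines the certificate profile's domain with the username, assigns an address from the gateway's tunnel pool, and records the user-to-IP mapping that policy on the corp-vpn zone would consume. The minimal DER encoder and decoder, the `Gateway` class, the pool 10.31.32.0/24 and the `domain\user` rendering of the combined name are all assumptions made for this example; the page only states that the domain is added to the username.

```python
"""Client-certificate username extraction and user-to-IP mapping (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

OID_COMMON_NAME = "2.5.4.3"          # id-at-commonName, the Subject CN attribute
SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C


# --- minimal DER helpers, assumed for this example (cover only the Name type) ---
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        items.append((tag, inner))
    return items


def encode_subject(rdns: List[Tuple[str, str]]) -> bytes:
    """Build a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) from (oid, value) pairs."""
    sets = [_tlv(SET, _tlv(SEQUENCE, _tlv(OID, _encode_oid(o)) + _tlv(UTF8STRING, v.encode())))
            for o, v in rdns]
    return _tlv(SEQUENCE, b"".join(sets))


def common_names(subject_der: bytes) -> List[str]:
    """Walk Name -> RDN (SET) -> AttributeTypeAndValue and collect every CN value."""
    tag, body, _ = _read_tlv(subject_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Subject is not a DER SEQUENCE")
    names = []
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid_body), (_, value) = _children(atv)[:2]
            if _decode_oid(oid_body) == OID_COMMON_NAME:
                names.append(value.decode("utf-8"))
    return names


def username_from_certificate(subject_der: bytes, domain: Optional[str] = None) -> str:
    """The CN is the username; the certificate profile's domain, when set, is combined
    with it (domain\\user is an assumed rendering). A Subject with no CN, an empty CN,
    or several CNs is rejected instead of guessing which identity to use."""
    cns = common_names(subject_der)
    if len(cns) != 1 or not cns[0].strip():
        raise ValueError(f"expected exactly one non-empty CN, found {cns!r}")
    user = cns[0].strip()
    return f"{domain}\\{user}" if domain else user


class Gateway:
    """Assumed model of the gateway: tunnel IP pool plus the user-to-IP map for corp-vpn policy."""
    def __init__(self, pool_cidr: str):
        self._free = list(ipaddress.ip_network(pool_cidr).hosts())
        self.user_ip_map: Dict[str, str] = {}

    def connect(self, subject_der: bytes, domain: Optional[str] = None) -> Tuple[str, str]:
        user = username_from_certificate(subject_der, domain)   # auth before any address is handed out
        if not self._free:
            raise RuntimeError("IP pool exhausted")
        ip = str(self._free.pop(0))
        self.user_ip_map[ip] = user
        return user, ip


if __name__ == "__main__":
    # Constructed sample Subject: CN=jsmith, O=Acme (not a real certificate)
    subject = encode_subject([(OID_COMMON_NAME, "jsmith"), ("2.5.4.10", "Acme")])
    gw = Gateway("10.31.32.0/24")       # constructed pool, not a value from the page
    print(gw.connect(subject, domain="acme"))
```

The point the check makes: the mapping is only as trustworthy as the rule that turns a certificate into a username, so a Subject that does not yield exactly one CN must fail closed rather than fall back to another field.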
Figure: GlobalProtect Client Certificate Authentication Configuration
This quick configuration uses the same topology as Figure: GlobalProtect VPN for Remote Access. The only
configuration difference is that instead of authenticating users against an external authentication server, this
configuration uses client certificate authentication only.
Quick Config: VPN Remote Access with Client Certificate Authentication
Step 1 Create Interfaces and Zones for GlobalProtect.

Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.

- Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 199.21.7.42, and assign it to the l3-untrust security zone and the default virtual router.
- Create a DNS "A" record that maps IP address 199.21.7.42 to gp.acme.com.
- Select Network > Interfaces > Tunnel, add the tunnel.2 interface, and add it to a new zone called corp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.