GlobalProtect Administrator’s Guide 151
GlobalProtect Quick Configs Remote Access VPN with Two-Factor Authentication
Quick Config: VPN Remote Access with Two-Factor Authentication
Step 1 Create interfaces and zones for GlobalProtect.
Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
• Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 199.21.7.42, and assign it to the l3-untrust security zone and the default virtual router.
• Create a DNS “A” record that maps IP address 199.21.7.42 to gp.acme.com.
• Select Network > Interfaces > Tunnel, add the tunnel.2 interface, and assign it to a new zone called corp-vpn and to the default virtual router.
• Enable User Identification on the corp-vpn zone.
Step 2 Create a security policy that allows traffic to flow between the corp-vpn zone and the l3-trust zone, so that VPN users can reach your internal resources.
1. Select Policies > Security and then click Add to add a new rule.
2. For this example, you would define the rule with the following settings:
• Name—VPN Access
• Source Zone—corp-vpn
• Destination Zone—l3-trust
Step 3 Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
• (Recommended) Import a server certificate from a well-known, third-party CA.
• Generate a self-signed server certificate.
Select Device > Certificate Management > Certificates to manage certificates as follows:
• Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
• The CN of the certificate must match the FQDN, gp.acme.com.
• To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
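The two requirements in Step 3 (the certificate name must match gp.acme.com, and clients must be able to validate it without errors) are easy to get wrong and only surface when the first user connects. The following script is an added example, not part of the GlobalProtect guide, that checks a certificate the way a client would: it matches the FQDN against the subjectAltName DNS entries and the CN, and checks the expiry. It uses only the Python standard library; the certificate dictionaries are constructed samples in the shape that ssl's getpeercert() returns, and the hostname pa-fw-01.acme.internal in the bad sample is hypothetical. The live check uses the default CA trust store, so a self-signed certificate fails verification there exactly as it would in the GlobalProtect client.

```python
import socket
import ssl
import time

# Constructed sample (not from a real device): a certificate whose CN and SAN
# both carry the FQDN that clients resolve, as Step 3 requires.
GOOD_CERT = {
    "subject": ((("commonName", "gp.acme.com"),),),
    "subjectAltName": (("DNS", "gp.acme.com"),),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}

# Constructed sample: the CN/SAN were set to the firewall's own hostname
# (hypothetical name) instead of the portal FQDN. The certificate is otherwise
# valid, but every client will see a name-mismatch error.
BAD_CN_CERT = {
    "subject": ((("commonName", "pa-fw-01.acme.internal"),),),
    "subjectAltName": (("DNS", "pa-fw-01.acme.internal"),),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


def san_dns_names(cert):
    """DNS names from the subjectAltName extension, as getpeercert() reports them."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """The subject CN, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern, fqdn):
    """Case-insensitive exact match, or a single leading wildcard label (*.acme.com)."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        # The wildcard covers exactly one label: *.acme.com matches gp.acme.com
        # but not a.b.acme.com.
        return fqdn.endswith(pattern[1:]) and fqdn.count(".") == pattern.count(".")
    return False


def check_portal_cert(cert, fqdn, now=None):
    """Return a list of problems; an empty list means clients can use this cert for fqdn."""
    problems = []
    now = time.time() if now is None else now

    names = san_dns_names(cert)
    if names and not any(name_matches(n, fqdn) for n in names):
        problems.append(f"no subjectAltName DNS entry matches {fqdn}: {names}")

    cn = common_name(cert)
    if cn is None:
        problems.append("certificate has no CN")
    elif not name_matches(cn, fqdn):
        problems.append(f"CN {cn!r} does not match {fqdn}")

    # ssl.cert_time_to_seconds parses the notAfter format getpeercert() uses.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems


def fetch_peer_cert(fqdn, port=443, timeout=5.0):
    """Connect to the portal/gateway interface and return its certificate dict.

    The default context verifies the chain against the system trust store and
    the hostname, so a self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError here, which is itself the finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    fqdn = "gp.acme.com"
    for label, cert in (("good", GOOD_CERT), ("bad-cn", BAD_CN_CERT)):
        print(label, "->", check_portal_cert(cert, fqdn) or "OK")
    if len(sys.argv) > 1:  # optional live check: python3 check_cert.py <portal-fqdn>
        host = sys.argv[1]
        print(host, "->", check_portal_cert(fetch_peer_cert(host), host) or "OK")
```

Run it before pointing users at the portal; run it again from a machine outside the corporate network, since a certificate issued by an internal CA validates on domain-joined clients but fails on the public-CA trust store a BYOD client uses.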
Step 4 Issue client certificates to GlobalProtect users/machines.
1. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user.
2. Install certificates in the personal certificate store on the client systems.