
GlobalProtect Administrator's Guide, page 10
Set Up the GlobalProtect Infrastructure
Enable SSL Between GlobalProtect Components
All interaction between the GlobalProtect components occurs over an SSL connection. Therefore, you must
generate and/or install the required certificates before configuring each component so that you can reference
the appropriate certificate(s) in the configurations. The following sections describe the supported methods of
certificate deployment, give descriptions and best practice guidelines for the various GlobalProtect certificates,
and provide instructions for generating and deploying the required certificates:
About GlobalProtect Certificate Deployment
GlobalProtect Certificate Best Practices
Deploy Server Certificates to the GlobalProtect Components
About GlobalProtect Certificate Deployment
There are three basic approaches to Deploy Server Certificates to the GlobalProtect Components:
(Recommended) Combination of third-party certificates and self-signed certificates—Because the
end clients will be accessing the portal prior to GlobalProtect configuration, the client must trust the
certificate to establish an HTTPS connection. Similarly, if you are using GlobalProtect Mobile Security
Manager, the same is true for mobile devices accessing the Mobile Security Manager for enrollment.
Therefore, the recommended approach is to purchase the portal server certificate and the server certificate
for the Mobile Security Manager device check-in interface from a trusted CA that most end clients will
already trust in order to prevent certificate errors. After successfully connecting, the portal can push any
other required certificates (for example, the root CA certificate for the gateway) to the end client.
Enterprise Certificate Authority—If you already have your own enterprise certificate authority, you can
use this internal CA to issue certificates for each of the GlobalProtect components and then import them
onto the firewalls hosting your portal and gateway(s) and onto the Mobile Security Manager. In this case, you
must also ensure that the end user systems/mobile devices trust the root CA certificate used to issue the
certificates for the GlobalProtect services to which they must connect.
Self-Signed Certificates—You can generate a self-signed CA certificate on the portal and use it to issue
certificates for all of the GlobalProtect components. However, this solution is less secure than the other
options and is therefore not recommended. If you do choose this option, end users will see a certificate error
the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate
to all end user systems manually or using some sort of centralized deployment, such as an Active Directory
Group Policy Object (GPO).
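The trust relationships described above can be modeled end to end with the openssl command line. The following shell script is an added example, not from the guide or from Palo Alto Networks: it builds two constructed CAs (a "public" CA the client already trusts and a self-signed GlobalProtect root), issues a portal certificate from the first and a gateway certificate from the second, and then checks what an end client accepts before and after the root CA is pushed to its trust store. All CA names and the hostnames portal.example.com and gw1.example.com are constructed.

```shell
#!/usr/bin/env bash
# Added example: model the recommended certificate deployment with openssl.
# Requires the openssl CLI; every name and hostname below is constructed.
set -euo pipefail
WORK=$(mktemp -d)

# Create a self-signed CA. $1 = file prefix, $2 = CN.
make_ca() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\nCN=%s\n[ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' "$2" > "$WORK/$1.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate. $1 = file prefix, $2 = hostname (SAN), $3 = issuing CA prefix.
issue_server_cert() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=%s\n' "$2" > "$WORK/$1.cnf"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$2" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# What an end client does on connect: build the chain against its trust store
# and check the hostname. $1 = trust store (PEM bundle), $2 = hostname, $3 = server cert.
client_trusts() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

make_ca public_ca "Public CA (constructed)"
make_ca gp_root  "GlobalProtect Root CA (constructed)"
issue_server_cert portal portal.example.com public_ca   # portal cert purchased from a trusted CA
issue_server_cert gw1    gw1.example.com    gp_root     # gateway cert issued by the self-signed CA

# Client trust store at first connect: only the public CA is present.
cp "$WORK/public_ca.crt" "$WORK/store_before.pem"
# Trust store after the portal pushes the GlobalProtect root CA to the client.
cat "$WORK/public_ca.crt" "$WORK/gp_root.crt" > "$WORK/store_after.pem"

report() {
  if client_trusts "$1" "$2" "$3"; then echo "trusted:   $2 ($(basename "$1"))"
  else echo "untrusted: $2 ($(basename "$1"))"; fi
}
report "$WORK/store_before.pem" portal.example.com "$WORK/portal.crt"
report "$WORK/store_before.pem" gw1.example.com    "$WORK/gw1.crt"
report "$WORK/store_after.pem"  gw1.example.com    "$WORK/gw1.crt"
```

The gateway certificate is rejected until its root CA is in the client store, which is exactly the certificate error the text warns about for the self-signed approach; the hostname check in client_trusts also rejects a certificate presented for a name its SAN does not cover.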
GlobalProtect Certificate Best Practices
The following table summarizes the SSL certificates you will need, depending on which features you plan to use: