Hardware reference guide
156 GlobalProtect Administrator’s Guide
Remote Access VPN with Pre-Logon GlobalProtect Quick Configs
This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.
Quick Config: Remote Access VPN with Pre-Logon
Step 1 Create Interfaces and Zones for GlobalProtect.
Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
• Select Network > Interfaces > Ethernet and configure ethernet1/2 as a Layer 3 Ethernet interface with IP address 199.21.7.42. Assign it to the l3-untrust security zone and the default virtual router.
• Create a DNS “A” record that maps IP address 199.21.7.42 to gp.acme.com.
• Select Network > Interfaces > Tunnel and add the tunnel.2 interface. Assign it to a new zone called corp-vpn and to the default virtual router.
• Enable User Identification on the corp-vpn zone.
Step 2 Create the security policy rules. This configuration requires the following policies (Policies > Security):
• First, create a rule that enables the pre-logon user access to the basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
• Second, create a rule to enable access between the corp-vpn zone and the l3-trust zone for any known user after the user successfully logs in.
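As an added illustration (not code from the guide or from Palo Alto Networks), the following Python model shows how the two rules from Step 2 behave under PAN-OS first-match evaluation together with the implicit interzone-default deny. The rule names, the application names, the choice to let the pre-logon rule reach any destination zone, and the representation of a pre-logon session as the user value "pre-logon" are all assumptions made for this example.

```python
"""Toy first-match evaluator for the pre-logon / known-user rule pair.

Added example, not Palo Alto Networks code. It models two PAN-OS behaviours:
rules are evaluated top to bottom and the first match wins, and traffic that
matches no rule between two zones hits the implicit interzone-default deny.
Rule names, application names and the pre-logon destination zone ("any")
are constructed for this illustration.
"""
from dataclasses import dataclass

PRE_LOGON = "pre-logon"                  # assumed user value of a session before anyone logs in
KNOWN_USER = "known-user"                # matches any identified (authenticated) user
INTERZONE_DEFAULT = "interzone-default"  # implicit final rule: deny between zones


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    app: str
    user: str  # PRE_LOGON until login completes, then e.g. "acme\\alice"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str        # zone name or "any"
    users: frozenset    # {PRE_LOGON}, {KNOWN_USER} or {"any"}
    apps: frozenset     # application names or {"any"}
    action: str         # "allow" or "deny"

    def matches(self, s: Session) -> bool:
        if self.from_zone != s.from_zone:
            return False
        if self.to_zone != "any" and self.to_zone != s.to_zone:
            return False
        if "any" not in self.apps and s.app not in self.apps:
            return False
        if "any" in self.users:
            return True
        if KNOWN_USER in self.users:
            # A known user is any identified user; a pre-logon session never qualifies.
            return s.user != PRE_LOGON
        return s.user in self.users


# Constructed rulebase mirroring Step 2: pre-logon services first, known users second.
RULEBASE = (
    Rule("allow-prelogon-services", "corp-vpn", "any", frozenset({PRE_LOGON}),
         frozenset({"dns", "dhcp", "kerberos", "ldap", "ms-update"}), "allow"),
    Rule("allow-known-users", "corp-vpn", "l3-trust", frozenset({KNOWN_USER}),
         frozenset({"any"}), "allow"),
)


def evaluate(session: Session, rulebase=RULEBASE) -> tuple:
    """Return (rule name, action) of the first matching rule, or the
    implicit interzone-default deny when no rule matches."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    return INTERZONE_DEFAULT, "deny"


if __name__ == "__main__":
    samples = [
        Session("corp-vpn", "l3-trust", "dns", PRE_LOGON),          # machine booting: allowed
        Session("corp-vpn", "l3-trust", "smb", PRE_LOGON),          # pre-logon file share: denied
        Session("corp-vpn", "l3-trust", "smb", "acme\\alice"),      # after login: allowed
        Session("corp-vpn", "l3-untrust", "web-browsing", "acme\\alice"),  # no rule: denied
    ]
    for s in samples:
        print(s.user, s.from_zone, "->", s.to_zone, s.app, "=>", evaluate(s))
```

The second and fourth sample sessions show the point a defender cares about: a pre-logon session is confined to the listed bootstrap services, and a logged-in user still reaches only the zones a rule explicitly grants, because anything unmatched falls through to the interzone-default deny.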
Step 3 Obtain a server certificate for the interface hosting the GlobalProtect portal and gateway using one of the following methods:
• (Recommended) Import a server certificate from a well-known, third-party CA.
• Generate a self-signed server certificate.
Select Device > Certificate Management > Certificates to manage certificates as follows:
• Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
• The CN of the certificate must match the FQDN, gp.acme.com.
• To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
Step 4 Generate a machine certificate for each client system that will connect to GlobalProtect and import them into the personal certificate store on each machine.
Although you could generate self-signed certificates for each client system, as a best practice use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients.
1. Issue client certificates to GlobalProtect users/machines.
2. Install certificates in the personal certificate store on the client systems (Local Computer store on Windows or System Keychain on Mac OS).