Hardware reference guide
GlobalProtect Administrator’s Guide
GlobalProtect Quick Configs: Remote Access VPN with Pre-Logon
Step 5  Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).

        You do not have to import the private key.

  1. Download the CA certificate in Base64 format.
  2. Import the certificate onto each firewall hosting a portal or gateway as follows:
     a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
     b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
     c. Browse to the Certificate File you downloaded from the CA.
     d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
     e. Select the certificate you just imported on the Device Certificates tab to open it.
     f. Select Trusted Root CA and then click OK.
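
A pre-import check for the CA file from Step 5, as an added example that is not part of the original guide: it uses the openssl CLI to confirm that the file is PEM, carries no private key, is a CA certificate, and actually issued a given machine certificate. The function names, file names and the throwaway PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on the CA file before the Step 5 import.
# Usage: check_client_ca CA_FILE MACHINE_CERT   (returns 0 when all checks pass)
check_client_ca() {
    ca=$1 machine=$2
    # The import dialog is told "Base64 Encoded Certificate (PEM)", so reject DER.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || { echo "not PEM" >&2; return 1; }
    # Only the certificate is needed on the firewall; a bundled key should not travel.
    if grep -q -- 'PRIVATE KEY-----' "$ca"; then echo "private key in file" >&2; return 2; fi
    # It must be a CA certificate (basicConstraints CA:TRUE).
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "not a CA certificate" >&2; return 3; }
    # It must be the CA that issued the machine certificate; otherwise the
    # certificate profile cannot validate the machine certificate at pre-logon.
    openssl verify -CAfile "$ca" "$machine" >/dev/null 2>&1 \
        || { echo "machine certificate not issued by this CA" >&2; return 4; }
    # Print the fingerprint so the identical file can be confirmed for each firewall.
    openssl x509 -in "$ca" -noout -fingerprint -sha256
}

# Constructed sample PKI (throwaway keys) so the example runs offline.
make_constructed_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed Machine CA
[v3]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=constructed-laptop" \
        -keyout "$d/machine.key" -out "$d/machine.csr" 2>/dev/null
    openssl x509 -req -in "$d/machine.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/machine.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo"
check_client_ca "$demo/ca.pem" "$demo/machine.pem"
```

Return codes 1 to 4 identify which check failed, so the function can gate a scripted rollout of the same CA file to several firewalls.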

Step 6  On each firewall hosting a GlobalProtect gateway, create a certificate profile to identify which CA certificate to use to validate the client machine certificates.

        Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates if they are different.

  1. Select Device > Certificates > Certificate Management > Certificate Profile and click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
  2. Set Username Field to None.
  3. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in Step 5 and then click OK.
  4. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
  5. Click OK to save the profile.

Step 7  Configure a GlobalProtect Gateway.

        See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.

        Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged in users. In this example, the same LDAP profile is used that is used to authenticate users to the portal.

  Select Network > GlobalProtect > Gateways and add the following configuration:

     Interface: ethernet1/2
     IP Address: 199.21.7.42
     Server Certificate: GP-server-cert.pem issued by Go Daddy
     Certificate Profile: PreLogonCert
     Authentication Profile: Corp-LDAP
     Tunnel Interface: tunnel.2
     IP Pool: 10.31.32.3 - 10.31.32.118

  Commit the gateway configuration.
Quick Config: Remote Access VPN with Pre-Logon (Continued)