Hardware reference guide

GlobalProtect Administrator’s Guide 11
Set Up the GlobalProtect Infrastructure Enable SSL Between GlobalProtect Components
Table: GlobalProtect Certificate Requirements

Columns: Certificate | Usage | Issuing Process/Best Practices

Certificate: CA certificate
Usage: Used to sign certificates issued to the GlobalProtect components.
Issuing Process/Best Practices: If you plan to use self-signed certificates, it is a best practice to generate a CA certificate on the portal and then use that certificate to issue the required GlobalProtect certificates.

Certificate: Portal server certificate
Usage: Enables GlobalProtect agents/apps to establish an HTTPS connection with the portal. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must exactly match the IP address or fully qualified domain name (FQDN) of the interface hosting the portal.
Issuing Process/Best Practices: As a best practice, use a certificate issued by a well-known, third-party CA. This is the most secure option and it ensures that the end clients will be able to establish a trust relationship with the portal without requiring you to deploy the root CA certificate.
If you do not use a well-known, public CA, you should export the root CA certificate used to generate the portal server certificate to all client systems that will run GlobalProtect to prevent the end users from seeing certificate warnings during the initial portal connection.
If you are deploying a single gateway and portal on the same interface/IP address for basic VPN access, you must use a single server certificate for both components.

Certificate: Gateway server certificate
Usage: Enables GlobalProtect agents/apps to establish an HTTPS connection with the gateway. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must exactly match the FQDN or IP address of the interface where you plan to configure the gateway.
Issuing Process/Best Practices: Each gateway must have its own server certificate.
As a best practice, generate a CA certificate on the portal and use that CA certificate to generate all gateway certificates. The portal can distribute the gateway root CA certificate to agents in the client configuration, so the gateway certificates do not need to be issued by a public CA.
If you are deploying a single gateway and portal on the same interface/IP address for basic VPN access, you must use a single server certificate for both components. As a best practice, use a certificate from a public CA.

Certificate: (Optional) Client certificate
Usage: Used to enable mutual authentication between the GlobalProtect agents and the gateways/portal. In addition to enabling mutual authentication in establishing an HTTPS session between the client and the portal/gateway, you can also use client certificates to authenticate end users.
Issuing Process/Best Practices: For simplified deployment of client certificates, configure the portal to deploy the client certificate to the agents upon successful login. In this configuration, a single client certificate is shared across all GlobalProtect agents using the same configuration; the purpose of this certificate is to ensure that only clients from your organization are allowed to connect.
You can use other mechanisms to deploy unique client certificates to each client system for use in authenticating the end user.
Consider testing your configuration without the client certificate first, and then add the client certificate after you are sure that all other configuration settings are correct.
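The two conditions the table places on portal and gateway server certificates (issued by the CA the agents trust, and CN/SAN exactly matching the FQDN or IP of the serving interface) can be checked with OpenSSL before a certificate is installed. The following is an added example, not part of the guide or of any Palo Alto Networks tooling: it builds a throwaway lab CA standing in for the CA generated on the portal, issues constructed gateway certificates from it, and rejects the common mistake of reusing the portal's certificate on a gateway with a different name.

```shell
#!/bin/sh
# Constructed lab PKI (not a GlobalProtect configuration): a CA playing the
# role of the portal-generated CA, plus server certificates issued from it.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Self-signed CA with explicit CA basic constraints.
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Lab GlobalProtect CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.pem 2>/dev/null

# issue_cert NAME CN SAN: server cert signed by the lab CA. SAN is passed
# separately from CN so a mismatch between the two can be constructed.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# check_server_cert CERT CAFILE HOST: returns 0 only if CERT chains to CAFILE
# and its SAN matches HOST (a DNS name or an IP address, chosen by the shape
# of the argument), i.e. both requirements the table sets for server certs.
check_server_cert() {
  case "$3" in
    *[!0-9.]*) mode=-verify_hostname ;;  # contains non-numeric chars: FQDN
    *)         mode=-verify_ip ;;        # dotted digits only: IP address
  esac
  openssl verify -CAfile "$2" "$mode" "$3" "$1" >/dev/null 2>&1
}

# Gateway cert whose CN and SAN both name the gateway interface: accepted.
issue_cert gw1 gw1.example.com DNS:gw1.example.com
# Gateway reached by IP address, SAN carries that IP: accepted.
issue_cert gw2 192.0.2.10 IP:192.0.2.10
# Portal cert reused on a gateway with a different FQDN: rejected, because
# the name in the certificate must exactly match the interface serving it.
issue_cert portal portal.example.com DNS:portal.example.com

for t in "gw1.pem gw1.example.com" "gw2.pem 192.0.2.10" "portal.pem gw3.example.com"; do
  set -- $t
  if check_server_cert "$1" ca.pem "$2"; then echo "OK   $1 serves $2"
  else echo "FAIL $1 serves $2"; fi
done
```

A certificate that passes `check_server_cert` against the CA the portal distributes to agents will not trigger the certificate warnings the table describes; one that fails it will, regardless of what the CN says.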