
GlobalProtect Administrator's Guide
Set Up the GlobalProtect Infrastructure: Enable SSL Between GlobalProtect Components
For details about the types of keys used to establish secure communication between the GlobalProtect agent
and the portals and gateways, see Reference: GlobalProtect Agent Cryptographic Functions.
Certificate | Usage | Issuing Process/Best Practices

Certificate: (Optional) Machine certificates
Usage: Ensures that only trusted machines can connect to GlobalProtect. In addition, machine certificates are required for the pre-logon connect method, which allows VPN tunnels to be established before the user logs in.
Issuing Process/Best Practices: If you plan to use the pre-logon feature, you must use your own PKI infrastructure to deploy machine certificates to each client system prior to enabling GlobalProtect access. For more information, see Remote Access VPN with Pre-Logon.

Certificate: Mobile Security Manager server certificate(s)
Usage: Enables mobile devices to establish HTTPS sessions with the Mobile Security Manager for enrollment and check-in. Enables gateways to connect to the Mobile Security Manager to retrieve HIP reports for managed mobile devices. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must exactly match the IP address or fully qualified domain name (FQDN) of the interface.
Issuing Process/Best Practices: Because mobile devices must trust the Mobile Security Manager in order to enroll, as a best practice purchase a certificate for the Mobile Security Manager device check-in interface from a well-known, trusted CA. If you do not use a trusted CA to issue certificates for the Mobile Security Manager device check-in interface, you will have to deploy the Mobile Security Manager root CA certificate to the mobile devices via the portal configuration (to enable the device to establish an SSL connection with the Mobile Security Manager for enrollment). If the device check-in interface is on a different interface than the interface where gateways connect for HIP retrieval, you will need separate server certificates for each interface. For detailed instructions, see Set Up the GlobalProtect Mobile Security Manager.

Certificate: Apple Push Notification service (APNs) Mobile Security Manager certificate
Usage: Allows the Mobile Security Manager to send push notifications to managed iOS devices.
Issuing Process/Best Practices: You must generate the certificate signing request (CSR) for this certificate on the Mobile Security Manager and then send it to the Apple iOS Provisioning Portal (login required) for signing. Apple only supports CSRs signed using the SHA-1 message digest and 2048-bit keys. See Configure the Mobile Security Manager for Device Check-in for details on how to set this up.

Certificate: Identity certificates
Usage: Enables the Mobile Security Manager and optionally the gateway to establish mutually authenticated SSL sessions with mobile devices.
Issuing Process/Best Practices: The Mobile Security Manager manages the deployment of identity certificates for the devices it manages. See Configure the Mobile Security Manager for Enrollment for details on how to set this up.
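The exact CN/SAN match requirement for the Mobile Security Manager server certificate, and the note that a separate check-in interface and HIP-retrieval interface need separate certificates, can be checked before deployment. The script below is an added example, not code from the guide or from Palo Alto Networks; the certificate dicts are constructed sample data in the shape Python's ssl.SSLSocket.getpeercert() returns, and the interface roles, hostnames and addresses are assumptions.

```python
import ipaddress


def cert_names(cert):
    """Identities a certificate asserts: the subject CN plus every DNS and
    IP Address SAN entry, normalised (lowercase DNS, canonical IP text)."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
        elif kind == "IP Address":
            names.add(str(ipaddress.ip_address(value)))
    return names


def matches_interface(cert, interface):
    """Exact match only, as the guide requires: a wildcard such as
    *.example.com does not cover mdm.example.com here."""
    try:
        target = str(ipaddress.ip_address(interface))  # canonicalise IPs
    except ValueError:
        target = interface.lower()  # not an IP, treat as an FQDN
    return target in cert_names(cert)


def audit(interfaces, certs):
    """For each interface role -> address, list the labels of the certs
    that cover it. An empty list means that interface needs its own cert."""
    return {role: [label for label, cert in certs.items()
                   if matches_interface(cert, addr)]
            for role, addr in interfaces.items()}


# Constructed sample: device check-in on a public FQDN, HIP retrieval by
# gateways on a separate internal interface that no certificate covers.
INTERFACES = {"device-checkin": "mdm.example.com", "hip-retrieval": "10.1.1.5"}
CERTS = {
    "public-ca-cert": {"subject": ((("commonName", "mdm.example.com"),),),
                       "subjectAltName": (("DNS", "mdm.example.com"),)},
    "wildcard-cert": {"subject": ((("commonName", "*.example.com"),),),
                      "subjectAltName": (("DNS", "*.example.com"),)},
}

if __name__ == "__main__":
    for role, covering in audit(INTERFACES, CERTS).items():
        print(f"{role}: {covering or 'NO MATCHING CERTIFICATE'}")
```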