Hardware reference guide
GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Infrastructure: Configure GlobalProtect Gateways
Step 2 Specify the network information to enable agents to connect to the gateway.
If you have not yet created the network interface for the gateway, see Create Interfaces and Zones for GlobalProtect for instructions. If you haven’t yet created a server certificate for the gateway, see Deploy Server Certificates to the GlobalProtect Components.
1. Select the Interface that agents will use for ingress access to the gateway.
2. Select the IP Address for the gateway web service.
3. Select the Server Certificate for the gateway from the drop-down.
Note The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
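A pre-deployment check for the certificate note in Step 2, as an added example that is not part of the guide: it takes a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert() and tests the CN and any SAN entries against the gateway's IP address or FQDN. The function names, the strict reading of the note (the CN must match, and the SAN too when one is present), and the sample certificates are assumptions constructed for illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def check_gateway_cert(cert, gateway_addr):
    """Check CN and SAN of a getpeercert()-style dict against the gateway IP/FQDN.

    Returns (ok, problems). Strict reading of the note (an assumption): the CN
    must match, and when a SAN extension is present it must match as well.
    """
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = cert.get("subjectAltName", ())
    want_ip = _as_ip(gateway_addr)
    if want_ip is not None:
        # IP gateway: compare parsed addresses; only "IP Address" SAN entries count.
        cn_ok = any(_as_ip(c) == want_ip for c in cns)
        san_ok = any(t == "IP Address" and _as_ip(v) == want_ip for t, v in sans)
    else:
        # FQDN gateway: exact, case-insensitive match; only "DNS" SAN entries count.
        want = gateway_addr.lower().rstrip(".")
        cn_ok = any(c.lower().rstrip(".") == want for c in cns)
        san_ok = any(t == "DNS" and v.lower().rstrip(".") == want for t, v in sans)
    problems = []
    if not cn_ok:
        problems.append(f"CN {cns} does not match {gateway_addr}")
    if sans and not san_ok:
        problems.append(f"SAN has no matching entry for {gateway_addr}")
    return (not problems, problems)

# Constructed sample certificates (not taken from any real gateway).
def _cert(cn, *san):
    return {"subject": ((("commonName", cn),),), **({"subjectAltName": san} if san else {})}

GOOD = _cert("gp.example.com", ("DNS", "gp.example.com"), ("IP Address", "203.0.113.10"))
CN_ONLY = _cert("GP.Example.com")
SAN_MISMATCH = _cert("gp.example.com", ("DNS", "vpn.example.com"))
IP_AS_DNS = _cert("203.0.113.10", ("DNS", "203.0.113.10"))

if __name__ == "__main__":
    for name, cert, addr in [("GOOD", GOOD, "gp.example.com"), ("CN_ONLY", CN_ONLY, "gp.example.com"),
                             ("SAN_MISMATCH", SAN_MISMATCH, "gp.example.com"),
                             ("IP_AS_DNS", IP_AS_DNS, "203.0.113.10")]:
        print(name, check_gateway_cert(cert, addr))
```

The IP_AS_DNS sample shows a common issuance mistake: an IP address placed in a DNS-type SAN entry does not count as a match for a gateway addressed by IP.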
Step 3 Specify how the gateway will authenticate end users.
If you have not yet set up the authentication profiles and/or certificate profiles, see Set Up GlobalProtect User Authentication for instructions.
• To authenticate users using a local user database or an external authentication service such as LDAP, Kerberos, or RADIUS (including OTP), select the corresponding Authentication Profile.
• To provide help to users as to what login credentials to supply, enter an Authentication Message.
• To authenticate users based on a client certificate or smart card, select the corresponding Certificate Profile.
• To use two-factor authentication, select both an authentication profile and a certificate profile. Keep in mind that the user must successfully authenticate using both methods to be granted access.
Step 4 Configure the tunnel parameters and enable tunneling.
The tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, they are optional.
If you want to force use of SSL-VPN tunnel mode, clear the Enable IPSec check box. By default, SSL-VPN will only be used if the client fails to establish an IPSec tunnel. Extended authentication (X-Auth) is only supported on IPSec tunnels.
1. On the GlobalProtect Gateway dialog, select Client Configuration > Tunnel Settings.
2. Select the Tunnel Mode check box to enable tunneling.
3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for GlobalProtect.
4. (Optional) Select Enable X-Auth Support if you have end clients that need to connect to the gateway using a third-party VPN client, such as a VPNC client running on Linux. If you enable X-Auth, you must also provide the Group name and Group Password if required by the client.
Although X-Auth access is supported on iOS and Android devices, it provides limited GlobalProtect functionality. Instead, use the GlobalProtect app for simplified access to the full security feature set GlobalProtect provides on iOS and Android devices. The GlobalProtect app for iOS is available from the App Store and the GlobalProtect app for Android is available from Google Play.
Configure the Gateway (Continued)