Hardware reference guide

GlobalProtect Administrator’s Guide
Configure the GlobalProtect Portal Set Up the GlobalProtect Infrastructure
- The root CA certificate required to enable the agent/app to establish an SSL connection with the GlobalProtect gateway(s) and/or the Mobile Security Manager.
- The client certificate that the agent should present to the gateway when it connects. This is only required if mutual authentication is required between the agent and the gateway.
- The settings the agent uses to determine whether it is connected to the local network or to an external network.
- Agent configuration settings, such as what agent views the end users can see, whether users can save their GlobalProtect passwords, and whether users are prompted to upgrade the agent software.
Use the following procedure to create a client configuration.
If the portal is down or unreachable, the agent will use the cached version of its client
configuration from its last successful portal connection to obtain settings, including which
gateway(s) to connect to, what root CA certificate(s) to use to establish secure communication
with the gateway(s), and what connect method to use.
Create a GlobalProtect Client Configuration
Step 1 Add the Root CA certificates that will be required for the agent/app to establish an SSL connection with the GlobalProtect gateway(s) and/or the Mobile Security Manager. This step is only required if you are not using certificates issued by a trusted CA on your gateways and/or Mobile Security Manager. The portal will deploy the root CA certificates you add here to all agents as part of the client configuration so that they can establish an SSL connection with the gateways/Mobile Security Manager.

1. If you are still in the GlobalProtect gateway dialog, select the Client Configuration tab. Otherwise, select Network > GlobalProtect > Portals and select the portal configuration for which you want to add a client configuration and then select the Client Configuration tab.
2. In the Trusted Root CA field, click Add and then select the CA certificate that was used to issue the gateway server certificates. As a best practice, all of your gateways should use the same issuer.
3. (Optional) If your Mobile Security Manager server certificate was not issued by a well-known CA (that is, it is not trusted by the devices that will need to connect to it to enroll), click Add in the Trusted Root CA field and then select the CA certificate that was used to issue the Mobile Security Manager server certificate.

If the root CA certificate used to issue your gateway and/or Mobile Security Manager server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect Components for SSL best practices.

Step 2 Add a client configuration. The client configuration specifies the GlobalProtect configuration settings to deploy to the connecting agents/apps. You must define at least one client configuration.

In the Client Configuration section, click Add and enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
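
Before selecting a certificate in the Trusted Root CA field (Step 1), you can confirm offline that it really issued every gateway server certificate and spot any gateway that uses a different issuer. The script below is an added example, not part of the guide; it uses the openssl CLI, the helper names `issued_by`, `mismatched_gateways` and `make_demo` are hypothetical, and the certificates it generates are constructed test material.

```shell
#!/bin/sh
# Added example (not from the guide): verify gateway certs against the intended Trusted Root CA.

# issued_by CA_PEM CERT_PEM: succeeds only if CERT_PEM chains to CA_PEM.
# The empty -CApath keeps the default system CA directory out of the lookup.
issued_by() {
    empty=$(mktemp -d) || return 2
    out=$(openssl verify -CAfile "$1" -CApath "$empty" "$2" 2>/dev/null) || true
    rmdir "$empty"
    case $out in *": OK") return 0 ;; *) return 1 ;; esac
}

# mismatched_gateways CA_PEM CERT...: prints every cert NOT issued by CA_PEM.
mismatched_gateways() {
    ca=$1; shift
    for cert in "$@"; do
        issued_by "$ca" "$cert" || printf '%s\n' "$cert"
    done
}

# make_demo DIR: constructed sample data, two roots (A, B) with one gateway cert each.
make_demo() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for n in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
            -subj "/CN=Constructed Root $n" \
            -keyout "$1/root$n.key" -out "$1/root$n.pem" 2>/dev/null || return 1
        openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
            -subj "/CN=gw$n.example.test" \
            -keyout "$1/gw$n.key" -out "$1/gw$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/gw$n.csr" -CA "$1/root$n.pem" -CAkey "$1/root$n.key" \
            -set_serial 1 -days 1 -out "$1/gw$n.pem" 2>/dev/null || return 1
    done
}

# Demo on the constructed certificates: prints the gateway cert not issued by root A.
demo=$(mktemp -d) && make_demo "$demo" &&
    mismatched_gateways "$demo/rootA.pem" "$demo/gwA.pem" "$demo/gwB.pem"
rm -rf "$demo"
```

Against real files, export each gateway's server certificate as PEM and pass them after the CA file; an empty result means all gateways share the issuer you are about to deploy.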