Hardware reference guide
GlobalProtect Administrator’s Guide
Set Up the GlobalProtect Infrastructure: Configure the GlobalProtect Portal
Step 3 If you do not require the GlobalProtect agent to establish tunnel connections when on the internal network, enable internal host detection.
1. Select the Internal Host Detection check box.
2. Enter the IP Address of a host that can only be reached from the internal network.
3. Enter the DNS Hostname that corresponds to the IP address you entered. Agents attempting to connect to GlobalProtect will do a reverse DNS lookup on the specified address; if the lookup fails, the agent will determine that it is on the external network and begin trying to establish tunnel connections with the external gateways on its list.
Step 4 Specify how the agent will connect to GlobalProtect.
Best Practices:
• Only use the on-demand option if you are using GlobalProtect for VPN access to external gateways.
• Do not use the on-demand option if you plan to run the GlobalProtect agent in hidden mode. See Customize the GlobalProtect Agent.
• For faster connection times, use internal host detection in configurations where you have enabled SSO.
1. Select a Connect Method:
   • on-demand—Users will have to manually launch the agent to connect to GlobalProtect. Use this connect method for external gateways only.
   • user-logon—GlobalProtect will automatically connect as soon as the user logs in to the machine (or domain). When used in conjunction with SSO (Windows users only), GlobalProtect login is transparent to the end user.
   • pre-logon—Authenticates the user and establishes the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in to the machine. This option requires that you deploy machine certificates to each end user system using an external PKI solution. See Remote Access VPN with Pre-Logon for more details on setting up this option.
2. (Configurations for Windows users only) Select Use single sign-on to enable GlobalProtect to use the Windows login credentials to automatically authenticate the user upon login to Active Directory.
Step 5 Set up access to the Mobile Security Manager.
This step is required if the mobile devices using this configuration will be managed by the GlobalProtect Mobile Security Manager. All devices will initially connect to the portal and, if Mobile Security Manager is configured on the corresponding portal client configuration, the device will be redirected to it for enrollment. For more information, see Set Up the GlobalProtect Mobile Security Manager.
1. Enter the IP address or FQDN of the Mobile Security Manager device check-in interface. The value you enter here must exactly match the value in the CN field of the Mobile Security Manager server certificate associated with the device check-in interface.
2. Specify the Enrollment Port on which the Mobile Security Manager will be listening for enrollment requests. This value must match the value set on the Mobile Security Manager (default=443). For more details, see Set Up the Mobile Security Manager for Device Management.
Create a GlobalProtect Client Configuration (Continued)
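
Added example (not from the guide or from Palo Alto Networks): a pre-deployment check for the internal host detection values entered in Step 3, which reverse-resolves the IP address and compares the answer with the configured hostname. The function names, the sample records, and the choice to report a name mismatch as a configuration error are assumptions of this example.

```python
import socket
import sys


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot before comparing."""
    return name.strip().rstrip(".").lower()


def check_internal_host_detection(ip_address, hostname, reverse_lookup=socket.gethostbyaddr):
    """Reverse-resolve ip_address and compare the result with hostname.

    Returns (status, names) where status is one of:
      "match"         - the PTR lookup succeeded and returned the configured hostname
      "mismatch"      - the lookup succeeded but returned different name(s)
      "lookup_failed" - no PTR answer; per Step 3 the agent treats this as external
    """
    try:
        primary, aliases, _addresses = reverse_lookup(ip_address)
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return "lookup_failed", []
    names = [normalize(n) for n in (primary, *aliases)]
    status = "match" if normalize(hostname) in names else "mismatch"
    return status, names


# Constructed sample data: a stand-in resolver so the example runs offline.
SAMPLE_PTR = {"10.1.1.10": ("ihd.corp.example.", [], ["10.1.1.10"])}


def sample_lookup(ip_address):
    """Answer from SAMPLE_PTR, failing the way socket.gethostbyaddr does."""
    if ip_address not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip_address]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real check against the resolver this machine uses.
        print(check_internal_host_detection(sys.argv[1], sys.argv[2]))
    else:
        # Offline demonstration with the constructed records above.
        for ip, host in [("10.1.1.10", "IHD.corp.example"),
                         ("10.1.1.10", "other.corp.example"),
                         ("10.9.9.9", "ihd.corp.example")]:
            print(ip, host, check_internal_host_detection(ip, host, sample_lookup))
```

Run it with the IP address and hostname as arguments once from the internal network and once from an external one: the internal run should report match and the external run lookup_failed.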