
GlobalProtect Administrator’s Guide 77
Enable Gateway Access to the Mobile Security Manager

If you plan to Configure HIP-Based Policy Enforcement on your firewalls, you can configure the GlobalProtect gateways to retrieve the HIP reports for the mobile devices managed by the Mobile Security Manager. To enable the gateway to retrieve HIP reports from the Mobile Security Manager, you must enable an interface for gateway access and then configure the gateways to connect to it as follows:

Enable Gateway Access to Mobile Security Manager

Step 1  Decide which Mobile Security Manager interface to use for HIP retrieval and enable the gateway service on the interface.

Although you can configure the gateways to connect to either the MGT interface or the ethernet1 interface, as a best practice consider using the ethernet1 interface to ensure that your remote gateways have access to the appliance.

(Recommended) To use the ethernet1 interface for gateway access, select Setup > Network > ethernet1. Select the GlobalProtect Gateways check box and then click OK.

To use the MGT interface for gateway access, select Setup > Settings > Management and then click the Edit icon in the Management Interface Settings section of the screen. Select the GlobalProtect Gateways check box and then click OK.

If this interface is not yet configured, you must supply the network settings (IP address, netmask, and default gateway) and physically connect the Ethernet port to your network. See Configure the Mobile Security Manager for Device Check-in for details.
Step 2  (Optional) Import a server certificate for the Mobile Security Manager MGT interface to enable GlobalProtect gateways to connect to this interface. This certificate is required only if the gateways will connect to the MGT interface instead of ethernet1 for HIP retrieval.

The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the Mobile Security Manager certificate must match the IP address or fully qualified domain name (FQDN) of the interface (wildcard certificates are supported).

As a best practice, use the same CA certificate used to issue self-signed certificates to the other GlobalProtect components. See Deploy Server Certificates to the GlobalProtect Components for details on the recommended workflow.

After generating a server certificate for the Mobile Security Manager, import it as follows:

1. Select Setup > Certificate Management > Certificates > Device Certificates and click Import.
2. Enter a Certificate Name.
3. Enter the path and name to the Certificate File, or Browse to find the file.
4. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
5. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
6. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.
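The name-matching requirement in Step 2 (CN or SAN must match the interface IP address or FQDN, wildcards allowed) is the check that most often fails after a certificate is imported, because the gateway will refuse to connect to an interface whose certificate names do not match. The following Python is an added example, not part of the guide or of any Palo Alto Networks software; it reproduces the matching rules a TLS client applies so an administrator can verify a certificate against the planned interface address before importing it. The certificate dictionary is constructed for illustration in the shape returned by Python's ssl.SSLSocket.getpeercert(); the names and addresses in it are made up.

```python
import ipaddress
from typing import Any, Dict, List, Tuple

# Constructed sample certificate (assumption: issued for the Mobile Security
# Manager interface). Shape follows ssl.SSLSocket.getpeercert(); the
# hostnames and the IP address below are invented for the example.
SAMPLE_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "msm.example.com"),),),
    "subjectAltName": (
        ("DNS", "msm.example.com"),
        ("DNS", "*.gp.example.com"),
        ("IP Address", "198.51.100.10"),
    ),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName SAN (or CN) against a hostname the way TLS clients do:
    case-insensitive, and a '*' may only stand for the entire leftmost
    label (so '*.gp.example.com' matches 'gw1.gp.example.com' but not
    'a.b.gp.example.com' and not 'gp.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject wildcards that are not the whole leftmost label or that would
    # cover a top-level domain (e.g. '*.com').
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert: Dict[str, Any]) -> Tuple[List[str], List[str], str]:
    """Return (dns_sans, ip_sans, common_name) from a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    ip_sans = [value for kind, value in sans if kind == "IP Address"]
    common_name = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    return dns_sans, ip_sans, common_name


def cert_matches_interface(cert: Dict[str, Any], address: str) -> bool:
    """True if the certificate is valid for the interface address the
    gateways will use (an IP address or an FQDN)."""
    dns_sans, ip_sans, common_name = certificate_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(address)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # Gateways configured with an IP address need an iPAddress SAN;
        # fall back to a literal CN match only when no IP SANs exist.
        if ip_sans:
            return any(ipaddress.ip_address(v) == wanted_ip for v in ip_sans)
        return common_name == address

    # Once any dNSName SAN is present, clients ignore the CN entirely.
    if dns_sans:
        return any(dns_name_matches(p, address) for p in dns_sans)
    return bool(common_name) and dns_name_matches(common_name, address)


if __name__ == "__main__":
    for addr in ("msm.example.com", "gw1.gp.example.com", "198.51.100.10",
                 "a.b.gp.example.com", "198.51.100.11"):
        print(f"{addr:22} -> {cert_matches_interface(SAMPLE_CERT, addr)}")
```

Run it against the real certificate by loading the interface's certificate with ssl.get_server_certificate() and parsing it, or by building the dictionary from the values shown under Device Certificates; any address that returns False here is an address the gateways must not be configured with until the certificate is reissued.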