Configuring GlobalProtect SSL VPN Using A User-Defined Port

This document provides instructions for configuring Global Protect SSL VPN with a user-defined port on a Palo Alto Networks firewall. The key steps include: 1. Creating a loopback adapter and tunnel interface on the firewall. 2. Generating a server certificate and configuring RADIUS authentication. 3. Configuring the Global Protect portal and gateway on the specified port, and enabling user identification on the internet zone. 4. Creating firewall objects and rules for NAT, security policies, and a group for SSL VPN users in Active Directory. 5. Configuring the firewall as a RADIUS client and creating connection request and network policies on Windows Server 2012 NPS.

Configuring Global Protect SSL VPN with a user-defined port
Version 1.0
PAN-OS 5.0.1
Johan Loos
[email protected]
Global Protect SSL VPN Overview
This document gives you an overview of how to configure Global Protect for SSL VPN access. I use a
custom port instead of the default (443), with a little help from a loopback adapter.

You can also create a security group in Active Directory of which the user must be a member before
he can access the network via SSL VPN. Users are authenticated via a Network Policy on the
Network Policy Server running on Windows Server 2012.

Global Protect Task List


 Create a Loopback Adapter
 Create a Tunnel Interface
 Create a Server Certificate
 Create a RADIUS Server Profile
 Create a RADIUS Authentication Profile
 Configure Global Protect Portal
 Configure Global Protect Gateway
 Configure the Internet zone for User Identification
 Create an object for the public address
 Create an object for the loopback adapter
 Create a service object for a custom port
 Create a NAT rule
 Create a Security Policy rule
 Create a group SSL VPN Users in Active Directory
 Create a Connection Request Policy on Windows Server 2012 NPS
 Create a Network Policy on Windows Server 2012 NPS
 Install Global Protect SSLVPN Client
 Configure Global Protect SSLVPN Client

Create a Loopback Adapter


 Navigate to Network | Interfaces | Loopback and click Add
 On the Loopback Interface | Config page, type an interface number, add the interface to a
security zone and assign a virtual router

Configuring Global Protect SSL VPN with a user-defined port 2


 On the Loopback Interface | IPv4 page, type the IP address of the interface

 Click OK

Create a Tunnel Interface


 Navigate to Network | Interfaces | Tunnel and click Add
 On the Tunnel Interface | Config page, type an interface number, add the interface to a
security zone and assign a virtual router

 On the Tunnel Interface | IPv4 page, leave the IP address of the interface blank



 Click OK

Create a Server Certificate


Read the document on How to request a certificate

Create a RADIUS Server Profile


 Navigate to Device | Server Profiles | RADIUS and click Add
 On the RADIUS Server Profile page, type a name for your profile, specify a name for your
domain, then click Add to add the IP address, shared secret and port of the RADIUS server

 Click OK

Create a RADIUS Authentication Profile


 Navigate to Device | Authentication Profile and click Add
 On the Authentication Profile page, type a name, select RADIUS as Authentication and select
your RADIUS server profile from the list box
 Click OK

Configure Global Protect Portal


 Navigate to Network | GlobalProtect | Portals and click Add
 On the GlobalProtect Portal | General page, type a name for your Portal, select a
Server Certificate, select an Authentication Profile and select the Loopback Interface as
Interface Address

 On the GlobalProtect Portal | Client Configuration page, click Add


 On the Configs | General page, type a name, clear Use Single Sign-On, and select On-Demand
as Connect Method



 On the Configs | Gateways page, click Add
 Type the external (Internet-facing) IP address of your portal and also specify the
port number the portal listens on

 Click OK
 On the GlobalProtect Portal | Client Configuration page, under Trusted Root CA, click Add and
select the certificate of your trusted Root CA



 Click OK

Configure GlobalProtect Gateway


 Navigate to Network | GlobalProtect | Gateways and click Add
 On the GlobalProtect Gateway | General page, type a name for your Gateway, specify the
Interface and IP Address. Select your Server Certificate and select an Authentication Profile

 On the GlobalProtect Gateway | Client Configuration | Tunnel Settings page, enable Tunnel
Mode and select your Tunnel Interface



 On the GlobalProtect Gateway | Client Configuration | Network Settings page, type the IP
address of your internal DNS server, type a DNS suffix and specify the IP Pool address range
(the range from which your SSL VPN clients receive an IP address)

 Click OK

Configure the Internet zone for User Identification


 Navigate to Network | Zones, select your internet zone and check Enable User Identification



 Click OK

Create an object for the Public Address


 Navigate to Objects | Addresses and click Add
 On the Address page, type a name for the object you want to create and type the IP
address

 Click OK

Create an object for your Loopback Adapter


 Navigate to Objects | Addresses and click Add
 On the Address page, type a name and IP address



 Click OK

Create a Service Object for TCP-3210


 Navigate to Objects | Services, and click Add
 On the Service page, specify a name and specify the Destination Port

 Click OK

Create a NAT rule


 Select Policies | NAT, and click Add
 On the NAT Policy Rule | General page, type a name for the NAT rule

 Click on Original Packet



 As Source Zone select LAN, as Destination Zone select Internet, as Service select the
service object you created before, and as Destination Address select the public
address of your outside interface
 Select Translated Packet

 As Translation Type select Destination Address Translation, as Translated Address
select your loopback adapter, and type 443 as Translated Port
 Click OK

Create a Security Policy rule


 Navigate to Policies | Security, and click Add
 On the General page, type a name for your policy

 Click on Source
 Select a Source Zone and a Source Address



 Click on Destination
 Select a Destination Zone

 Click on Application
 Add the applications you need for that server
 Click on Service
 Select the service you have created above

 Click on Actions
 Select the actions that you need
 Click OK

Create a group SSL VPN Users in Active Directory

 Open Active Directory Users and Computers from Administrative Tools


 Navigate to an OU, right click and select New Group
 On the New Object-Group dialog box, type the name of your group GlobalProtect
SSLVPN Users

 On the Members tab add the required user accounts



 Click OK

Configure your firewall as RADIUS client on Windows Server 2012 NPS

 Open Network Policy Server from Administrative Tools


 Expand RADIUS Clients and Servers, right click on RADIUS Clients and select New
RADIUS Client
 On the New RADIUS Client dialog box, specify a friendly name and IP address



 Click on Advanced, uncheck or check the required options



 Click OK

Create a Connection Request Policy on Windows Server 2012 NPS

 From the Network Policy Server Console, right click on Connection Request Policies
and select New
 On the Specify Connection Request Policy Name and Connection Type page, type a
name for the policy and click Next



 On the Specify Conditions page, click Add. Select NAS Port Type (Ethernet)
 On the Select conditions dialog box, select Client IPv4 Address and click Add
 On the Client IPv4 Address dialog box, type the management IP address of the
firewall
 Click OK and click Next



 On the Specify Connection Request Forwarding page, select Authenticate requests
on this server and click Next

 On the Specify Authentication Methods page, click Next

 On the Configure Settings page, click Next



 On the Completing Connection Request Policy Wizard page, click Finish

Create a Network Policy on Windows Server 2012 NPS

 From the Network Policy Server Console, right click on Network Policies and select
New
 On the Specify Network Policy Name and Connection Type page, type a name for
your policy and click Next



 On the Specify Conditions page, click Add
 From the Select Condition dialog box, add the following Windows Groups
GlobalProtect SSLVPN Users, and click Next

 On the Specify Access Permissions page, select Access Granted and click Next



 On the Configure Authentication Methods page, clear all authentication methods,
select only Unencrypted Authentication (PAP, SPAP) and click Add

 On the Configure Constraints page, click Next



 On the Configure Settings page, click Next

 On the Completing New Network Policy page, click Finish
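With the network policy above the firewall-to-NPS leg of the login is RADIUS with PAP, so the user's Active Directory password crosses that link hidden only by the RFC 2865 User-Password scheme, which is keyed on the shared secret from the RADIUS Server Profile. The following Python is an added example, not part of this document, PAN-OS or NPS: it builds the Access-Request the firewall (the NPS "RADIUS client") would send and parses it the way the server does; the user name, password, secret and Request Authenticator are constructed lab values.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 packet code and attribute types

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode: the shared secret is all that hides the AD password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value  # TLV; length covers T and L

def build_access_request(ident, username, password, secret, authenticator=None):
    """The packet the firewall (the NPS 'RADIUS client') sends to the RADIUS server port."""
    authenticator = authenticator or os.urandom(16)  # constructed value in the test, random in real use
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What NPS does on receipt: walk the attributes and recover the PAP password."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return {"user": attrs[USER_NAME].decode(),
            "password": pap_decode(attrs[USER_PASSWORD], secret, packet[4:20]).decode()}
```

Because pap_decode needs nothing but the secret and a captured request, the secret entered in the RADIUS Server Profile should be long and random, and the path between the firewall's management interface and the NPS server should be a trusted network.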



Install Global Protect SSLVPN Client
 Open your web browser and connect to your Global Protect Portal by using
https://192.168.10.25:3210/
 On the login page, type your domain username and password and click on Login

 On the GlobalProtect Portal select the required Agent



 On the Welcome to the GlobalProtect Setup Wizard page, click Next

 On the Select Installation Folder page, click Next



 On the Confirm Installation page, click Next

 On the Installation Complete page, click Close



Configure Global Protect SSLVPN Client
 Navigate to Start | Programs | Palo Alto Networks | GlobalProtect and launch
GlobalProtect
 On the GlobalProtect page, type your domain credentials, portal IP address and click Apply

 If authentication is successful, the status displays Connected



 On the GlobalProtect dialog, select View | Advanced

 On the firewall, navigate to Monitor | Logs | System to verify authentication

 Check the Windows Event Log on the NPS server
