Configuring Global Protect SSL VPN with a user-defined port

Version 1.0

PAN-OS 5.0.1

Johan Loos

[email protected]

Date posted: 07-Mar-2018

Configuring Global Protect SSL VPN with a user-defined port 2

Global Protect SSL VPN Overview

This document gives you an overview of how to configure Global Protect for SSL VPN access. It uses a custom port (TCP 3210 in this guide) instead of the default 443, with a little help from a loopback adapter: the portal and gateway listen on port 443 of a loopback interface, and a destination NAT rule translates the custom port on the public address to that loopback. Clients on the outside therefore only see the custom port; nothing answers on 443 of the public address.

You can also create a security group in Active Directory that a user must be a member of before he can access the network via SSL VPN. Users are authenticated by a Network Policy on the Network Policy Server (NPS) running on Windows Server 2012.

Global Protect Task List

Create a Loopback Adapter

Create a Tunnel Interface

Create a Server Certificate

Create a RADIUS Server Profile

Create a RADIUS Authentication Profile

Configure Global Protect Portal

Configure Global Protect Gateway

Configure the Internet zone for User Identification

Create an object for the public address

Create an object for the loopback adapter

Create a service object for a custom port

Create a NAT rule

Create a Security Policy rule

Create a group SSL VPN Users in Active Directory

Configure the firewall as a RADIUS client on Windows Server 2012 NPS

Create a Connection Request Policy on Windows Server 2012 NPS

Create a Network Policy on Windows Server 2012 NPS

Install Global Protect SSLVPN Client

Configure Global Protect SSLVPN Client

Create a Loopback Adapter

Navigate to Network | Interfaces | Loopback and click Add

On the Loopback Interface | Config page, type an Interface number, add the interface into a security zone and assign a virtual router. Remember the zone you choose: the inbound connection is translated to this interface, so its zone is the destination zone you will need in the security policy rule later


On the Loopback Interface | IPv4 page, type the IP address of the interface

Click OK

Create a Tunnel Interface

Navigate to Network | Interfaces | Tunnel and click Add

On the Tunnel Interface | Config page, type an Interface number, add the interface into a security zone and assign a virtual router

On the Tunnel Interface | IPv4 page, leave the IP address of the interface blank


Click OK

Create a Server Certificate

Read the document on How to request a certificate. The certificate's subject (or subject alternative name) must match the address the clients connect to (here the public IP address, or a DNS name that resolves to it), and the CA that issued it is the one you will add under Trusted Root CA in the portal client configuration below; otherwise browsers and the GlobalProtect agent will refuse the connection

Create a RADIUS Server Profile

Navigate to Device | Server Profiles | RADIUS and click Add

On the RADIUS Server Profile page, type a name for your profile, specify a name for your domain, click Add and enter the IP address of the RADIUS server, the shared secret and the port (1812 by default). Use a long, random shared secret: with the PAP authentication configured on NPS later, the secret is the only thing protecting user passwords on the path between the firewall and the RADIUS server

Click OK

Create a RADIUS Authentication Profile

Navigate to Device | Authentication Profile and click Add

On the Authentication Profile page, type a name, select RADIUS as Authentication and from the Server Profile list box select the RADIUS server profile you just created


Click OK

Configure Global Protect Portal

Navigate to Network | GlobalProtect | Portals and click Add

On the GlobalProtect Portal | General page, type a name for your Portal, select a Server Certificate, select the RADIUS Authentication Profile and select the Loopback Interface as Interface with its address as IP Address

On the GlobalProtect Portal | Client Configuration page, click Add

On the Configs | General page, type a name, clear Use single sign-on, and select on-demand as connection method


On the Configs | Gateways page, click Add

Type the external (Internet-facing) IP address of your portal, which the gateway shares in this setup, and specify the custom port on which it is reachable from outside (3210 here). The agent reaches the gateway through the same NAT rule as the portal, so the default port 443 would not work from the Internet

Click OK

On the GlobalProtect Portal | Client Configuration page, under Trusted Root CA, click Add and select the certificate of the Root CA that issued your server certificate. The portal pushes this CA to the agents so they can validate the gateway's certificate


Click OK

Configure GlobalProtect Gateway

Navigate to Network | GlobalProtect | Gateways and click Add

On the GlobalProtect Gateway | General page, type a name for your Gateway, specify the Interface (the loopback) and its IP Address. Select your Server Certificate and select the RADIUS Authentication Profile

On the GlobalProtect Gateway | Client Configuration | Tunnel Settings page, enable Tunnel Mode and select your Tunnel Interface


On the GlobalProtect Gateway | Client Configuration | Network Settings page, type the IP address of your internal DNS server, type a DNS suffix and specify the IP Pool address range (the range from which your SSL VPN clients receive an IP address). Choose a pool that does not overlap any internal subnet or the clients' home networks, otherwise routing through the tunnel will be ambiguous

Click OK

Configure the Internet zone for User Identification

Navigate to Network | Zones, select your internet zone and check Enable User Identification. Note that the user-to-IP mappings for VPN users come from the gateway and apply to the addresses in the IP pool, so for user-based security policy on VPN traffic it is the zone containing the tunnel interface that needs User Identification; enabling it on an untrusted zone is normally avoided


Click OK

Create an object for the Public Address

Navigate to Objects | Addresses and click Add

On the Address page, type a name for the object you want to create and type the public IP address of your outside interface (192.168.10.25 in this lab)

Click OK

Create an object for your Loopback Adapter

Navigate to Objects | Addresses and click Add

On the Address page, type a name and the IP address of the loopback interface


Click OK

Create a Service Object for TCP-3210

Navigate to Objects | Services, and click Add

On the Service page, specify a name (tcp-3210), select TCP as Protocol and type 3210 as Destination Port, the custom port the clients will connect to

Click OK

Create a NAT rule

Select Policies | NAT, and click Add

On the NAT Policy Rule page, on the General page type a name for the NAT rule

Click on Original Packet


As Source Zone select the zone your clients connect from (LAN in this lab; for clients coming in from the Internet select your Internet zone), as Destination Zone select Internet, as Service select the service object you have created before and as Destination Address select the public address object of your outside interface. The destination zone is Internet and not the loopback's zone because NAT rules are matched on pre-NAT zones, that is the zone the public address belongs to

Select Translated Packet

As Translation Type select Destination Address Translation, for Translated Address select your loopback adapter object and type 443 as Translated Port

Click OK

Create a Security Policy rule

Navigate to Policies | Security, and click Add

On the General page, type a name for your policy

Click on Source

Select the same Source Zone as in the NAT rule and a Source Address (any, unless you want to restrict which networks may reach the portal at all)


Click on Destination

As Destination Zone select the zone of the loopback interface, not Internet: security policy is evaluated with the post-NAT destination zone. As Destination Address select the public address object, because addresses and ports in security policy are matched before translation

Click on Application

Add the applications the portal and gateway need, for example ssl and web-browsing (and panos-global-protect if your content version has that App-ID)

Click on Service

Select the service object you have created above (the custom port, not 443)

Click on Actions

Select Allow


Click OK
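To make the interaction between the NAT rule and the security policy rule concrete, here is an added example (Python; not part of the guide and not Palo Alto Networks code) that models the two lookups the firewall performs for an inbound connection: the NAT rule is matched on the pre-NAT zones (both Internet, because the public address lives on the outside interface), while the security rule is matched on the pre-NAT destination address and port but the post-NAT destination zone, i.e. the zone of the loopback interface. The addresses, interface names and zones (public address 192.168.10.25 on ethernet1/1, loopback.1 = 10.10.10.1 in zone LAN, a client at 203.0.113.10, port 3210) are assumptions chosen to mirror the guide. It also shows two common mistakes, putting the Internet zone as destination zone or the loopback address as destination address in the security rule, both of which fall through to the implicit interzone deny, and that port 443 on the public address stays closed.

```python
"""Model of the PAN-OS NAT and security policy lookups for an inbound
GlobalProtect connection on a custom port. Added example, not code from the
guide or from Palo Alto Networks. All names and addresses are assumptions
chosen to mirror the guide: public address 192.168.10.25 on ethernet1/1
(zone Internet), loopback.1 = 10.10.10.1 (zone LAN), custom port 3210."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed interface-to-zone mapping and routing table (most specific first).
ZONE_OF_INTERFACE = {"ethernet1/1": "Internet", "loopback.1": "LAN", "tunnel.1": "VPN"}
ROUTES = [
    (ip_network("10.10.10.1/32"), "loopback.1"),
    (ip_network("192.168.10.0/24"), "ethernet1/1"),
    (ip_network("0.0.0.0/0"), "ethernet1/1"),
]


def zone_for(ip: str) -> str:
    """Zone of the interface that routes to ip (route lookup -> egress interface -> zone)."""
    addr = ip_address(ip)
    for prefix, iface in ROUTES:
        if addr in prefix:
            return ZONE_OF_INTERFACE[iface]
    raise ValueError(f"no route for {ip}")


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    from_zone: str       # pre-NAT source zone
    to_zone: str         # pre-NAT destination zone
    dst_ip: str
    dst_port: int
    translated_ip: str
    translated_port: int


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str         # POST-NAT destination zone
    dst_ip: str          # pre-NAT destination address
    dst_port: int        # pre-NAT destination port
    action: str = "allow"


def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Return (matched NAT rule, matched allow rule or None, (dst_ip, dst_port) after NAT)."""
    # The source zone comes from the ingress interface; a reverse route lookup stands in for it here.
    src_zone = zone_for(pkt.src_ip)
    pre_nat_dst_zone = zone_for(pkt.dst_ip)
    translated = (pkt.dst_ip, pkt.dst_port)
    nat_hit = None
    for r in nat_rules:                      # NAT: pre-NAT zones, addresses and ports
        if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port) == (src_zone, pre_nat_dst_zone, pkt.dst_ip, pkt.dst_port):
            nat_hit, translated = r.name, (r.translated_ip, r.translated_port)
            break
    post_nat_dst_zone = zone_for(translated[0])
    for r in sec_rules:                      # security: pre-NAT address/port, post-NAT zone
        if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port) == (src_zone, post_nat_dst_zone, pkt.dst_ip, pkt.dst_port):
            return nat_hit, (r.name if r.action == "allow" else None), translated
    return nat_hit, None, translated         # no match: implicit interzone deny


# Rules as the guide describes them, plus two typical mistakes (assumed values).
GP_NAT = [NatRule("GP-Inbound", "Internet", "Internet", "192.168.10.25", 3210, "10.10.10.1", 443)]
GOOD = [SecurityRule("GP-Allow", "Internet", "LAN", "192.168.10.25", 3210)]
WRONG_ZONE = [SecurityRule("GP-Allow", "Internet", "Internet", "192.168.10.25", 3210)]
WRONG_ADDR = [SecurityRule("GP-Allow", "Internet", "LAN", "10.10.10.1", 3210)]
CLIENT = Packet("203.0.113.10", "192.168.10.25", 3210)        # constructed Internet client

if __name__ == "__main__":
    for label, rules in (("correct rule", GOOD), ("dest zone Internet", WRONG_ZONE), ("post-NAT address", WRONG_ADDR)):
        print(f"{label:>18}: {evaluate(CLIENT, GP_NAT, rules)}")
    print(f"{'port 443 outside':>18}: {evaluate(Packet('203.0.113.10', '192.168.10.25', 443), GP_NAT, GOOD)}")
```

Run it as a script to see the four cases side by side. The model deliberately ignores application identification and source address matching so that the zone/address ordering, which is where this kind of setup usually goes wrong, is the only thing it evaluates.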

Create a group SSL VPN Users in Active Directory

Open Active Directory Users and Computers from Administrative Tools

Navigate to an OU, right click and select New | Group

On the New Object - Group dialog box, type the name of your group, GlobalProtect SSLVPN Users

On the Members tab add the required user accounts


Click OK

Configure your firewall as RADIUS client on Windows Server 2012 NPS

Open Network Policy Server from Administrative Tools

Expand RADIUS Clients and Servers, right click on RADIUS Clients and select New RADIUS Client

On the New RADIUS Client dialog box, specify a friendly name, the IP address of the firewall and the same shared secret you entered in the RADIUS Server Profile. The IP address must be the one the firewall sends RADIUS requests from: by default that is the management interface, unless a service route for RADIUS has been configured under Device | Setup | Services


Click on Advanced and check or uncheck the required options. Leave Vendor name at RADIUS Standard; only enable the option requiring the Message-Authenticator attribute in Access-Request messages after you have verified with a test login that the firewall actually sends it, otherwise NPS will silently discard the requests


Click OK

Create a Connection Request Policy on Windows Server 2012 NPS

From the Network Policy Server console, right click on Connection Request Policies and select New

On the Specify Connection Request Policy Name and Connection Type page, type a name for the policy and click Next


On the Specify Conditions page, click Add

On the Select condition dialog box, select NAS Port Type, check Ethernet and click OK

Click Add again, select Client IPv4 Address and click Add

On the Client IPv4 Address dialog box, type the IP address the firewall sends RADIUS requests from (the management IP address of the firewall in this setup); this ties the policy to the RADIUS client you created above

Click OK and click Next


On the Specify Connection Request Forwarding page, select Authenticate requests on this server and click Next

On the Specify Authentication Methods page, click Next

On the Configure Settings page, click Next


On the Completing Connection Request Policy Wizard page, click Finish

Create a Network Policy on Windows Server 2012 NPS

From the Network Policy Server console, right click on Network Policies and select New

On the Specify Network Policy Name and Connection Type page, type a name for your policy and click Next


On the Specify Conditions page, click Add

From the Select condition dialog box, select Windows Groups and add the group GlobalProtect SSLVPN Users, then click Next. This is the condition that limits SSL VPN access to members of the group; a user outside the group gets an Access-Reject even with the right password

On the Specify Access Permission page, select Access granted and click Next


On the Configure Authentication Methods page, clear all authentication methods, select only Unencrypted authentication (PAP, SPAP) and click Next. PAP is what the firewall's RADIUS authentication uses in this setup: NPS receives the password itself, hidden only with the shared secret, rather than a challenge response, so the shared secret must be long and random and the path between firewall and NPS must be a trusted network. NPS may warn that an unencrypted method is selected; acknowledge the warning

On the Configure Constraints page, click Next


On the Configure Settings page, click Next

On the Completing New Network Policy page, click Finish
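The RADIUS Server Profile on the firewall and the PAP setting in this network policy together mean the firewall sends the user's password to NPS as a PAP User-Password attribute, protected only by the RADIUS shared secret. The following added example (Python; not code from the guide, from PAN-OS or from NPS) implements that exchange as specified in RFC 2865 so you can see exactly what the secret protects: it builds the Access-Request the way a NAS does, hides the password with the MD5-based scheme, simulates an NPS-like server that recovers the password, decides and signs its reply, and verifies the Response Authenticator on the client side before trusting the answer. The shared secret, user names, passwords and NAS address are constructed test values.

```python
"""RADIUS Access-Request with PAP (RFC 2865) as a NAS such as the firewall
sends it, plus the checks on the reply. Added example; not code from the
guide, PAN-OS or NPS. Secret, credentials and addresses are test values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_ETHERNET = 15          # the value the NPS "NAS Port Type: Ethernet" condition matches


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: whoever holds the shared secret and a capture
    recovers the plaintext. The secret is the whole protection with PAP."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length includes the 2 header bytes."""
    return struct.pack("!BB", t, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes, nas_ip: str, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh and random."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def nps_like_server(request: bytes, secret: bytes, allowed_users: dict) -> bytes:
    """Constructed stand-in for NPS: parse, recover the PAP password, decide, sign the reply.
    A real NPS also drops requests from addresses not in its RADIUS client list."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, pos, fields = request[4:20], 20, {}
    while pos < length:
        t, l = request[pos], request[pos + 1]
        fields[t] = request[pos + 2:pos + l]
        pos += l
    user = fields[ATTR_USER_NAME].decode()
    pw = reveal_password(fields[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    reply = ACCESS_ACCEPT if allowed_users.get(user) == pw else ACCESS_REJECT
    attrs = b""
    return struct.pack("!BBH", reply, ident, 20 + len(attrs)) + response_authenticator(reply, ident, attrs, req_auth, secret) + attrs


def authenticate(user: str, password: str, secret: bytes, allowed_users: dict,
                 nas_ip: str = "10.0.0.1", server_secret: bytes = None) -> str:
    """NAS side: send the request, then verify the Response Authenticator before
    believing the code. server_secret simulates a mismatched secret on NPS."""
    ident = 7
    request, req_auth = build_access_request(ident, user, password, secret, nas_ip)
    reply = nps_like_server(request, server_secret or secret, allowed_users)
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident:
        return "id-mismatch"
    if reply[4:20] != response_authenticator(code, rid, reply[20:length], req_auth, secret):
        return "bad-authenticator"        # forged reply or wrong secret: must not be trusted
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    users = {"alice": "Pa55w0rd!"}         # constructed directory
    secret = b"long-random-secret-from-the-server-profile"
    print(authenticate("alice", "Pa55w0rd!", secret, users))                            # accept
    print(authenticate("alice", "nope", secret, users))                                 # reject
    print(authenticate("alice", "Pa55w0rd!", secret, users, server_secret=b"typo"))     # bad-authenticator
```

Two things to take from running it. First, reveal_password is the same computation run the other way: anyone who captures the request and knows the secret reads the password, and a short secret can be brute-forced offline from a single capture, because a correct guess yields a printable password followed by zero padding. Second, a wrong secret on either side does not produce a clear error: NPS just sees a garbage password and answers Access-Reject, and the firewall rejects that reply because its Response Authenticator does not verify. When a login fails with nothing in the NPS event log, or with event 6273 for a user whose password is right, check the shared secret and the RADIUS client address before anything else.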


Install Global Protect SSLVPN Client

Open your web browser and connect to your Global Protect Portal by using https://192.168.10.25:3210/

If the browser warns about the certificate, the server certificate does not match the address or was not issued by a CA the browser trusts; fix that rather than clicking through, because the agent will hit the same trust problem against the gateway

On the login page, type your domain username and password and click on Login

On the GlobalProtect Portal page select the required Agent and download it


On the Welcome to the GlobalProtect Setup Wizard page, click Next

On the Select Installation Folder page, click Next


On the Confirm Installation page, click Next

On the Installation Complete page, click Close


Configure Global Protect SSLVPN Client

Navigate to Start | Programs | Palo Alto Networks | GlobalProtect and launch GlobalProtect

On the GlobalProtect page, type your domain credentials and the portal address including the custom port (192.168.10.25:3210), and click Apply

If authentication is successful, the status displays Connected


On the GlobalProtect dialog, select View | Advanced to see the assigned tunnel address, the gateway and the agent log

On the firewall, navigate to Monitor | Logs | System to verify authentication; the portal and gateway logins and the RADIUS authentication result are logged there

Windows Event Log: on the NPS server, check the Security log for NPS events 6272 (access granted) and 6273 (access denied). Each event names the connection request policy and network policy that matched, which is the quickest way to find a policy ordering or group membership mistake
