How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

103326
Created On 09/25/18 17:50 PM - Last Modified 05/05/20 23:33 PM


Symptom


In addition to serving the GlobalProtect Portal on a port other than 443, you can place the associated Gateway on a second loopback interface. This is useful when you have only one public-facing IP address and also want to host SSL-based applications, such as OWA, on that address. The following information provides the configuration steps for doing so.

 

Follow the Knowledge Base article How to Configure GlobalProtect Portal Page to be Accessed on any Port, with one caveat: you will need a second loopback interface in addition to the first loopback interface used for the Portal.



Environment


  • PAN-OS
  • GlobalProtect


Resolution


Create an additional loopback interface

Make sure the untrust interface can reach the loopback by pinging it from the untrust address:

> ping source 99.7.172.157 host 10.1.1.2

    PING 10.1.1.2 (10.1.1.2) from 99.7.172.157 : 56(84) bytes of data.
    64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.126 ms
    64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.068 ms

 


Assign the first loopback interface as the Portal address


Assign the loopback.2 interface as the Gateway address


 

Create the following services and add them to a service group.

These services will be destination-NATed to the Gateway loopback interface. In this example two custom services were created: UDP 500 (named ike/ciscovpn, the IKE port also used by the iOS native IPsec client) and UDP 4501 (named ipsec-esp-udp, the port GlobalProtect uses for ESP encapsulated in UDP).

The two custom services are added, together with the predefined service-https, to the gateway service group.

 

Create the services


Add the services to a service group object


Create the security policies as needed.

As noted in the prior KB article, a rule is needed for the Portal page to allow the traffic that arrives on the non-standard SSL port and is NATed to the first loopback interface.

Here the GP Portal is accessed on port 7000 instead of port 443. Below this rule, a second rule allows the Gateway traffic: the applications ike, ipsec, panos-global-protect, ssl and web-browsing. Keep in mind that PAN-OS evaluates security policy against the pre-NAT destination address and port but the post-NAT destination zone, so both rules match on the public IP (and, for the Portal, port 7000) while the destination zone is the zone that contains the loopback interfaces.

 


 

Create the NAT policy that forwards traffic to the second loopback (loopback.2) interface.

In this example the gateway service group is used as the match criterion, and matching traffic is forwarded to 10.1.1.2, the loopback.2 address configured earlier.

 

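The configure-mode commands below are an added example, not part of the original article, showing one way to express the steps above (loopback, services, service group, NAT and security rules) as PAN-OS set commands. The addresses 99.7.172.157 (public/untrust), 10.1.1.2 (loopback.2) and the ports 7000, 500 and 4501 come from the article; the object and rule names (gp-ike, gp-ipsec-udp, gp-gateway-services, gp-portal-7000, gp-portal-nat, gp-gateway-nat, gp-portal, gp-gateway), the portal loopback address 10.1.1.1 and the zone and virtual router names (untrust, default) are assumptions. X-Auth is enabled in the web UI as described in the next step. Option names differ between PAN-OS releases, so check each command with ? in configure mode before committing.

```panos
# Added example (not from the article). Assumed names: gp-ike, gp-ipsec-udp,
# gp-gateway-services, gp-portal-7000, rule names, zone "untrust", VR "default",
# portal loopback 10.1.1.1. From the article: 99.7.172.157, 10.1.1.2, ports 7000/500/4501.

configure

# Second loopback for the Gateway, in the same zone and virtual router as the untrust interface
set network interface loopback units loopback.2 ip 10.1.1.2/32
set zone untrust network layer3 loopback.2
set network virtual-router default interface loopback.2

# Custom services for the IPsec side of the Gateway (service-https is predefined)
set service gp-ike protocol udp port 500
set service gp-ipsec-udp protocol udp port 4501
set service-group gp-gateway-services members [ service-https gp-ike gp-ipsec-udp ]

# Portal (from the prior KB): public IP on TCP/7000 -> first loopback on 443
set service gp-portal-7000 protocol tcp port 7000
set rulebase nat rules gp-portal-nat nat-type ipv4 from untrust to untrust source any destination 99.7.172.157 service gp-portal-7000 destination-translation translated-address 10.1.1.1 translated-port 443

# Gateway: the whole service group on the public IP -> loopback.2, ports unchanged
set rulebase nat rules gp-gateway-nat nat-type ipv4 from untrust to untrust source any destination 99.7.172.157 service gp-gateway-services destination-translation translated-address 10.1.1.2

# Security policy matches the pre-NAT destination (public IP and original port) and the
# post-NAT zone (the zone holding the loopbacks). Portal rule first, Gateway rule below it.
set rulebase security rules gp-portal from untrust to untrust source any source-user any destination 99.7.172.157 application [ panos-global-protect ssl web-browsing ] service gp-portal-7000 action allow
set rulebase security rules gp-gateway from untrust to untrust source any source-user any destination 99.7.172.157 application [ ike ipsec panos-global-protect ssl web-browsing ] service gp-gateway-services action allow

commit
```

After the commit, repeat the ping from the untrust address and then confirm the rules hit with `show running nat-policy` and the session browser; a Gateway client that connects but shows an SSL rather than IPsec tunnel is the usual sign that the UDP 4501 entry is missing from the NAT or security rule.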

 

Configure iPhone/iPad access on the Gateway.

Enable 'X-Auth Support' on the gateway and set a Group Name and a Group Password. Both values are used when configuring the VPN profile on the mobile devices. The Group Password is an IKE pre-shared secret common to every device using this profile; it identifies the gateway configuration, not the user, so protect it as you would any PSK and change it if a device is lost. The user is authenticated separately by the gateway's authentication profile.

 


 

Create the VPN profile on the iPhone/iPad using the Group Name and shared secret configured in the previous step. The account name and password entered in the profile must be valid for the authentication method chosen on the gateway (LDAP, Kerberos, local database, etc.).


 



Additional Information


Confirm access from your GlobalProtect client as well as your mobile device. In the output below, ESP 'exist' with SSL 'none' confirms that each client negotiated an IPsec tunnel rather than falling back to SSL; an SSL tunnel in its place usually means UDP 4501 (or UDP 500 for the iOS client) is not reaching the gateway loopback through the NAT and security rules.

 

> show global-protect-gateway current-user

        GlobalProtect Name : gp-gateway (2 users)

        Domain  User Name  Computer     Client                                             Private IP  Public IP    ESP    SSL   Login Time       Logout/Expiration  TTL      Inactivity TTL
        ------  ---------  -----------  -------------------------------------------------  ----------  -----------  -----  ----  ---------------  -----------------  -------  --------------
                \renato    PAN01347     Windows 7 (Version 6.1 Build 7601 Service Pack 1)  10.10.10.2  64.124.57.5  exist  none  Oct.02 06:04:01  Nov.01 06:04:01    2589926  9641
                \renato    64.124.57.5  iPhone OS:6.0                                      10.10.10.1  64.124.57.5  exist  none  Oct.02 06:38:33  Oct.02 07:39:33    3657     10798
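As an added example, not part of the original article, the following Python parses the current-user output above into structured sessions and reports the two things worth checking after the NAT and X-Auth steps: a client that fell back to an SSL tunnel (ESP 'none', SSL 'exist') and a parsed session count that differs from what the gateway declares. The sample output embedded in the script is constructed from the two rows above and keeps the shape the raw CLI prints, where a long Client string runs directly into the Private IP column; the regex copes with that by matching the Client column lazily and anchoring on the two IPv4 columns that follow it.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Header line: "GlobalProtect Name : gp-gateway (2 users)"
GATEWAY_RE = re.compile(r"GlobalProtect Name\s*:\s*(?P<name>\S+)\s*\((?P<count>\d+) users?\)")

# One session row. The Client column is free text and in raw CLI output it can run
# straight into the Private IP column ("...Service Pack 1)10.10.10.2"), so the client
# is matched lazily and the two IPv4 columns anchor the rest of the row.
SESSION_RE = re.compile(
    r"^\s*(?P<domain>[^\\\s]*)\\(?P<user>\S+)\s+"      # "DOMAIN\user"; domain may be empty
    r"(?P<computer>\S+)\s+"                             # hostname (iOS reports its public IP here)
    r"(?P<client>.+?)"                                  # OS/client string, may contain spaces
    rf"(?P<private_ip>{IPV4})\s+"
    rf"(?P<public_ip>{IPV4})\s+"
    r"(?P<esp>\S+)\s+(?P<ssl>\S+)\s+"
    r"(?P<login>\S+ \S+)\s+(?P<expiry>\S+ \S+)\s+"
    r"(?P<ttl>\d+)\s+(?P<inactivity_ttl>\d+)\s*$"
)

# Constructed sample: the two rows from the article, with the raw CLI spacing preserved.
SAMPLE_OUTPUT = """\
GlobalProtect Name : gp-gateway (2 users)
Domain User Name      Computer        Client          Private IP      Public IP      ESP    SSL    Login Time      Logout/Expiration TTL     Inactivity TTL
------ ---------      ---------      ----------      ---------      ---    ---    ----------      ----------------- ---      ----------- ---
      \\renato          PAN01347        Windows 7 (Version 6.1 Build 7601 Service Pack 1)10.10.10.2      64.124.57.5    exist  none    Oct.02 06:04:01 Nov.01 06:04:01  2589926  9641
      \\renato          64.124.57.5    iPhone OS:6.0  10.10.10.1      64.124.57.5    exist  none    Oct.02 06:38:33 Oct.02 07:39:33  3657     10798
"""


@dataclass
class Session:
    domain: str
    user: str
    computer: str
    client: str
    private_ip: str
    public_ip: str
    esp: str
    ssl: str
    login: str
    expiry: str
    ttl: int
    inactivity_ttl: int

    @property
    def tunnel(self) -> str:
        """'ipsec' when the gateway reports an ESP SA; 'ssl' only if the client fell back."""
        if self.esp == "exist":
            return "ipsec"
        if self.ssl == "exist":
            return "ssl"
        return "none"

    @property
    def is_ios(self) -> bool:
        return self.client.startswith("iPhone OS")


def parse_current_user(text: str) -> Tuple[str, int, List[Session]]:
    """Return (gateway name, user count the gateway declares, parsed session rows)."""
    gateway, declared = "", 0
    sessions: List[Session] = []
    for line in text.splitlines():
        m = GATEWAY_RE.search(line)
        if m:
            gateway, declared = m["name"], int(m["count"])
            continue
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["client"] = d["client"].strip()
            d["ttl"] = int(d["ttl"])
            d["inactivity_ttl"] = int(d["inactivity_ttl"])
            sessions.append(Session(**d))
    return gateway, declared, sessions


def check_sessions(declared: int, sessions: List[Session]) -> List[str]:
    """Findings to act on: SSL fallback points at the UDP 4501 NAT/security rules."""
    findings = []
    if declared != len(sessions):
        findings.append(f"parsed {len(sessions)} sessions but gateway reports {declared}")
    for s in sessions:
        if s.tunnel == "ssl":
            findings.append(f"{s.user} ({s.client}) is on SSL fallback, not IPsec")
        elif s.tunnel == "none":
            findings.append(f"{s.user} ({s.client}) has no tunnel established")
    return findings


if __name__ == "__main__":
    name, count, rows = parse_current_user(SAMPLE_OUTPUT)
    print(f"{name}: {len(rows)} of {count} declared sessions parsed")
    for s in rows:
        print(f"  {s.user:10} {s.client[:20]:20} {s.private_ip:12} {s.tunnel}")
    for finding in check_sessions(count, rows) or ["no findings"]:
        print(" ", finding)
```

Feed it the real output with `show global-protect-gateway current-user` copied from the CLI; an empty findings list is the expected result after the steps above, and an 'SSL fallback' finding for the iOS row in particular means the X-Auth client reached the portal-side TCP path but not the UDP ports through the NAT.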

 

 

owner: rkalugdan



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKPCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail