I have two questions regarding the GlobalProtect Gateway / Portal (sans the GP licensing).
- I am wanting to set up two-factor authentication for users to authenticate to the GlobalProtect Gateway/Portal with a (common) client certificate installed on their machine that our IT department installs. I currently have just AD authentication integrated, but want to prevent personal computers from logging into the portal and downloading the software and connecting into our network (even though we place VPN traffic into another subnet separate from our Trust and Untrust network). It also provides additional security if a user account is compromised. My question is, do I specify this at the Gateway, and then export the client cert to be installed on each individual machine? Is this a correct understanding?
- My second question is about allowing a contractor to VPN into our network. Since we want to provide a common cert to our staff, I don't want to provide the same cert to a contractor. Must I create another Gateway and Portal to allow this guest to access what is needed inside our network with a completely different certificate? When this contractor is done, I can just expire the cert? Is this even possible under GP sans additional licensing? How would one accomplish this; can I simply create another portal and certificate?
For certificate authentication you need only create a certificate profile for each use case and add it to the portal config as well as the gateway. If you use an AD-integrated CA, this is a breeze using auto-enrollment.
We had this same conundrum for external parties. The solution was to create another issuing/policy CA to our 3 tier architecture. Our information security department also is in charge of the root CA so this was an easy decision. Then we created a vendor portal where external users can access and request a certificate using a customized certsrv page and template. When an external party is done, we just revoke the cert and update the crl/ocsp and they are no longer able to connect. A separate portal is not entirely necessary unless you want complete segmentation. I just use AD groups and portal config to push the appropriate user to the correct gateway, as well as enable "on demand" mode.