Hello everyone, one of my customers wants to connect using their Android smartphone. I read the doc, seems like the only gotcha is it requires client certs. If I do this, then all SSLVPN users will be required to have client certs. I did not see a way to allow Android/iOS devices to use client certs while allowing PCs to simply connect in.
Has anyone else been faced with this?
Also - there is the question of licensing. I have received different answers so I am asking once again. If I understand correctly:
1. The PA comes with a portal and SINGLE gw (no license required)
2. I wanted to have a 2nd sslvpn on a second WAN interface, then I would need to purchase a "gateway License."
This is in a HA pair, so will I need a 2nd license for the Passive PA firewall?
Any verification of this would be much appreciated.
License requirements:
GlobalProtect portal license is one time permanent license. The gateway license is a one or three year
1. No license is required for single portal/ gateway deployment without Host checks
2. Only a portal license is required for multiple gateway deployment without Host check
3. Portal license and gateway subscription license is required when Host check is implemented, either with single or multiple gateways
2nd sslvpn on a second WAN interface would be a Multiple Gateway with Single Portal which would need a portal license.
This is in a HA pair, so will I need a 2nd license for the Passive PA firewall? Yes.
We came across a similar requirement as we operate in a mixed device environment and as such use Android/iOS devices with Xauth-psk (using the native OS client) as opposed to certificates and accept the tradeoff between risk/functionality.
Just in case it gives you ideas on how to solve your second interface issue, we use the single portal instance configured with multiple gateways (bound to loopbacks) such that a Windows/Mac device wishing to run the GlobalProtect client can point at the portal and receive its configuration, whilst other devices can point at the address of their gateway to establish the IPSec tunnel and obtain appropriate IP addressing/policies etc.