Using Purchased Certificate for SSL-VPN Portal/Gateway

Reply
L3 Networker

Using Purchased Certificate for SSL-VPN Portal/Gateway

We have our GP portal/gateway externally facing. We’ve designated a host name for people to access the portal so they don’t have to remember the IP address - from both Untrust and Trust Networks. Currently the portal throws a certificate warning in it's setup. I purchased a certificate from a public CA for that host name, and uploaded the cert, intermediate cert, and key to the firewall, and set the server cert in both the portal and gateway to that specific certificate, which works great and does not give an error. When navigating to the host name I get a valid certificate and all works well with logging in and downloading the GP agent. However, when the agent/client connects I get a failure because it can’t connect and it shows that it’s trying to connect to the IP address on port 443, but is unable to. The logs say  there is a Protocol error and that I should check the server certificate. I’ve tried a combination of Trusted Forward, Untrust Forward, Root CA Certificate in the cert options, but have not had any luck.  The things I am reading and the documentation on the PAN support site seems either really unclear or inconsistently documented. Any help with that would be great. Is this even a reasonable expectation or am I out the money for a certificate?

Highlighted
Not applicable

Re: Using Purchased Certificate for SSL-VPN Portal/Gateway

I have a similar setup but I used the public certificate only for the portal. The gateway and the client certificate must be signed from the same certificate authority. So I decided to use a self generated CA on the PAN to sign the gateway and client certificate. I use this CA only for signing this two certificates because global protect does verify the client certificate only by the issuing CA which must be in the list of trusted CAs in the GP portal configuration. If this CA is used for signing other certificates (like a public CA does it) everybody with a certificate from this same CA could authenticate and login to your VPN.

Highlighted
L3 Networker

Re: Using Purchased Certificate for SSL-VPN Portal/Gateway

Siebi,

I tried this.  I even followed this document with no luck. Setting the option in the portal does not work, but it does in the gateway.  If I set it for the gateway, the vpn client doesn't work. Could it be an issue with the intermediate cert, perhaps?  Are you able to provide any screen shots of your config? I am running 4.1.6 for the GP portal.  I am also using GP lite (no additional licensing). Thanks.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!