App portal for mobile devices

L1 Bithead


Hi!

I was wondering if there is a way to set up some sort of web proxy, so the connections to services behind the firewall would be secure (HTTPS). We have some services that run via HTTP and would like to publish them to the internet, but we would like to make it more secure.

One solution would be (if Palo Alto has it) to have a mobile application with a portal (a proxy), where you have some icons of those services, let's say web services, a webpage for example. When the user opens it, the secure connection is established to it.

The problem is that one of the vendors for a web service we have only allows HTTP connections and discourages opening it to the internet. That's why we are looking to still use this web service but make it more secure.

Thank you and best regards,

Jani


Accepted Solutions
L3 Networker

Hi Jani

Sounds to me like Palo Alto's Clientless VPN feature (introduced in PANOS-8.0.4) is what you need:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features/cli...

There are a few caveats:

1. This is a licensed feature - you need a GlobalProtect License for your PAN Firewall. You can request a trial license on the support portal if one was never issued in the past for this Firewall.

2. Its support of web technologies, see this link for what is supported:

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

The user browses to the GlobalProtect Portal and the links the user sees are behind the GlobalProtect Portal on the firewall, so it is secure when leaving your network.

Hope this helps.



All Replies
L7 Applicator

Hi Jani

The PA firewall does not support proxy services, but you can set up GlobalProtect VPN; this allows you to build VPN tunnels into your application servers.

Tom Piens - PANgurus.com
L1 Bithead

Thank you for your response,

Is there any way (except for GlobalProtect) to secure HTTP connections?

Best regards,

Jani

Cyber Elite

@ShaiW,

That option works to encrypt traffic to the PA; the actual session to the HTTP service however still isn't going to be encrypted. If you wish to secure HTTP, you'll have to set up the service for HTTPS connections.

L1 Bithead

@ShaiW Clientless VPN seems a really good solution for what I was looking for. Thank you for letting me know about the feature!

@BPry As I understand, the WAN connection will be encrypted because of the VPN; that is basically what we need. Or am I missing something?

Thank you for your replies

Cyber Elite

So to be clear here, the only connection that is encrypted is going to be from the device to your firewall. The actual connection to the HTTP server is still completely in the clear. If that works in your situation then you have a secure way of providing access back to your environment. Make no mistake though, that site is no more secure than it is currently.

L1 Bithead

Thanks for the help, I set up the portal and it looks promising. I set up a zone for clientless traffic which has only a few rules to access servers on a specific port.

This should be a more secure way to access the servers from outside, but just to the entry point of the firewall. Inside traffic is still as secure as it was before, not less, not more.

Thank you guys !
