Global Protect Certificate

L2 Linker

Global Protect Certificate

Hi,

I configured Global Protect, but when clients try to connect through the agent, they got "Gateway "name":The server certificate is invalid, please contact your IT administrator".

For the configured certificates, I configured a self-signed certificate as a certificate authority, and then configured a Global Protect certificate signed by the created self-signed certificate, but the common name for the self-signed cert was the firewall private IP and the common name for the Global Protect certificate was the firewall public IP.

Are there any wrong certificate settings?

Thanks

L7 Applicator

Re: Global Protect Certificate

I have never used self-signed for the portal address, but I'm sure you need to copy the self-signed root cert to the devices; it will be placed with all your other trusted cert authorities.

From PA:

Self-Signed Certificates — You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).

Cyber Elite

Re: Global Protect Certificate

@MickBall is correct. If you are using a self-signed cert or a cert signed by an internal CA, the device needs to trust this cert.

Alternatively, you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to Yes instead of the default No. This will trigger an alert but still allow the user to connect.

L1 Bithead

Re: Global Protect Certificate

Hi there,

I'm having the same issue, but not with a self-signed certificate, and on Linux (Fedora 29).

Global Protect is configured with the certificate signed by the Authorized CA.

The chain is:

DigiCert Global Root CA
DigiCert SHA2 Secure Server CA
Server certificate

It works perfectly on Windows.

On Linux (Fedora), I get the error:

Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.

I checked whether the certificate is trusted:

xxx\Downloads]$ trust list | grep Digi
label: DigiCert Global Root CA
label: DigiCert SHA2 Secure Server CA

The first two are exactly the ones that are trusted.

I am puzzled. Did anybody have issues with Global Protect on Linux?
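
An added example, not part of any post in this thread: the two situations discussed above (a root CA the client never imported, and a gateway certificate whose common name is an IP address) can be told apart with `openssl verify`. The lab CA, the file names, the `diagnose` helper and the 203.0.113.10 address are constructed for illustration; OpenSSL's IP check reads only subjectAltName entries, and the thread does not say whether the GlobalProtect agent applies the same rule.

```sh
#!/bin/sh
# Constructed lab: the CA name, file names and the RFC 5737 address are made up.
set -eu
LAB=$(mktemp -d)
GW_IP=203.0.113.10   # stands in for the firewall's public IP

# Throwaway root CA plus two gateway certs, both issued for CN=<ip>:
# cn_only.pem has no subjectAltName, with_san.pem carries an IP SAN.
make_lab() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$GW_IP" > "$LAB/san.ext"
  for name in cn_only with_san; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$GW_IP" \
      -keyout "$LAB/$name.key" -out "$LAB/$name.csr" 2>/dev/null
    ext=""
    if [ "$name" = with_san ]; then ext="-extfile $LAB/san.ext"; fi
    openssl x509 -req -in "$LAB/$name.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
      -CAcreateserial -days 2 $ext -out "$LAB/$name.pem" 2>/dev/null
  done
}

# Check trust first, then the name, so the two failure causes are reported separately.
# $1 = CA file the client trusts ("" = root never imported)
# $2 = gateway certificate, $3 = IP address the client connects to
diagnose() {
  if [ -n "$1" ]; then trust="-CAfile $1"; else trust="-no-CAfile -no-CApath"; fi
  # $trust is left unquoted on purpose: it holds several options (lab paths have no spaces).
  openssl verify $trust "$2" >/dev/null 2>&1 || { echo untrusted-chain; return 0; }
  openssl verify $trust -verify_ip "$3" "$2" >/dev/null 2>&1 || { echo name-mismatch; return 0; }
  echo ok
}

make_lab
echo "root not imported      : $(diagnose "" "$LAB/with_san.pem" "$GW_IP")"
echo "root imported, CN only : $(diagnose "$LAB/ca.pem" "$LAB/cn_only.pem" "$GW_IP")"
echo "root imported, IP SAN  : $(diagnose "$LAB/ca.pem" "$LAB/with_san.pem" "$GW_IP")"
```

To run the same check on a real gateway certificate saved to a file, pass the CA bundle the client actually uses as the first argument to `diagnose`.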
