I configured global protect, but when clients try to connect through the agent, they got "Gateway "name":The server certificate is invalid, please contact your IT administrator".
For the configured certificates, I configured self-signed certificate as a certificate authority, and then configured Global-protect certificate signed by the created self-signed certificate, but the common name for the self-signed cert was the firewall private IP and the common name for the global-protect certicate was the firewall public IP
Is there any wrong certificate settings?
i have never used self signed for portal address but i'm sure you need to copy the self signed root cert to the devices, it will be placed with all your other trusted cert authorities.
Self-Signed Certificates —You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).
@MickBall is correct. If you are using a self-signed cert or a cert signed by an internal CA the device needs to trust this cert.
Alternatively you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to yes instead of the default No. This will trigger an alert but still allow the user to connect.
I'm having the same issue but not on self signed certificate and on linux ( Fedora 29)
Global Protect is configured with the certificate signed by the Authorized CA.
The Chain is:
DigiCert Global Root CA
DigiCert SHA2 Secure Server CA
It works perfect on Windows.
On Linux, Fedora.
I get the error
Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.
I checked if certificate is trusted
xxx\Downloads]$ trust list | grep Digi
label: DigiCert Global Root CA
label: DigiCert SHA2 Secure Server CA
The first two are the exactly the ones that are trusted.
I am puzzled. Did anybody have issues with Global Protect on linux ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!