07-25-2017 02:18 AM
Hi everyone,
Do you know if it's possible to block the download of the GlobalProtect agent via the direct URL?
The goal here is to force users to authenticate in the portal web page to be able to download the agent.
Ex. for the 64-bit agent:
https://<my-portal-address>/global-protect/getmsi.esp?version=64&platform=windows
If yes, could you please share the steps to solve it?
Thanks a lot!
Fabien.
07-25-2017 07:30 AM
There are a couple of steps to achieve this, depending on the configuration that already exists on your appliance.
1. Go to Device > Certificate mgt > SSL/TLS service profile > Add. It should look like the image (2) below when you are done.
2. Network > GlobalProtect > Portal > Add > On the General tab > Add > name > external interface > IP Address
3. Then on the Authentication tab, configure your PA appliance as shown below in Image 1. This forces the portal to request user credentials before they can access the portal to download the agent. FYI, my environment uses the Local User database for authentication; yours may be different.
07-25-2017 07:42 AM
You will also need to generate a certificate or upload the certificate for GlobalProtect using the public IP address of your untrust interface. See below.
07-25-2017 08:38 AM
I'm not positive of a way to actually do this and still allow the download to accomplish on the portal. It's kind of like the ASAs in the point where if you know where to direct it for the file itself you can get the download without authentication. You could put the link itself behind a captive portal if this is a big enough issue for you, but the user experience if they go through the portal would be pretty bad.
The authentication to the portal itself I'm sure is working perfectly fine, the file however can still be downloaded even if you don't authenticate by going directly to the download link.
07-25-2017 08:39 AM - edited 07-25-2017 08:41 AM
I think @FabienJ has already done the steps you describe ... what he wants is to FORCE users to authenticate so nobody should be able to download the GP agent without logging in.
You probably want to ask your SE for a feature request.
I can think of a possibility to achieve this, but at the moment I don't know if this works and it also contains something that's normally not recommended ... I will first do a little test before I write some senseless stuff here.
... and once again @BPry was faster 😉 ...