This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect VPN with Windows-PKI (W2K8R2)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect VPN with Windows-PKI (W2K8R2)

ecirclegmbh
Not applicable

‎05-09-2012 08:59 AM

Hi

Currently we have a beta-environment for GlobalProtect-VPN on Windows7 (64bit).

Authentication with LDAP works fine.

But we want to use a client-certificate (user) from our internal Windows-PKI which is already rolled out to the endpoints.

Where can i find a complete step-by-step-guide?

Thanks for your help

Juergen

Labels:
6 REPLIES 6

zarina
L5 Sessionator

‎05-09-2012 10:54 AM

You can find a global protect guide on Support portal under technical documentation. I have attached the guide for your reference.

Preview file
1129 KB
0 Likes Likes

ecirclegmbh
Not applicable
In response to zarina

‎05-09-2012 11:02 PM

Hi

I am sorry. I know this guide but it doesn't cover my needs.

It starts on page 6 with "In this example the firewall is configured as CA server and this certificate to sign Gateway and Client certificates." - the guide is quiet good and it works with this configuration.

But we need it working together with our internal Windows-PKI and the depending client-certificates.

In the best case it works in the same way with iOS-devices (also with an already rolled out client-certificate).

Regards

Juergen

0 Likes Likes

mwalter
Palo Alto Networks Guru
In response to ecirclegmbh

‎05-14-2012 04:24 PM

The client certificate that is used internally in GlobalProtect is provided to the client through the GlobalProtect Portal. If you'd like to use a client certificate from your PKI here, you have to import into the Portal including the private key. The certificate is actually shared across all GlobalProtect clients in your deployment to ensure that only clients from your deployment can connect to your configured GlobalProtect Gateways. It doesn't provide true machine authentication and authorization as you are looking for.

ecirclegmbh
Not applicable
In response to mwalter

‎05-15-2012 01:24 AM

Hi

Thank you. This is a bit disappointing that there is no way to fully use the Windows-PKI.

Could it be possible to use RADIUS instead?

Jürgen

0 Likes Likes

sjamaluddin
L4 Transporter
In response to ecirclegmbh

‎05-15-2012 04:30 PM

Yes, you can use RADIUS (secure ID) as a secondary means of authentication. Ensure that the username for the RADIUS authentication is configured for the GP gateway stage and  is the same as that which is used at the portal stage as you will not be prompted to add the username at the Gateway level


You will however will allowed to enter the password and here is where you'd enter the RADIUS secure ID one time password  as the password

jorisVD
L1 Bithead
In response to mwalter

‎05-15-2013 04:39 AM

Hi Mwalter,

Will their be a working together with an  internal Windows-PKI in future PANOS versions?

We are looking at IOS and Android devices using an individual client certificate.

Thanks

Joris

0 Likes Likes
  • 6733 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks