This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using Purchased Certificate for SSL-VPN Portal/Gateway

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Using Purchased Certificate for SSL-VPN Portal/Gateway

cmateam
L3 Networker

‎07-13-2012 09:37 AM

We have our GP portal/gateway externally facing. We’ve designated a host name for people to access the portal so they don’t have to remember the IP address - from both Untrust and Trust Networks. Currently the portal throws a certificate warning in it's setup. I purchased a certificate from a public CA for that host name, and uploaded the cert, intermediate cert, and key to the firewall, and set the server cert in both the portal and gateway to that specific certificate, which works great and does not give an error. When navigating to the host name I get a valid certificate and all works well with logging in and downloading the GP agent. However, when the agent/client connects I get a failure because it can’t connect and it shows that it’s trying to connect to the IP address on port 443, but is unable to. The logs say  there is a Protocol error and that I should check the server certificate. I’ve tried a combination of Trusted Forward, Untrust Forward, Root CA Certificate in the cert options, but have not had any luck.  The things I am reading and the documentation on the PAN support site seems either really unclear or inconsistently documented. Any help with that would be great. Is this even a reasonable expectation or am I out the money for a certificate?

0 Likes Likes
2 REPLIES 2

siebi
Not applicable

‎07-14-2012 04:37 AM

I have a similar setup but I used the public certificate only for the portal. The gateway and the client certificate must be signed from the same certificate authority. So I decided to use a self generated CA on the PAN to sign the gateway and client certificate. I use this CA only for signing this two certificates because global protect does verify the client certificate only by the issuing CA which must be in the list of trusted CAs in the GP portal configuration. If this CA is used for signing other certificates (like a public CA does it) everybody with a certificate from this same CA could authenticate and login to your VPN.

0 Likes Likes

cmateam
L3 Networker
In response to siebi

‎07-16-2012 10:18 AM

Siebi,

I tried this.  I even followed this document with no luck. Setting the option in the portal does not work, but it does in the gateway.  If I set it for the gateway, the vpn client doesn't work. Could it be an issue with the intermediate cert, perhaps?  Are you able to provide any screen shots of your config? I am running 4.1.6 for the GP portal.  I am also using GP lite (no additional licensing). Thanks.

0 Likes Likes
  • 2527 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks