Hello all,
We're looking to implement GlobalProtect for our organization, and I'd like to make sure we follow best practices using certificates for authentication. The only endpoints we need to account for are Windows and a small number of MacOS, and all machines are owned and controlled by our company (no contractor or BYOD devices). To simplify things, we'll use the same interface/IP for Portal and Gateway unless there is a reason to separate it.
We'd like to use Machine Certs for prelogon. This will allow devices to get minimal connectivity to specific internal resources before the user logs on. This is what I'm thinking for the portal configuration:
- Server Auth: SSL/TLS Profile with Cert trusted by Clients
- Client Auth:
- LDAP Auth Profile
- Allow Authentication with User Credentials OR Client Certificate" set to YES - this will allow just the machine cert to authenticate the prelogon user
- Certificate Profile: Specify the cert profile that references the internal CA that signed the machine cert, Username Filed set to None
- Agent 1
- User: pre-logon
- OS: Windows, Mac
- External Gateway: External-GW
- App Config:
- Connect Method: Pre-logon (Always On)
- Client Certificate Store Lookup: Machine
- Agent 2
- User: any
- OS: Windows, Mac
- External Gateway: External-GW
- App Config:
- Connect Method: Pre-logon (Always On)
- Client Certificate Store Lookup: User
For the Gateway, we'd like to implement two factor authentication with User Certificate and LDAP. This is what I'm planning for the gateway auth configuration:
- Server Auth: Same SSL/TLS Profile as portal
- Client Auth:
- LDAP Auth Profile
- Allow Authentication with User Credentials OR Client Certificate" set to NO - force cert and LDAP credentials
- Certificate Profile: Any reason not to use the same certificate profile as the portal client auth if the same internal CA signed user and machine certs?
Is the above config fairly standard for GlobalProtect with machine and user certificates, or are we missing something?
One general question I have is how important is it to use both machine certs and user certs in this scenario? What if I used the machine cert for prelogon and then also used the machine cert for the Gateway Client Authentication rather than User cert? I know the Machine Cert wouldn't have the username in it, but if we're also requiring LDAP auth for Gateway, LDAP could get the username from SSO. So is there much security benefit to using Machine Cert and User Cert, or should we simplify and only use Machine Cert?
