
How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates
Overview
This document describes how to configure GlobalProtect SSO with the Pre-Logon access method using self-signed certificates.

Steps
The example configuration below is for one portal and one gateway residing on the same Palo Alto Networks
device but can be expanded to reflect multiple gateways. Local Database authentication is used for this
example but other authentication methods (LDAP, Kerberos, Radius, etc.) can be applied.
1. Generate the root Certificate Authority (CA) certificate on the Palo Alto Networks device. This will be
used to sign the server certificates for both the GlobalProtect Portal and Gateway, as well as the machine
certificate that will be deployed to the client machines.

Generated on 2014-11-07-08:00


2. Generate the server and machine certificates. Each certificate should be signed by the CA certificate
created in Step 1.


3. Device certificates associated with GlobalProtect should appear as follows:

4. Create a Certificate Profile. This will be used to confirm machine certificate validity when cross-checking
with the CA Certificate. Make sure to select the CA Certificate when adding 'CA Certificates'.


5. Create your GP Portal as follows:

   1. Under Portal Configuration, configure the network and authentication settings. Select the server
   certificate generated in Step 3 above. For Certificate Profile, select the profile created in Step 4.

   2. Under Client Configuration, create a client config. This will be pushed to GlobalProtect clients during
   the initial connection and on 'Rediscover Network' attempts.
   Configure the pre-logon client config with the pre-logon access method. Configure another config with
   'any' user so that all users, including pre-logon, receive the same config. In the Trusted Root CA
   section, add the root CA created in Step 1. This certificate will be pushed out to the connecting
   agents.


6. A sample GlobalProtect Gateway configuration is shown below. Make sure to use the same server
certificate and certificate profile used in the GlobalProtect Portal configuration.

7. The image below shows a GlobalProtect Gateway configuration that terminates users on tunnel.1 (L3 Trust Zone) and uses the 192.168.200.0/24 IP pool, with an access route only to the Internal Trust Network
(192.168.144.0/24).

8. Next step is to export the machine certificate which will then be added to the trusted certificate store on
the local computer. Use the PKCS12 file format and provide a passphrase.


9. On the client machine, import the previously exported machine certificate. The image below
demonstrates the use of the MMC Certificates snap-in for the local computer.

10. This will launch the Certificate Import Wizard. Follow the steps to complete the import. The certificate
for this example was exported in PKCS12 file format. Make sure to confirm that the correct certificate is detected.


11. Install the certificate into the local computer Personal certificate store and then confirm the installation.


12. Here, syslog shows the initial connection, in which the agent uses the user's credentials to connect
successfully. Subsequently, log off the machine and verify that the machine is still able to make a successful
connection to both the GlobalProtect Portal and Gateway as a 'pre-logon' user, with the machine certificate
validated against the CA certificate.
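The client-side part of Steps 8 through 12 (importing the PKCS12 machine certificate and confirming that it chains to the CA the Certificate Profile checks against) can also be done and verified from PowerShell instead of the MMC snap-in. The script below is an added example and is not part of the original article or a Palo Alto Networks tool; the file paths and the function name Test-GpMachineCertificate are assumptions for this illustration. It imports the root CA into the local computer Trusted Root store, imports the machine certificate with its private key into the Local Computer Personal store, and then builds the chain the same way the firewall's Certificate Profile will validate it.

```powershell
# Added example (not from the original article): import the PKCS#12 machine certificate
# exported in Step 8 into Local Computer\Personal, trust the root CA from Step 1, and
# verify that the machine certificate chains to that CA. Paths below are assumptions.
$PfxPath    = 'C:\Certs\gp-machine-cert.pfx'   # assumed: PKCS#12 exported from the firewall (Step 8)
$RootCaPath = 'C:\Certs\gp-root-ca.cer'        # assumed: export of the root CA certificate (Step 1)

# Trust the root CA on the local computer (Trusted Root Certification Authorities store).
$rootCa = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Import the machine certificate, together with its private key, into Local Computer\Personal.
# Pre-logon runs before any user signs in, so the certificate must live in the machine store.
$pfxPassword = Read-Host -Prompt 'PKCS#12 passphrase' -AsSecureString
$machineCert = Import-PfxCertificate -FilePath $PfxPath `
                                     -CertStoreLocation 'Cert:\LocalMachine\My' `
                                     -Password $pfxPassword

# Reproduce the checks the Certificate Profile performs: the certificate must chain to the
# CA certificate selected in Step 4, and for pre-logon it must carry a usable private key.
function Test-GpMachineCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedRootThumbprint
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed lab CA publishes no CRL/OCSP, so skip revocation to keep the chain test meaningful.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    # The last element of a built chain is the trust anchor it terminated at.
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $Cert.Subject
        HasPrivateKey  = $Cert.HasPrivateKey
        ChainBuilt     = $built
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootThumbprint = $root.Thumbprint
        RootMatchesCA  = ($root.Thumbprint -eq $ExpectedRootThumbprint)
        NotAfter       = $Cert.NotAfter
    }
}

Test-GpMachineCertificate -Cert $machineCert -ExpectedRootThumbprint $rootCa.Thumbprint | Format-List
```

Run this from an elevated PowerShell session, since writing to the LocalMachine certificate stores requires administrator rights. A result with HasPrivateKey, ChainBuilt and RootMatchesCA all True, and an empty ChainStatus, corresponds to what the firewall expects before it will accept the machine certificate for a pre-logon connection; RootMatchesCA False means the certificate was signed by a different CA than the one referenced in the Certificate Profile, and HasPrivateKey False usually means the export in Step 8 did not include the private key.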

owner: rkalugdan
