Configuring Global Protect SSL VPN with a
user-defined port
Version 1.0
PAN-OS 5.0.1
Johan Loos
Configuring Global Protect SSL VPN with a user-defined port 2
Global Protect SSL VPN Overview
This document gives an overview of how to configure Global Protect for SSL VPN access. I use a custom port other than the default (443) and a little help from a loopback adapter.
You can also create a security group in Active Directory that users must be a member of before they can access the network via SSL VPN. Users are authenticated by a Network Policy on a Network Policy Server (NPS) running on Windows Server 2012.
Global Protect Task List
Create a Loopback Adapter
Create a Tunnel Interface
Create a Server Certificate
Create a RADIUS Server Profile
Create a RADIUS Authentication Profile
Configure Global Protect Portal
Configure Global Protect Gateway
Configure the Internet zone for User Identification
Create an object for the public address
Create an object for the loopback adapter
Create a service object for a custom port
Create a NAT rule
Create a Security Policy rule
Create a group SSL VPN Users in Active Directory
Create a Connection Request Policy on Windows Server 2012 NPS
Create a Network Policy on Windows Server 2012 NPS
Install Global Protect SSLVPN Client
Configure Global Protect SSLVPN Client
Create a Loopback Adapter
Navigate to Network | Interfaces | Loopback and click Add
On the Loopback Interface | Config page, type an Interface number, add the interface to a security zone and assign a virtual router
On the Loopback Interface | IPv4 page, type the IP address of the interface
Click OK
Create a Tunnel Interface
Navigate to Network | Interfaces | Tunnel and click Add
On the Tunnel Interface | Config page, type an Interface number, add the interface to a security zone and assign a virtual router
On the Tunnel Interface | IPv4 page, leave the IP address of the interface blank
Click OK
Create a Server Certificate
Read the document on How to request a certificate
Create a RADIUS Server Profile
Navigate to Device | Server Profiles | RADIUS and click Add
On the RADIUS Server Profile page, type a name for the profile and a name for your domain, then click Add and enter the IP address, shared secret and port of the RADIUS server
Click OK
Create a RADIUS Authentication Profile
Navigate to Device | Authentication Profile and click Add
On the Authentication Profile page, type a name, select RADIUS from the Authentication list box and select your RADIUS Server Profile
Click OK
Configure Global Protect Portal
Navigate to Network | GlobalProtect | Portals and click Add
On the GlobalProtect Portal | General page, type a name for your Portal, select a Server Certificate, select an Authentication Profile and select the Loopback Interface as Interface Address
On the GlobalProtect Portal | Client Configuration page, click Add
On the Configs | General page, type a name, clear Use single sign-on, and select on-demand as the connection method
On the Configs | Gateways page, click Add
Type the external (Internet-facing) IP address of your portal and also specify the port number the portal is listening on
Click OK
On the GlobalProtect Portal | Client Configuration page, under Trusted Root CA, click Add and select the certificate of your trusted Root CA
Click OK
Configure GlobalProtect Gateway
Navigate to Network | GlobalProtect | Gateways and click Add
On the GlobalProtect Gateway | General page, type a name for your Gateway and specify the Interface and IP Address. Select your Server Certificate and select an Authentication Profile
On the GlobalProtect Gateway | Client Configuration | Tunnel Settings page, enable Tunnel Mode and select your Tunnel Interface
On the GlobalProtect Gateway | Client Configuration | Network Settings page, type the IP address of your internal DNS server, type a DNS suffix and specify the IP Pool address range (the range from which your SSL VPN clients receive an IP address)
Click OK
Configure the Internet zone for User Identification
Navigate to Network | Zones, select your Internet zone and check Enable User Identification
Click OK
Create an object for the Public Address
Navigate to Objects | Addresses and click Add
On the Address page, type a name for the object you want to create and type the IP address
Click OK
Create an object for your Loopback Adapter
Navigate to Objects | Address and click Add
On the Address page, type a name and IP address
Click OK
Create a Service Object for TCP-3210
Navigate to Objects | Services, and click Add
On the Service page, specify a name and specify the Destination Port
Click OK
Create a NAT rule
Select Policies | NAT, and click Add
On the NAT Policy Rule | General page, type a name for the NAT rule
Click on Original Packet
As Source Zone select LAN, as Destination Zone select Internet, as Service select the service object you created before, and as Destination Address select the public address of your outside interface
Select Translated Packet
As Translation Type select Destination Address Translation, as Translated Address select your loopback adapter, and type 443 as the translated port
Click OK
Create a Security Policy rule
Navigate to Policies | Security, and click Add
On the General page, type a name for your policy
Click on Source
Select a Source Zone and a Source Address
Click on Destination
Select a Destination Zone
Click on Application
Add the applications you need for that server
Click on Service
Select the service you have created above
Click on Actions
Select the actions that you need
Click OK
Create a group SSL VPN Users in Active Directory
Open Active Directory Users and Computers from Administrative Tools
Navigate to an OU, right click and select New Group
On the New Object - Group dialog box, type the name of your group: GlobalProtect SSLVPN Users
On the Members tab add the required user accounts
Click OK
Configure your firewall as a RADIUS client on Windows Server 2012 NPS
Open Network Policy Server from Administrative Tools
Expand RADIUS Clients and Servers, right-click RADIUS Clients and select New RADIUS Client
On the New RADIUS Client dialog box, specify a friendly name, the IP address of the firewall and the shared secret
Click Advanced and check or uncheck the required options
Click OK
Create a Connection Request Policy on Windows Server 2012 NPS
From the Network Policy Server console, right-click Connection Request Policies and select New
On the Specify Connection Request Policy Name and Connection Type page, type a name for the policy and click Next
On the Specify Conditions page, click Add. Select NAS Port Type (Ethernet)
On the Select conditions dialog box, select Client IPv4 Address and click Add
On the Client IPv4 Address dialog box, type the management IP address of the firewall
Click OK and click Next
On the Specify Connection Request Forwarding page, select Authenticate requests on this server and click Next
On the Specify Authentication Methods page, click Next
On the Configure Settings page, click Next
On the Completing Connection Request Policy Wizard page, click Finish
Create a Network Policy on Windows Server 2012 NPS
From the Network Policy Server console, right-click Network Policies and select New
On the Specify Network Policy Name and Connection Type page, type a name for your policy and click Next
On the Specify Conditions page, click Add
From the Select Condition dialog box, add the Windows Group GlobalProtect SSLVPN Users, and click Next
On the Specify Access Permissions page, select Access Granted and click Next
On the Configure Authentication Methods page, clear all authentication methods, select only Unencrypted Authentication (PAP, SPAP) and click Add
On the Configure Constraints page, click Next
On the Configure Settings page, click Next
On the Completing New Network Policy page, click Finish
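Selecting Unencrypted Authentication (PAP, SPAP) means the firewall (the RADIUS client) sends the user's password hidden only by the RFC 2865 User-Password scheme, so the shared secret entered in the RADIUS Server Profile and in the NPS RADIUS client entry is all that protects credentials between firewall and NPS. The following added example (not part of this document, and not Palo Alto Networks or Microsoft code) builds the Access-Request the firewall would send, including the NAS-Port-Type (Ethernet) and Client IPv4 Address attributes that the Connection Request Policy above matches on, and recovers it the way NPS does; the shared secret, user and NAS address are constructed values.

```python
import hashlib
import os
import struct

# Constructed sample value (not from the document): the shared secret that the
# firewall's RADIUS Server Profile and the NPS RADIUS client entry both hold.
SHARED_SECRET = b"constructed-example-secret"
NAS_PORT_TYPE_ETHERNET = 15  # the NAS Port Type value the NPS policy matches on

def hide_password(password: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    'previous' being the Request Authenticator first, then the prior ciphertext block."""
    n = max(1, (len(password) + 15) // 16) * 16
    buf, out, prev = password.ljust(n, b"\x00"), b"", authenticator
    for i in range(0, n, 16):
        block = buf[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else out[-16:]
    return out.rstrip(b"\x00") if decrypt else out

def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(user: bytes, password: bytes, nas_ip: str, secret: bytes) -> bytes:
    """Access-Request as the NAS (here the firewall) sends it for a PAP login."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per request
    attrs = (attr(1, user)                                             # User-Name
             + attr(2, hide_password(password, secret, authenticator))  # User-Password
             + attr(4, bytes(int(o) for o in nas_ip.split(".")))       # NAS-IP-Address
             + attr(61, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))    # NAS-Port-Type
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: recover the attributes NPS evaluates; a wrong secret yields garbage, not an error."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator, pos, out = pkt[4:20], 20, {"code": code}
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        v = pkt[pos + 2:pos + l]
        if t == 1:
            out["user"] = v
        elif t == 2:
            out["password"] = hide_password(v, secret, authenticator, decrypt=True)
        elif t == 4:
            out["nas_ip"] = ".".join(str(b) for b in v)
        elif t == 61:
            out["nas_port_type"] = struct.unpack("!I", v)[0]
        pos += l
    return out
```

Because the hiding is keyed only by the shared secret, use a long random secret and keep the firewall-to-NPS path on the management network rather than relying on PAP itself for confidentiality.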
Install Global Protect SSLVPN Client
Open your web browser and connect to your Global Protect Portal using https://192.168.10.25:3210/
On the login page, type your domain username and password and click on Login
On the GlobalProtect Portal select the required Agent
On the Welcome to the GlobalProtect Setup Wizard page, click Next
On the Select Installation Folder page, click Next
On the Confirm Installation page, click Next
On the Installation Complete page, click Close
Configure Global Protect SSLVPN Client
Navigate to Start | Programs | Palo Alto Networks | GlobalProtect and launch GlobalProtect
On the GlobalProtect page, type your domain credentials and the portal IP address, then click Apply
If authentication is successful, the status displays Connected
On the GlobalProtect dialog, select View | Advanced
Navigate to Logs | Monitor | System to verify authentication
Windows Event Log