GlobalProtect Portals Clientless VPN Tab
End-of-Life (EoL)
- Network > GlobalProtect > Portals > <portal-config> > Clientless VPN
You can configure the GlobalProtect portal to provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users get secure access from an SSL-enabled web browser without installing GlobalProtect software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. This feature requires a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Select the Clientless VPN tab to configure the GlobalProtect Clientless VPN settings on the portal as described in the following table.
GlobalProtect Portal Clientless Configuration Settings | Description |
---|---|
General tab | |
Clientless VPN | Select Clientless VPN to specify general information about the Clientless VPN session: |
Hostname | The IP address or FQDN for the GlobalProtect portal that hosts the web applications landing page. The GlobalProtect Clientless VPN rewrites application URLs with this hostname. If you use Network Address Translation (NAT) to provide access to the GlobalProtect portal, the IP address or FQDN you enter must match (or resolve to) the NAT IP address for the GlobalProtect portal (the public IP address). |
Security Zone | The zone for the Clientless VPN configuration. Security rules defined in this zone control which applications users can access. |
DNS Proxy | The DNS server that resolves application names. Select a DNS proxy server or configure a New DNS Proxy (Network > DNS Proxy). |
Login Lifetime | The number of Minutes (range is 60 to 1,440) or Hours (range is 1 to 24; default is 3) that a clientless SSL VPN session is valid. After the specified time, users must re-authenticate and start a new clientless VPN session. |
Inactivity Timeout | The number of Minutes (range is 5 to 1,440; default is 30) or Hours (range is 1 to 24) that a clientless SSL VPN session can remain idle. If there is no user activity during the specified amount of time, the user must re-authenticate and start a new clientless VPN session. |
Max User | The maximum number of users that can be logged into the portal at the same time (default is 10; range is 1 to no maximum). When the maximum number of users is reached, additional clientless VPN users cannot log in to the portal. |
Applications tab | |
Applications to User Mapping | Add one or more Applications to User Mapping entries to match users with published applications. This mapping controls which users or user groups can use a clientless VPN to access applications. You must define the applications and application groups before mapping them to users (Network > GlobalProtect > Clientless Apps and Network > GlobalProtect > Clientless App Groups). |
User/User Group | You can Add individual users or user groups to which the current application configuration applies. These users have permission to launch the configured applications using a GlobalProtect clientless VPN. You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups. In addition to users and groups, you can specify when these settings apply to the users or groups: |
Applications | You can Add individual applications or application groups to the mapping. The Source Users you included in the configuration can use GlobalProtect clientless VPN to launch the applications you add. |
Crypto Settings tab | |
Protocol Versions | Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2. |
Key Exchange Algorithms | Select the supported algorithm types for key exchange. Choices include RSA, Diffie-Hellman (DHE), or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). |
Encryption Algorithms | Select the supported encryption algorithms. AES128 or higher is recommended. |
Authentication Algorithms | Select the supported authentication algorithms. Choices are: MD5, SHA1, SHA256, or SHA384. SHA256 or higher is recommended. |
Server Certificate Verification | Select the action to take for each of the following issues that can occur when an application presents a server certificate: |
Proxy tab | |
Name | A label of up to 31 characters to identify the proxy server that the GlobalProtect portal uses to access published applications. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores. |
Domains | Add the domains served by the proxy server. |
Use Proxy | Select to allow the GlobalProtect portal to use the proxy server to access the published applications. |
Server Port | Specify the hostname (or IP address) and port number of the proxy server. |
User Password | Specify the username and password needed to log in to the proxy server. Enter the password again for verification. |
Advanced Settings tab | |
Rewrite Exclude Domain List | (Optional) Add domain names, host names, or IP addresses to the Rewrite Exclude Domain List. The clientless VPN acts as a reverse proxy and modifies pages returned by the published applications. When a remote user accesses the URL, the requests go through the GlobalProtect portal. In some cases, the application may have pages that do not need to be accessed through the portal. Specify domains that should be excluded from rewrite rules and cannot be rewritten. Paths are not supported in host and domain names. The wildcard character (*) for host and domain names can only appear at the beginning of the name (for example, *.etrade.com). |
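The following added example (not Palo Alto Networks code, and not the PAN-OS configuration schema) shows how an administrator could pre-check a proposed Clientless VPN portal configuration before committing it: it validates the Login Lifetime, Inactivity Timeout and Max User values against the ranges in the General tab, flags Crypto Settings choices that fall below the table's recommendations (a minimum protocol below TLSv1.2, MD5 or SHA1 authentication, an encryption algorithm below AES128, and RSA key exchange, which unlike DHE/ECDHE gives no forward secrecy), and enforces the two stated Rewrite Exclude Domain List rules (no paths, wildcard only at the beginning). The config dictionary layout, the field names and the sample values are assumptions constructed for this example, as is the wildcard-matching rule in `host_is_excluded` (a leading `*.` is taken to match any number of labels).

```python
import re
from fnmatch import fnmatchcase

# Documented ranges for the General tab: unit -> (min, max).
LOGIN_LIFETIME = {"minutes": (60, 1440), "hours": (1, 24)}
INACTIVITY_TIMEOUT = {"minutes": (5, 1440), "hours": (1, 24)}

# Crypto Settings tab protocol choices, ordered weakest to strongest.
PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
WEAK_AUTH = {"MD5", "SHA1"}  # the table recommends SHA256 or higher


def check_timer(name, value, unit, ranges):
    """Return a finding if a lifetime/timeout is outside its documented range."""
    if unit not in ranges:
        return [f"{name}: unit must be one of {sorted(ranges)}"]
    low, high = ranges[unit]
    if not low <= value <= high:
        return [f"{name}: {value} {unit} is outside the range {low}-{high}"]
    return []


def check_exclude_entry(entry):
    """Rewrite Exclude Domain List rules: no paths, '*' only as the leading label."""
    problems = []
    if "/" in entry:
        problems.append(f"{entry!r}: paths are not supported")
    if "*" in entry and not (entry.startswith("*.") and "*" not in entry[1:]):
        problems.append(f"{entry!r}: the wildcard may only appear at the beginning")
    return problems


def host_is_excluded(host, exclude_list):
    """True if host matches an exclude entry exactly or via a leading wildcard.
    Assumed semantics for this example; invalid entries are skipped, not widened."""
    host = host.lower()
    return any(fnmatchcase(host, e.lower()) for e in exclude_list if not check_exclude_entry(e))


def check_crypto(crypto):
    """Flag Crypto Settings choices below the table's recommendations."""
    findings = []
    for key in ("min_version", "max_version"):
        if crypto[key] not in PROTOCOLS:
            return [f"{key}: {crypto[key]!r} is not one of {PROTOCOLS}"]
    lo, hi = PROTOCOLS.index(crypto["min_version"]), PROTOCOLS.index(crypto["max_version"])
    if lo > hi:
        findings.append("protocol: minimum version is higher than maximum version")
    if lo < PROTOCOLS.index("TLSv1.2"):
        findings.append(f"protocol: minimum {crypto['min_version']} admits deprecated versions; set TLSv1.2")
    if "RSA" in crypto["key_exchange"]:
        findings.append("key_exchange: RSA key transport has no forward secrecy; prefer ECDHE or DHE")
    for alg in crypto["encryption"]:
        bits = re.search(r"(\d+)", alg)
        if not alg.upper().startswith("AES") or bits is None or int(bits.group(1)) < 128:
            findings.append(f"encryption: {alg} is below the recommended AES128")
    for alg in crypto["authentication"]:
        if alg.upper() in WEAK_AUTH:
            findings.append(f"authentication: {alg} is weak; use SHA256 or higher")
    return findings


def validate(cfg):
    """Return all findings for a candidate Clientless VPN portal configuration."""
    general = cfg["general"]
    findings = check_timer("login_lifetime", *general["login_lifetime"], LOGIN_LIFETIME)
    findings += check_timer("inactivity_timeout", *general["inactivity_timeout"], INACTIVITY_TIMEOUT)
    if general["max_user"] < 1:
        findings.append("max_user: must be at least 1")
    findings += check_crypto(cfg["crypto"])
    for entry in cfg["advanced"]["rewrite_exclude"]:
        findings += check_exclude_entry(entry)
    return findings


# Constructed sample configurations (hypothetical, not from any real deployment).
WEAK_CONFIG = {
    "general": {"login_lifetime": (30, "minutes"), "inactivity_timeout": (30, "minutes"), "max_user": 10},
    "crypto": {"min_version": "TLSv1.0", "max_version": "TLSv1.2",
               "key_exchange": ["RSA", "ECDHE"], "encryption": ["3DES", "AES128"],
               "authentication": ["SHA1", "SHA256"]},
    "advanced": {"rewrite_exclude": ["*.etrade.com", "static.*.example.com", "cdn.example.com/assets"]},
}
HARDENED_CONFIG = {
    "general": {"login_lifetime": (3, "hours"), "inactivity_timeout": (30, "minutes"), "max_user": 10},
    "crypto": {"min_version": "TLSv1.2", "max_version": "TLSv1.2",
               "key_exchange": ["ECDHE"], "encryption": ["AES128", "AES256"],
               "authentication": ["SHA256", "SHA384"]},
    "advanced": {"rewrite_exclude": ["*.etrade.com", "cdn.example.com"]},
}

if __name__ == "__main__":
    for finding in validate(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", validate(HARDENED_CONFIG))
```

Running the block reports seven findings for the weak configuration (login lifetime below 60 minutes, TLSv1.0 minimum, RSA key exchange, 3DES, SHA1, a mid-name wildcard and a path in the exclude list) and none for the hardened one. The exclude-list check is deliberately strict: an entry that violates the documented rules is reported and ignored by `host_is_excluded` rather than being reinterpreted, since an exclusion that silently matches more hosts than intended would let application pages bypass the portal's rewriting.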