
Configuring Global Protect SSL VPN with a user-defined port
Version 1.0

PAN-OS 5.0.1

Johan Loos

johan@accessdenied.be
Global Protect SSL VPN Overview
This document gives you an overview of how to configure Global Protect for SSL VPN access on a customized port other than the default (443). The portal itself always listens on 443, so the custom port is handled with a loopback interface and a destination NAT rule that translates the public address on the custom port to the loopback address on port 443.

You can also create a security group in Active Directory of which the user must be a member before he can access the network via SSL VPN. Users are authenticated by a Network Policy on the Network Policy Server (NPS) running on Windows Server 2012, which the firewall queries over RADIUS.

Global Protect Task List

• Create a Loopback Adapter
• Create a Tunnel Interface
• Create a Server Certificate
• Create a RADIUS Server Profile
• Create a RADIUS Authentication Profile
• Configure Global Protect Portal
• Configure Global Protect Gateway
• Configure the Internet zone for User Identification
• Create an object for the public address
• Create an object for the loopback adapter
• Create a service object for a custom port
• Create a NAT rule
• Create a Security Policy rule
• Create a group SSL VPN Users in Active Directory
• Configure your firewall as RADIUS client on Windows Server 2012 NPS
• Create a Connection Request Policy on Windows Server 2012 NPS
• Create a Network Policy on Windows Server 2012 NPS
• Install Global Protect SSLVPN Client
• Configure Global Protect SSLVPN Client

Create a Loopback Adapter

• Navigate to Network | Interfaces | Loopback and click Add
• On the Loopback Interface | Config page, type an Interface number, add the interface to a security zone and assign a virtual router
• On the Loopback Interface | IPv4 page, type the IP address of the interface. This is the address the portal will be bound to (listening on 443) and the address the NAT rule created later translates to
• Click OK

Create a Tunnel Interface

• Navigate to Network | Interfaces | Tunnel and click Add
• On the Tunnel Interface | Config page, type an Interface number, add the interface to a security zone and assign a virtual router. Putting the tunnel interface in its own zone lets you write security policy specifically for the SSL VPN users
• On the Tunnel Interface | IPv4 page, leave the IP address of the interface blank
• Click OK

Create a Server Certificate

Read the document on How to request a certificate. The certificate is presented to the clients by the portal and the gateway, so its Common Name or Subject Alternative Name must match the address the clients connect to, and the issuing CA must be trusted by the clients (the portal configuration below pushes the Root CA certificate to the agent).

Create a RADIUS Server Profile

• Navigate to Device | Server Profiles | RADIUS and click Add
• On the RADIUS Server Profile page, type a name for your profile, specify a name for your domain, click Add and enter the IP address of the RADIUS server, the shared secret and the port. The same secret must be entered later when the firewall is registered as a RADIUS client on the NPS
• Click OK

Create a RADIUS Authentication Profile

• Navigate to Device | Authentication Profile and click Add
• On the Authentication Profile page, type a name, select RADIUS as Authentication and select your RADIUS server profile from the Server Profile list
• Click OK

Configure Global Protect Portal

• Navigate to Network | GlobalProtect | Portals and click Add
• On the GlobalProtect Portal | General page, type a name for your Portal, select the Server Certificate, select the Authentication Profile and, for Interface and IP Address, select the Loopback Interface and its address. The portal then listens on the loopback address on port 443; the NAT rule created later maps the public address and the custom port onto it
• On the GlobalProtect Portal | Client Configuration page, click Add
• On the Configs | General page, type a name, clear Use single sign-on and select on-demand as connection method
• On the Configs | Gateways page, click Add
• Type the external (Internet-facing) IP address that the clients connect to and the port number on which it is reachable
• Click OK
• On the GlobalProtect Portal | Client Configuration page, under Trusted Root CA, click Add and select the certificate of your trusted Root CA, so that the agent trusts the server certificate
• Click OK

Configure GlobalProtect Gateway

• Navigate to Network | GlobalProtect | Gateways and click Add
• On the GlobalProtect Gateway | General page, type a name for your Gateway, specify the Interface and IP Address, select your Server Certificate and select an Authentication Profile
• On the GlobalProtect Gateway | Client Configuration | Tunnel Settings page, enable Tunnel Mode and select your Tunnel Interface
• On the GlobalProtect Gateway | Client Configuration | Network Settings page, type the IP address of your internal DNS server, type a DNS suffix and specify the IP Pool address range (the range from which your SSL VPN clients receive an IP address). Use a range that does not overlap with any internal network, so that return traffic is routed back into the tunnel
• Click OK

Configure the Internet zone for User Identification

• Navigate to Network | Zones, select your Internet zone and check Enable User Identification
• Click OK

Create an object for the Public Address

• Navigate to Objects | Addresses and click Add
• On the Address page, type a name for the object you want to create and type the public IP address of your outside interface
• Click OK

Create an object for your Loopback Adapter

• Navigate to Objects | Addresses and click Add
• On the Address page, type a name and the IP address of the loopback interface
• Click OK

Create a Service Object for TCP-3210

• Navigate to Objects | Services and click Add
• On the Service page, specify a name, select TCP as Protocol and type 3210 as Destination Port. This is the user-defined port on which the clients reach the portal
• Click OK

Create a NAT rule

• Select Policies | NAT and click Add
• On the NAT Policy Rule page, on the General page, type a name for the NAT rule
• Click on Original Packet
• As Source Zone select LAN, as Destination Zone select Internet, as Service select the service object you created before and as Destination Address select the public address of your outside interface. NAT rules match on the zones of the untranslated packet, so the Destination Zone is the zone of the interface that owns the public address. The Source Zone is the zone the clients arrive from: LAN matches clients testing from the inside; for remote users coming in over the Internet, add the Internet zone as well (or create a second rule)
• Select Translated Packet
• As Translation Type select Destination Address Translation, for Translated Address select your loopback adapter object and type 443 as Translated Port
• Click OK

Create a Security Policy rule

• Navigate to Policies | Security and click Add
• On the General page, type a name for your policy
• Click on Source
• Select a Source Zone and a Source Address (the zone and addresses the clients connect from, matching the NAT rule)
• Click on Destination
• Select a Destination Zone. Security policy is evaluated with the post-NAT destination zone but the pre-NAT destination address and port, so the Destination Zone is the zone of the loopback interface while the destination address stays the public address
• Click on Application
• Add the applications you need for that server
• Click on Service
• Select the service you created above (TCP-3210, the pre-NAT port, not 443)
• Click on Actions
• Select the actions that you need
• Click OK

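The NAT and security rules above are the part of this setup that most often goes wrong, because the two rulebases look at different things. The following Python model is an added example, not PAN-OS code and not the author's configuration: it treats a packet to the public address on the custom port the way the firewall does, matching the NAT rule on the pre-NAT zones, address and port, then matching the security rule on the pre-NAT address and port but the post-NAT destination zone. The zone names (Internet, LAN, VPN-Portal), the addresses and the rule names are assumptions made up for the model.

```python
# Added example, not PAN-OS code: a small model of how the firewall evaluates the
# destination NAT rule and the security rule from this guide, written to show the
# pre-NAT / post-NAT matching that trips people up.  All addresses, zone names and
# rule names are assumptions for the model, not the author's lab values.
import ipaddress
from dataclasses import dataclass

# Assumed layout: the public address sits on the outside interface (zone Internet),
# the portal is bound to loopback.1 (zone VPN-Portal) and listens on 443.
INTERFACES = [                          # (network, zone); longest prefix wins
    ("10.255.255.1/32", "VPN-Portal"),  # loopback.1, the portal address
    ("203.0.113.0/24", "Internet"),     # outside interface, owns the public address
    ("192.168.1.0/24", "LAN"),
    ("0.0.0.0/0", "Internet"),          # default route points into the Internet zone
]
PUBLIC_IP = "203.0.113.10"              # assumed address object for the public address
LOOPBACK_IP = "10.255.255.1"            # assumed address object for the loopback


def zone_for(ip: str) -> str:
    """Route-lookup stand-in: zone of the longest-prefix route that holds ip."""
    addr = ipaddress.ip_address(ip)
    routes = sorted(INTERFACES, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, reverse=True)
    for net, zone in routes:
        if addr in ipaddress.ip_network(net):
            return zone
    raise LookupError(ip)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst_ip: str
    dst_port: int        # the service object, matched on the original packet
    xlat_ip: str
    xlat_port: int


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str
    dst_ip: str
    dst_port: int
    action: str = "allow"


def apply_nat(pkt: Packet, rules):
    """NAT rules match the ORIGINAL packet: pre-NAT zones, address and port."""
    key = (zone_for(pkt.src_ip), zone_for(pkt.dst_ip), pkt.dst_ip, pkt.dst_port)
    for r in rules:
        if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port) == key:
            return r, Packet(pkt.src_ip, r.xlat_ip, r.xlat_port)
    return None, pkt                   # no translation applied


def security_lookup(original: Packet, translated: Packet, rules):
    """Security rules see the pre-NAT destination address and port, but the
    POST-NAT destination zone, i.e. the zone the translated address routes to."""
    key = (zone_for(original.src_ip), zone_for(translated.dst_ip), original.dst_ip, original.dst_port)
    for r in rules:
        if (r.from_zone, r.to_zone, r.dst_ip, r.dst_port) == key:
            return r.name, r.action
    return None, "deny"                # implicit interzone deny


def evaluate(pkt: Packet, nat_rules, sec_rules):
    """Return (NAT rule hit, security rule hit, action) for one packet."""
    nat, translated = apply_nat(pkt, nat_rules)
    sec_name, action = security_lookup(pkt, translated, sec_rules)
    return (nat.name if nat else None), sec_name, action


# The guide's NAT rule (clients in LAN) plus the one remote users need (clients in Internet).
NAT_RULES = [
    NatRule("GP-3210-from-LAN", "LAN", "Internet", PUBLIC_IP, 3210, LOOPBACK_IP, 443),
    NatRule("GP-3210-from-Internet", "Internet", "Internet", PUBLIC_IP, 3210, LOOPBACK_IP, 443),
]
# A tempting but wrong security rule (post-NAT port, pre-NAT zone) and the correct one.
WRONG_RULE = SecRule("GP-wrong", "Internet", "Internet", PUBLIC_IP, 443)
RIGHT_RULE = SecRule("GP-Portal", "Internet", "VPN-Portal", PUBLIC_IP, 3210)

if __name__ == "__main__":
    remote = Packet("198.51.100.7", PUBLIC_IP, 3210)
    print(evaluate(remote, NAT_RULES, [WRONG_RULE]))   # NAT hits, policy misses: deny
    print(evaluate(remote, NAT_RULES, [RIGHT_RULE]))   # NAT hits, policy allows
    print(evaluate(Packet("198.51.100.7", PUBLIC_IP, 443), NAT_RULES, [WRONG_RULE]))
```

Running it shows that a security rule written against the Internet zone and port 443 never matches the portal traffic, and would instead open port 443 on the public address itself, while the rule from the Internet zone to the loopback's zone on TCP-3210 does match. A client in LAN hits the LAN-sourced NAT rule but still needs a security rule of its own from the LAN zone.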
Create a group SSL VPN Users in Active Directory

• Open Active Directory Users and Computers from Administrative Tools
• Navigate to an OU, right-click and select New | Group
• On the New Object - Group dialog box, type the name of your group: GlobalProtect SSLVPN Users
• On the Members tab, add the required user accounts
• Click OK

Configure your firewall as RADIUS client on Windows Server 2012 NPS

• Open Network Policy Server from Administrative Tools
• Expand RADIUS Clients and Servers, right-click on RADIUS Clients and select New RADIUS Client
• On the New RADIUS Client dialog box, specify a friendly name, the IP address the firewall sends its RADIUS requests from (by default the management interface address) and the same shared secret you entered in the RADIUS Server Profile
• Click on Advanced, uncheck or check the required options
• Click OK

Create a Connection Request Policy on Windows Server 2012 NPS

• From the Network Policy Server console, right-click on Connection Request Policies and select New
• On the Specify Connection Request Policy Name and Connection Type page, type a name for the policy and click Next
• On the Specify Conditions page, click Add. Select NAS Port Type (Ethernet)
• On the Select condition dialog box, select Client IPv4 Address and click Add
• On the Client IPv4 Address dialog box, type the management IP address of the firewall
• Click OK and click Next
• On the Specify Connection Request Forwarding page, select Authenticate requests on this server and click Next
• On the Specify Authentication Methods page, click Next
• On the Configure Settings page, click Next
• On the Completing Connection Request Policy Wizard page, click Finish

Create a Network Policy on Windows Server 2012 NPS

• From the Network Policy Server console, right-click on Network Policies and select New
• On the Specify Network Policy Name and Connection Type page, type a name for your policy and click Next
• On the Specify Conditions page, click Add
• From the Select condition dialog box, add the Windows Groups condition with the group GlobalProtect SSLVPN Users, and click Next
• On the Specify Access Permissions page, select Access granted and click Next
• On the Configure Authentication Methods page, clear all other authentication methods, select only Unencrypted authentication (PAP, SPAP) and click Next. The firewall authenticates users with PAP, so the password travels in the RADIUS request protected only by the MD5-based hiding derived from the shared secret: keep the RADIUS traffic between firewall and NPS on a trusted network and use a long, random shared secret
• On the Configure Constraints page, click Next
• On the Configure Settings page, click Next
• On the Completing New Network Policy page, click Finish

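The PAP-only setting deserves a closer look. PAP does not send the password in the clear, but the protection RADIUS applies to it (RFC 2865, section 5.2) is only an MD5 keystream derived from the shared secret and the per-request Request Authenticator. The following Python code is an added example, not PAN-OS or NPS code: it implements that hiding, inverts it as the NPS does, and runs a dictionary attack against a captured request to show that a guessable shared secret hands an eavesdropper the user's password. The secret, password and authenticator are constructed values.

```python
# Added example, not PAN-OS or NPS code: the RFC 2865 section 5.2 User-Password
# hiding that carries a PAP password inside an Access-Request.  It shows why the
# guide's PAP-only network policy depends on the shared secret and on the RADIUS
# path being trusted: the "encryption" is an MD5 keystream built from the secret
# and the 16-byte Request Authenticator, so the secret alone recovers the password.
# Secret, password and authenticator below are constructed values.
import hashlib

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext PAP password as the User-Password attribute value."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)   # NUL-pad to a multiple of 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()      # b1 = MD5(S + RA), bi = MD5(S + c(i-1))
        c = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password; this is all a RADIUS server (or an eavesdropper
    holding the secret) has to do.  Trailing NUL padding is stripped."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def looks_like_password(candidate: bytes) -> bool:
    """Heuristic for offline guessing: a real password decrypts to printable ASCII."""
    return bool(candidate) and all(0x20 <= x < 0x7F for x in candidate)


def guess_secret(hidden: bytes, authenticator: bytes, candidates):
    """Offline dictionary attack on one captured Access-Request: the first candidate
    secret whose decryption is printable text is almost certainly the right one,
    because a wrong secret yields 16 pseudo-random bytes per block."""
    for secret in candidates:
        if looks_like_password(reveal_password(hidden, secret, authenticator)):
            return secret
    return None


# Constructed sample of what the firewall would put on the wire for one logon.
SECRET = b"correct-horse-battery-staple"     # constructed shared secret
PASSWORD = b"Winter2012!"                    # constructed user password
AUTHENTICATOR = bytes(range(16))             # constructed; a real one is random per request
HIDDEN = hide_password(PASSWORD, SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    print(HIDDEN.hex())
    print(reveal_password(HIDDEN, SECRET, AUTHENTICATOR))
    print(guess_secret(HIDDEN, AUTHENTICATOR, [b"radius", b"password", b"secret", SECRET]))
```

The Request Authenticator is sent in the same packet, so a capture of the firewall-to-NPS traffic contains everything but the secret; the secret is the only thing standing between the capture and every VPN user's domain password, which is why it must be long and random and why the RADIUS path should not cross untrusted networks.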
Install Global Protect SSLVPN Client

• Open your web browser and connect to your Global Protect Portal on the user-defined port, for example https://192.168.10.25:3210/
• On the login page, type your domain username and password and click Login
• On the GlobalProtect Portal page, select the required Agent
• On the Welcome to the GlobalProtect Setup Wizard page, click Next
• On the Select Installation Folder page, click Next
• On the Confirm Installation page, click Next
• On the Installation Complete page, click Close


Configure Global Protect SSLVPN Client

• Navigate to Start | Programs | Palo Alto Networks | GlobalProtect and launch GlobalProtect
• On the GlobalProtect page, type your domain credentials and the portal IP address and click Apply
• If authentication is successful, the status displays Connected
• On the GlobalProtect dialog, select View | Advanced to see the connection details
• On the firewall, navigate to Monitor | Logs | System to verify authentication
• On the NPS server, check the Windows Security event log: event ID 6272 is logged when NPS grants access and 6273 when it denies access, including the reason code

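As an added example for the last verification step, not part of the original guide, the following Python parses NPS events exported as Windows event XML and summarizes them per account, flagging a burst of 6273 denials, which is what a password-guessing attempt against the SSL VPN portal looks like on the NPS. Event IDs 6272 and 6273 and the Data field names follow the layout of the real events; the records themselves, the user names, the policy name and the addresses are constructed for this example.

```python
# Added example, not part of the original guide: parse NPS audit events (6272 access
# granted, 6273 access denied) exported as Windows event XML and flag accounts with a
# burst of denied VPN logons.  The records below are constructed for this example.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GRANTED, DENIED = 6272, 6273          # NPS: access granted / access denied


def _record(event_id, when, user, client_ip, reason_code="0", reason=""):
    """Build one constructed event in the layout of an exported NPS audit event."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>
  <TimeCreated SystemTime="{when}"/></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">LAB</Data>
    <Data Name="ClientIPAddress">{client_ip}</Data><Data Name="ClientName">PA-Firewall</Data>
    <Data Name="NetworkPolicyName">GlobalProtect SSLVPN</Data>
    <Data Name="ReasonCode">{reason_code}</Data><Data Name="Reason">{reason}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Pull the fields a VPN logon triage needs out of one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    when = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {
        "id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": datetime.fromisoformat(when),
        "user": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        "radius_client": data.get("ClientIPAddress", ""),   # the firewall, not the VPN user
        "reason_code": data.get("ReasonCode", ""),
        "reason": data.get("Reason", ""),
    }


def triage(events, threshold=3):
    """Summarize granted/denied per account and flag accounts with at least
    `threshold` denials; also note when a grant follows such a burst, which may
    mean a password was guessed rather than mistyped."""
    per_user = defaultdict(lambda: {"granted": 0, "denied": 0, "reasons": set(),
                                    "granted_after_denials": False})
    for ev in sorted(events, key=lambda e: e["time"]):
        u = per_user[ev["user"]]
        if ev["id"] == DENIED:
            u["denied"] += 1
            u["reasons"].add(ev["reason_code"])
        elif ev["id"] == GRANTED:
            u["granted"] += 1
            if u["denied"] >= threshold:
                u["granted_after_denials"] = True
    flagged = sorted(user for user, s in per_user.items() if s["denied"] >= threshold)
    return dict(per_user), flagged


# Constructed sample: three failures then a success for jdoe, one failure for bsmith.
MISMATCH = "Authentication failed due to a user credentials mismatch."
SAMPLE = [
    _record(DENIED, "2013-01-15T08:12:03Z", "jdoe", "192.168.1.1", "16", MISMATCH),
    _record(DENIED, "2013-01-15T08:12:09Z", "jdoe", "192.168.1.1", "16", MISMATCH),
    _record(DENIED, "2013-01-15T08:12:15Z", "jdoe", "192.168.1.1", "16", MISMATCH),
    _record(GRANTED, "2013-01-15T08:12:40Z", "jdoe", "192.168.1.1"),
    _record(DENIED, "2013-01-15T08:20:00Z", "bsmith", "192.168.1.1", "65", "Not permitted by policy."),
    _record(GRANTED, "2013-01-15T08:21:00Z", "akim", "192.168.1.1"),
]

if __name__ == "__main__":
    summary, flagged = triage([parse_event(x) for x in SAMPLE])
    for user, s in summary.items():
        print(user, s["granted"], s["denied"], sorted(s["reasons"]), s["granted_after_denials"])
    print("flagged:", flagged)
```

In a real deployment the events come from Get-WinEvent on the NPS (for example filtered on the Security log and IDs 6272 and 6273, then exported with ToXml()); the firewall's own System log on the Monitor tab shows the same logons from the other side, so the two sources can be correlated by user name and time.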