Create a Service Connection to Enable Access between Mobile Users and Remote Networks

We recommend always creating a service connection, even if your mobile users do not need to access resources at your organization’s HQ or data center, because a service connection is required for network communication between mobile users and remote network locations, and between mobile users in different geographical locations.
We recommend creating this type of service connection for the following environments:
  • Your deployment includes both remote networks and mobile users and you do not already have a service connection configured.
  • You have mobile users in different geographical areas who need direct access to each other’s endpoints.
  • You have already configured a service connection, but the existing service connection is not in an ideal location between the remote networks and mobile users.
    All remote network locations communicate with each other in a mesh network. Mobile users reach remote networks through the service connection in a hub-and-spoke network, so every flow between a mobile user and a remote network transits the service connection. In some cases, it improves network efficiency to place another service connection closer to the remote network or networks that the mobile users most frequently access.
The following example shows a GlobalProtect cloud service deployment with mobile users in different geographical areas and remote networks. The remote network connections are connected in a mesh network in the GlobalProtect cloud service infrastructure, but the mobile users cannot connect to the remote networks. In addition, the mobile users in different geographic areas cannot connect to each other without a service connection.
[Figure: remote networks meshed in the GlobalProtect cloud service infrastructure, with mobile users unable to reach them before a service connection is added (remote-networks-mobile-users-before-svc-connections.png)]
After you add a service connection, the service connection connects the mobile users and the remote networks in a hub-and-spoke network.
[Figure: mobile users and remote networks joined in a hub-and-spoke network after the service connection is added (remote-networks-mobile-users-after-svc-connections.png)]
Another case where a service connection of this type is useful is when the existing service connection is far from the mobile users, so that their traffic to the remote networks takes a long detour through it. The following figure shows an example of this network deployment.
[Figure: deployment with a single service connection located far from the mobile users (remote-networks-mobile-users-2nd-svc-connection-before.png)]
Adding a second service connection that is closer to the mobile users creates a more efficient network between the mobile users and remote networks.
[Figure: deployment after adding a second service connection closer to the mobile users (remote-networks-mobile-users-2nd-svc-connection-after.png)]

Add a Service Connection To Enable Access Between Mobile Users and Remote Networks

To configure a service connection to connect mobile users and remote networks, Set Up Access to Your Corporate Network and Add a service connection using the following values:
  • Specify a Region that is close to your mobile users.
  • Add an IPSec Tunnel and IKE Gateway, using placeholder values.
  • Add placeholder Corporate Subnets.
    Because the GlobalProtect cloud service does not route any traffic through this tunnel, the placeholder values are never used to carry traffic. Any Corporate Subnet value that does not conflict or overlap with other configured subnets (for example, the remote network subnets or the infrastructure subnet) is valid; an overlapping value would create a routing conflict even though the tunnel itself carries nothing.
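The one value in this procedure that can actually break something is the placeholder Corporate Subnet, which must not overlap anything else already configured. The following script, added here as an example and not part of the Palo Alto Networks documentation or product, checks candidate placeholder subnets against a constructed inventory of subnets that a deployment might already use (remote network subnets, the infrastructure subnet and the mobile user IP pool; these values and names are assumptions for illustration) and picks the first candidate that overlaps nothing. It uses Python's standard `ipaddress` module, so it runs offline.

```python
"""Pick a placeholder Corporate Subnet that overlaps no existing subnet.

Added example, not Palo Alto Networks code. All subnet values below are
constructed for illustration and are not taken from the documentation page.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed inventory of subnets a deployment might already use. The names
# and prefixes are assumptions made for this example.
EXISTING_SUBNETS: Dict[str, str] = {
    "remote-network-branch-1": "10.10.0.0/16",
    "remote-network-branch-2": "10.20.0.0/16",
    "infrastructure-subnet": "172.16.55.0/24",
    "mobile-user-ip-pool": "10.200.0.0/16",
}

# Candidate placeholders. The RFC 5737 documentation ranges are used here only
# because they are unlikely to collide with real addressing; choosing them is
# this example's decision, not a recommendation from the page.
CANDIDATES: List[str] = ["10.10.0.0/24", "192.0.2.0/24", "198.51.100.0/24"]


def find_overlaps(candidate: str, existing: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, cidr) pairs from `existing` that overlap `candidate`.

    strict=False normalizes a value with host bits set (10.10.1.5/16) instead
    of rejecting it. `overlaps` is true for any shared address, so subset and
    superset relationships are reported as conflicts, not just equal prefixes.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    hits: List[Tuple[str, str]] = []
    for name, cidr in existing.items():
        net = ipaddress.ip_network(cidr, strict=False)
        # Mixed IPv4/IPv6 can never overlap; skip them explicitly for clarity.
        if cand.version == net.version and cand.overlaps(net):
            hits.append((name, cidr))
    return hits


def choose_placeholder(candidates: Iterable[str], existing: Dict[str, str]) -> str:
    """Return the first candidate that overlaps nothing in `existing`.

    Raises ValueError when every candidate collides, so an automation script
    fails loudly rather than committing an overlapping subnet.
    """
    for cidr in candidates:
        if not find_overlaps(cidr, existing):
            return cidr
    raise ValueError("every candidate placeholder overlaps an existing subnet")


if __name__ == "__main__":
    for cidr in CANDIDATES:
        hits = find_overlaps(cidr, EXISTING_SUBNETS)
        status = (
            "OVERLAP with " + ", ".join(f"{n} ({c})" for n, c in hits)
            if hits
            else "ok"
        )
        print(f"{cidr:18} {status}")
    print("placeholder to use:", choose_placeholder(CANDIDATES, EXISTING_SUBNETS))
```

Run it before committing the service connection: the first candidate collides with the constructed branch-1 subnet and is reported as an overlap, and the script selects 192.0.2.0/24. Replace the inventory with the subnets actually configured in your deployment.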
