Configure the GlobalProtect Portal for LSVPN
The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:
Prerequisite Tasks
Before configuring the GlobalProtect portal, you must complete the following tasks:
Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue server certificates for the GlobalProtect satellites.
Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
Configure GlobalProtect Gateways for LSVPN.
Configure the Portal
After you have completed the Prerequisite Tasks, configure the GlobalProtect portal as follows:
Configure the Portal for LSVPN
Add the portal. Select Network > GlobalProtect > Portals and click Add. On the General tab, enter a Name for the portal. The portal name must not contain any spaces. (Optional) Select the virtual system to which this portal belongs from the Location field.
Specify the network information to enable satellites to connect to the portal. If you haven’t yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions. Select the Interface that satellites will use for ingress access to the portal. Select the IP Address for satellite access to the portal.
Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal. If you haven’t yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components. On the GlobalProtect Portal Configuration dialog, select Authentication. Select the SSL/TLS Service Profile.
Specify an authentication profile and optional certificate profile for authenticating satellites. The portal first tries to identify a connecting satellite by its serial number; if it can't validate the serial number, it falls back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile. Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.
Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration. Click OK to save the portal configuration or continue to Define the Satellite Configurations.
Define the Satellite Configurations
When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations—for example if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway—you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.
Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration
Add a satellite configuration. The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration. Select Network > GlobalProtect > Portals, select the portal configuration for which you want to add a satellite configuration, and then select the Satellite tab. In the Satellite section, click Add and enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them. To change how often a satellite checks the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).
Specify the satellites to which to deploy this configuration. The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it delivers that configuration and evaluates no further entries, so more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations. Specify the match criteria for the satellite configuration as follows: To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it is added automatically when the satellite connects). Repeat this step for each satellite you want to receive this configuration. Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or a group member). Before you can restrict the configuration to specific groups, you must Map Users to Groups.
Specify the gateways that satellites with this configuration can establish VPN tunnels with. Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10x the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway. On the Gateways tab, click Add. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate; if the certificate was issued to an FQDN, enter that FQDN here rather than the interface IP address, and vice versa, or the satellite will reject the gateway certificate. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.
Save the satellite configuration. Click OK to save the satellite configuration. If you want to add another satellite configuration, repeat the previous steps.
Arrange the satellite configurations so that the proper configuration is deployed to each satellite. To move a satellite configuration up on the list of configurations, select the configuration and click Move Up. To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.
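The matching, ordering and route-metric rules in the preceding steps are easy to get wrong in a long list of configurations. The following Python model is an added example, not Palo Alto Networks code and not something the firewall runs: it reproduces the top-down first-match selection over the Devices and Enrollment User/User Group criteria, flags configurations that can never be delivered because an earlier entry shadows them, and computes the static routes a matched satellite installs (metric = 10 x routing priority). The serial numbers, users, groups, gateway names, addresses and prefixes are constructed sample data, and the model assumes that a configuration with no Devices and no Enrollment User/User Group entries applies to every successfully authenticated satellite.

```python
"""Model of GlobalProtect LSVPN satellite-configuration selection.

Added example, not Palo Alto Networks code. Selection is applied after the
satellite has already authenticated; authentication itself is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    address: str            # FQDN or IP; must equal the CN of the gateway server certificate
    routing_priority: int   # 1-25, lower is preferred
    published_routes: tuple # prefixes the gateway publishes to the satellite

    def metric(self) -> int:
        """Static-route metric installed on the satellite: 10 x routing priority."""
        if not 1 <= self.routing_priority <= 25:
            raise ValueError(f"{self.name}: routing priority must be 1-25")
        return 10 * self.routing_priority


@dataclass(frozen=True)
class SatelliteConfig:
    name: str
    serials: frozenset = frozenset()     # Devices tab
    principals: frozenset = frozenset()  # Enrollment User/User Group tab (users or groups)
    gateways: tuple = ()

    def is_catch_all(self) -> bool:
        # Model assumption: no Devices and no Enrollment entries = matches every authenticated satellite.
        return not self.serials and not self.principals

    def matches(self, serial, user=None, groups=frozenset()) -> bool:
        if self.is_catch_all() or serial in self.serials:
            return True
        # No serial match: the satellite must have authenticated as a listed user or group member.
        return user is not None and (user in self.principals or bool(self.principals & groups))


def select_config(configs, serial, user=None, groups=frozenset()):
    """Top-down first match, like security rule evaluation; None if nothing matches."""
    for cfg in configs:
        if cfg.matches(serial, user, groups):
            return cfg
    return None


def unreachable_configs(configs):
    """Names of configurations an earlier entry fully shadows (never delivered)."""
    shadowed, seen_serials, catch_all_seen = [], set(), False
    for cfg in configs:
        serial_only_and_claimed = bool(cfg.serials) and cfg.serials <= seen_serials and not cfg.principals
        if catch_all_seen or serial_only_and_claimed:
            shadowed.append(cfg.name)
        catch_all_seen = catch_all_seen or cfg.is_catch_all()
        seen_serials |= cfg.serials
    return shadowed


def static_routes(cfg):
    """Every published route from every gateway, as (prefix, gateway, metric)."""
    return sorted((p, gw.name, gw.metric()) for gw in cfg.gateways for p in gw.published_routes)


def preferred_gateway(cfg):
    """Per prefix, the gateway whose static route has the lowest metric."""
    best = {}
    for prefix, name, metric in static_routes(cfg):
        if prefix not in best or metric < best[prefix][1]:
            best[prefix] = (name, metric)
    return best


def tied_routes(cfg):
    """Prefixes published by several gateways with equal metric: give them distinct routing priorities."""
    metrics = {}
    for prefix, _name, metric in static_routes(cfg):
        metrics.setdefault(prefix, []).append(metric)
    return sorted(p for p, ms in metrics.items() if len(ms) != len(set(ms)))


# Constructed sample data (hostnames, serials, groups and prefixes are made up).
GW_PERIMETER = Gateway("gw-perimeter", "gw1.example.com", 1, ("10.10.0.0/16",))
GW_PERIMETER_BACKUP = Gateway("gw-perimeter-backup", "gw2.example.com", 10, ("10.10.0.0/16",))
GW_DATACENTER = Gateway("gw-datacenter", "gw3.example.com", 1, ("10.20.0.0/16",))

CFG_DATACENTER = SatelliteConfig("datacenter-site", serials=frozenset({"0123456789AB"}),
                                 gateways=(GW_DATACENTER,))
CFG_BRANCHES = SatelliteConfig("branch-offices", principals=frozenset({"branch-satellites"}),
                               gateways=(GW_PERIMETER, GW_PERIMETER_BACKUP))
CFG_DEFAULT = SatelliteConfig("default", gateways=(GW_PERIMETER,))

GOOD_ORDER = (CFG_DATACENTER, CFG_BRANCHES, CFG_DEFAULT)  # specific before general
BAD_ORDER = (CFG_DEFAULT, CFG_DATACENTER, CFG_BRANCHES)   # catch-all first shadows the rest

if __name__ == "__main__":
    print("datacenter satellite, good order:", select_config(GOOD_ORDER, "0123456789AB").name)
    print("datacenter satellite, bad order: ", select_config(BAD_ORDER, "0123456789AB").name)
    print("unreachable in bad order:", unreachable_configs(BAD_ORDER))
    print("branch static routes:", static_routes(CFG_BRANCHES))
    print("branch preferred gateway:", preferred_gateway(CFG_BRANCHES))
```

Run as a script to see that the datacenter satellite receives the default configuration when the catch-all entry is first, and that the branch configuration installs 10.10.0.0/16 twice, with metric 10 via gw-perimeter and 100 via gw-perimeter-backup, so the primary gateway wins while it is reachable. Before committing, run the equivalent of unreachable_configs and tied_routes against your own list: a shadowed entry silently delivers the wrong gateways, and a tie in metrics leaves the choice between primary and backup to the satellite's routing table rather than to you.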
Specify the certificates required to enable satellites to participate in the LSVPN. In the Trusted Root CA field, click Add and then select the CA certificate used to issue the gateway server certificates. The portal deploys the root CA certificate you add here to all satellites as part of the configuration to enable the satellite to establish an SSL connection with the gateways. As a best practice, all of your gateways should use the same issuer; a gateway whose certificate chains to a CA that is not in this list will not be trusted by the satellites. Select the method of Client Certificate distribution: To store the client certificates on the portal, select Local and, from the Issuing Certificate drop-down, select the Root CA certificate that the portal will use to issue client certificates to satellites upon successfully authenticating them. If the root CA certificate used to issue your gateway server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect LSVPN Components for details on how to import a root CA certificate. To enable the portal to act as a SCEP client to dynamically request and issue client certificates, select SCEP and then select the SCEP profile used to generate CSRs to your SCEP server. If you have not yet set up the portal to act as a SCEP client, you can add a New SCEP profile now. See Deploy Client Certificates to the GlobalProtect Satellites Using SCEP for details.
Save the portal configuration. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog. Commit your changes.