Configure Clientless VPN

  1. Before you begin:
    • Install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Refer to Active Licenses and Subscriptions .
    • Install the GlobalProtect Clientless VPN dynamic update (see Install Content and Software Updates ).
      dynamic-updates.png
    • As a best practice, configure a separate FQDN for the GlobalProtect portal that hosts Clientless VPN. Do not use the same FQDN as the PAN-OS Web Interface.
    • Host the GlobalProtect portal on the standard SSL port (TCP port 443). Non-standard ports are not supported.
  2. Configure the applications that are available using GlobalProtect Clientless VPN. The GlobalProtect portal displays these applications on the landing page that users see when they log in (the applications landing page).
    1. Select NetworkGlobalProtectClientless Apps and Add one or more applications. For each application, specify the following:
      • Name—A descriptive name for the application (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Location (for a firewall that is in multiple virtual system mode)—the virtual system (vsys) where the Clientless VPN applications are available. For a firewall that is not in multi-vsys mode, the Location field does not appear.
      • Application Home URL—The URL where the web application is located (up to 4095 characters).
      • Application Description (Optional)—A brief description of the application (up to 255 characters).
      • Application Icon (Optional)—An icon to identify the application on the published application page. You can browse to upload the icon.
    2. Click OK.
  3. (Optional). Create groups to manage sets of web applications.
    Clientless App Groups are useful if you want to manage multiple collections of applications and provide access based on user groups. For example, financial applications for the G&A team or developer applications for the Engineering team.
    1. Select NetworkGlobalProtectClientless App Groups. Add a new Clientless VPN application group and specify the following:
      • Name—A descriptive name for the application group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Location (for a firewall that is in multiple virtual system mode)—the virtual system (vsys) where the Clientless VPN application group is available. For a firewall that is not in multi-vsys mode, the Location field does not appear.
    2. In the Applications area, Add applications to the group. You can select from the list of existing Clientless VPN applications or define a New Clientless App.
    3. Click OK.
  4. Configure the GlobalProtect portal to provide the Clientless VPN service.
    1. Select NetworkGlobalProtectPortal and select an existing portal configuration or Add a new portal. Refer to Set Up Access to the GlobalProtect Portal .
    2. In the Authentication tab, you can:
      • (Optional) Create a new client authentication specifically for Clientless VPN. In this case, choose Browser as the OS for Client Authentication.
      • Use an existing client authentication.
    3. In ClientlessGeneral, select Clientless VPN to enable the portal service and configure the following:
      • Specify a Hostname (IP address or fully-qualified domain name) for the GlobalProtect portal that hosts the applications landing page. This hostname is used for rewriting application URLs. (For more information on URL rewriting, refer to 8 ).
      If you use Network Address Translation (NAT) to provide access to the GlobalProtect portal, the IP address or FQDN you enter must match (or resolve to) the NAT IP address for the GlobalProtect portal (the public IP address). Because users cannot access the GlobalProtect portal on a custom port, the pre-NAT port must also be TCP port 443.
      • Specify a Security Zone. This zone is used as a source zone for the traffic between the firewall and the applications. Security rules defined from this zone to the application zone determine which applications can be accessed.
      • Select a DNS Proxy server or configure a New DNS Proxy. GlobalProtect will use this proxy to resolve application names. Refer to DNS Proxy Object .
      • Login Lifetime—Specify the maximum hours or minutes that a Clientless VPN session is valid. The typical session time is 3 hours. The range for hours is 1-24; the range for minutes is 60-1440. After the session expires, users must re-authenticate and start a new Clientless VPN session.
      • Inactivity Timeout—Specify the number of hours or minutes that a Clientless VPN session can remain idle. The typical inactivity timeout is 30 minutes. The range for hours is 1-24; the range for minutes is 5 to 1440. If there is no user activity during the specified amount of time, users must re-authenticate and start a new Clientless VPN session.
      • Max User—Specify the maximum number of users who can be logged into the portal at the same time. If no value is specified, then endpoint capacity is assumed. If the endpoint capacity is unknown, then a capacity of 50 users is assumed. When the maximum number of users is reached, additional Clientless VPN users cannot log in to the portal.
  5. Map users and user groups to applications.
    This mapping controls which applications users or user groups can launch from a GlobalProtect Clientless VPN session.
    The GlobalProtect portal uses the user/user group settings that you specify to determine which configuration to deliver to the GlobalProtect Clientless VPN user that connects. If you have multiple configurations, make sure they are ordered properly and map to all of the required applications, as the portal looks for a configuration match starting from the top of the list. As soon as the portal finds a match, it delivers the configuration to the GlobalProtect Clientless VPN user.
    clientless_app_mapping.png
    Publishing an application to a user/user group or allowing them to launch unpublished applications does not imply that they can access those applications. Controlling access to applications (published or not) is done using security policies.
    You must configure group mapping (DeviceUser IdentificationGroup Mapping Settings) before you can select the groups.
    1. In the Applications tab, Add an Applications to User Mapping to match users with published applications.
      • Name—Enter a name for the mapping (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      • Display application URL address bar—Select this option to display an application URL address bar from which users can launch applications that are not published on the applications landing page. When enabled, users can click the Application URL link on the page and specify a URL.
    2. Specify the Source Users. You can Add individual users or user groups to which the current application configuration applies. These users have permission to launch the configured applications using a GlobalProtect Clientless VPN. In addition to users and groups, you can specify when these settings apply to the users or groups:
      • any—The application configuration applies to all users (no need to Add users or user groups).
      • select—The application configuration applies only to users and user groups you Add to this list.
    3. Add individual applications or application groups to the mapping. The Source Users you included in the configuration can use GlobalProtect Clientless VPN to link to the applications you add.
  6. Specify the security settings for a Clientless VPN session.
    1. In the Crypto Settings tab, specify the authentication and encryption algorithms for the SSL sessions between the firewall and the published applications.
      • Protocol Versions—Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2.
      • Key Exchange Algorithms—Select the supported algorithm types for key exchange. Choices are: RSA, Diffie-Hellman (DHE), or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).
      • Encryption Algorithms—Select the supported encryption algorithms. AES128 or higher is recommended.
      • Authentication Algorithms—Select the supported authentication algorithms. Choices are: MD5, SHA1, SHA256, or SHA384. SHA256 or higher is recommended.
    2. Select the action to take when the following issues occur with a server certificate presented by an application:
      • Block sessions with expired certificate—If the server certificate has expired, block access to the application.
      • Block sessions with untrusted issuers—If the server certificate is issued from an untrusted certificate authority, block access to the application.
      • Block sessions with unknown certificate status—If the OCSP or CRL service returns a certificate revocation status of unknown, block access to the application.
      • Block sessions on certificate status check timeout—If the certificate status check times out before receiving a response from any certificate status service, block access to the application.
  7. (Optional) Specify one or more proxy server configurations to access the applications.
    Only basic authentication to the proxy is supported (username and password).
    If users need to reach the applications through a proxy server, specify a Proxy Server. You can add multiple proxy server configurations, one for each set of domains.
    • Name—A label (up to 31 characters) to identify the proxy server configuration. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    • Domains—Add the domains served by the proxy server. You can use a wild card character (*) at the beginning of the domain name to indicate multiple domains.
    • Use Proxy—Select to assign a proxy server to provide access to the domains.
    • Server—Specify the IP address or host name of the proxy server.
    • Port—Specify a port for communication with the proxy server.
    • User and Password—Specify the User and Password credentials needed to log in to the proxy server. Specify the password again for verification.
  8. (Optional) Specify any special treatment for application domains.
    The Clientless VPN acts as a reverse proxy and modifies web pages returned by the published web applications. It rewrites all URLs and presents a rewritten page to remote users such that when they access any of those URLs, the requests go through GlobalProtect portal.
    In some cases, the application may have pages that do not need to be accessed through the portal (for example, the application may include a stock ticker from yahoo.finance.com). You can exclude these pages.
    In the Advanced Settings tab, Add domain names, host names, or IP addresses to the Rewrite Exclude Domain List. These domains are excluded from rewrite rules and cannot be rewritten.
    Paths are not supported in host and domain names. The wildcard character (*) for host names and domain names can only appear at the beginning of the name (for example, *.etrade.com).
  9. Save the portal configuration.
    1. Click OK twice.
    2. Commit your changes.
  10. Configure a Security policy rule to enable users to access the published applications.
    You need security policies for the following:
    • Make the GlobalProtect portal that hosts Clientless VPN reachable from the Internet. This is traffic from Untrust or Internet Zone to the zone where you host the Clientless VPN portal.
    • Allow Clientless VPN users to reach the Internet. This is traffic from the Clientless VPN zone to the Untrust or Internet Zone.
      clientless-vpn-zones.png
    • Allow Clientless VPN users to reach corporate resources. This is traffic from the Clientless VPN zone to the Trust or Corp Zone. The security policies you define control which users have permission to use each published application. For the security zone where the published application servers are hosted, make sure Enable User Identification is set in order to create user-based rules for accessing published applications.
      By default Service/URL in Security Policy Rule is set application-default. Clientless VPN will not work for HTTPS sites with this default setting. Change Service/URL to include both service-http and service-https.
      security-policy-serviceURL.png
    • When you configure a proxy server to access Clientless VPN applications, make sure you include the proxy IP address and port in the security policy definition. When applications are accessed through a proxy server, only security policies defined for the proxy IP address and port are applied.
The source IP address of Clientless VPN traffic (as seen by the application) will either be the IP address of the egress interface through which the portal can reach the application or the translated IP address when source NAT is in use.

Related Documentation