Hi, I am Matt from Duo Security.
In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.
This application makes use of RADIUS along with the Duo Authentication Proxy.
Before watching this video, please read the documentation for this configuration at duo.com/docs/paloalto.
Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.
Read about the options for that configuration at duo.com/docs/paloalto-sso.
Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network.
Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.
The proxy supports Windows and Linux systems.
In this video, we will use a Windows Server 2016 system.
Note that this Duo proxy server also acts as a RADIUS server.
There is no need to deploy a separate RADIUS server to use Duo.
The Palo Alto device in this video is running PAN-OS 8.0.6.
The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.
Reference the documentation for more information.
On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel.
In the left sidebar, navigate to Applications.
Click Protect an Application.
In the search bar, type palo alto.
Next to the entry for Palo Alto SSL VPN, click Protect this Application.
Note your integration key, secret key, and API hostname.
You will need these later during setup.
Near the top of the page, click the link to open the Duo documentation for Palo Alto.
Next, install the Duo Authentication Proxy.
In this video, we will use a 64-bit Windows Server 2016 system.
We recommend a system with at least one CPU, 200 megabytes of disk space, and four gigabytes of RAM.
On the documentation page, navigate to the Install the Duo Authentication Proxy section.
Click the link to download the most recent version of the proxy for Windows.
Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.
After the installation completes, configure and start the proxy.
For the purposes of this video, we assume you have some familiarity with the elements that make up the proxy configuration file and how to format them.
Comprehensive descriptions of each of these elements are available in the documentation.
The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.
Run a text editor like WordPad as an administrator and open the configuration file.
By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
Because this is a completely new installation of the proxy, there will be example content in the configuration file.
Delete this content.
First, configure the proxy for your primary authenticator.
For this example, we willuse Active Directory.
Add an [ad_client] section to the top of the configuration file.
Add the host parameter and enter the hostname or IP address of your domain controller.
Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.
Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.
Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in.
Additional optional variables for this section are described in the documentation.
Next, configure the proxy for your Palo Alto GlobalProtect gateway.
Create a [radius_server_auto] section below the [ad_client] section.
Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel.
Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN.
Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.
Add the client parameter and enter ad_client.
Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.
A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.
To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.
Additional optional variables for this [radius_server_auto] section are described in the documentation.
Save your configuration file.
Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
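The authproxy.cfg that results from the steps above, written out as an added example (it is not shown in the video or taken from Duo's documentation). The ikey, skey and api_host parameter names are the Authentication Proxy's names for the integration key, secret key and API hostname; every hostname, account name, address and secret below is a constructed placeholder.

```ini
; authproxy.cfg - example layout for Palo Alto GlobalProtect over RADIUS.
; All values are constructed placeholders; substitute your own.

[ad_client]
; Domain controller used for primary (password) authentication.
host=dc01.example.com
; Domain member account allowed to bind to AD and perform searches.
service_account_username=duo-proxy-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
; Container or OU holding every user permitted to log in.
search_dn=OU=VPN Users,DC=example,DC=com

[radius_server_auto]
; From the Palo Alto SSL VPN application page in the Duo Admin Panel.
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=REPLACE_WITH_API_HOSTNAME
; IP address of the GlobalProtect VPN that sends RADIUS requests.
radius_ip_1=192.0.2.10
; Shared secret; the same value goes in the Secret field of the
; Palo Alto RADIUS server profile.
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SHARED_SECRET
; Use the [ad_client] section above for primary authentication.
client=ad_client
; Read the client IP from PaloAlto-Client-Source-IP instead of
; Calling-Station-ID.
client_ip_attr=paloalto
```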
Next, configure your Palo Alto GlobalProtect gateway.
First, we will add the Duo RADIUS server.
Log in to your Palo Alto administrative interface.
Click the Device tab.
In the left sidebar, navigate to Server Profiles, RADIUS.
Click the Add button to add a new RADIUS server profile.
In the Name field, enter Duo RADIUS.
Increase the timeout to at least 30.
We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.
In the dropdown for authentication protocol, select PAP.
In the Servers section, click Add.
In the Name field, enter Duo RADIUS.
In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.
In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.
Leave or set the port to 1812, as that is the default used by the proxy.
If you used a different port during your Authentication Proxy setup, be sure to use that here.
Click OK to save the new RADIUS server profile.
Now add an authentication profile.
In the left sidebar, navigate to Authentication Profile.
Click the Add button.
In the Name field, enter Duo.
In the Type dropdown, select RADIUS.
In the Server Profile dropdown, select Duo RADIUS.
Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.
This is used in conjunction with the Username Modifier field.
If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.
You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.
Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's site, which is linked from the Duo documentation.
Click the Advanced tab and click Add.
Select the All group.
Click OK to save the authentication profile.
Next, configure your GlobalProtect gateway settings.
In the Palo Alto administrative interface, click the Network tab.
In the left sidebar, navigate to GlobalProtect, Gateways.
Select your configured GlobalProtect gateway.
Click the Authentication tab.
In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.
If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.
You will need a certificate to use with the cookie.
Click the Agent tab.
Click the Client Options tab.
Click the name of your configuration to open it.
On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use eight hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
Now configure your portal settings.
If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.
For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.
If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.
In the Palo Alto administrative interface, on the Network tab, navigate to GlobalProtect, Portal.
Click your configured profile.
Click the Authentication tab.
In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.
Click on the Agent tab.
Click the entry for your configuration.
On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use eight hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.
Review your changes and click Commit again.
Now finish configuring your Palo Alto device to send the client IP to Duo.
Connect to the Palo Alto device administration shell.
Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.
After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.
Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent.
You will receive an automatic push on the Duo Mobile app on your smartphone.
Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.
Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.
Reference the documentation for more information.
You have successfully set up Duo for your Palo Alto GlobalProtect gateway.