How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)


Hi, I am Matt from Duo Security.

In this video, I'm going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.

This application uses RADIUS along with the Duo Authentication Proxy.

Before watching this video, be sure to read the documentation for this configuration at duo.com/docs/paloalto.

Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.

Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before starting this Duo integration with Palo Alto, you need to have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network.

Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.

The proxy supports Windows and Linux systems.

In this video, we will use a Windows Server 2016 system.

Note that this Duo proxy server also acts as a RADIUS server.

There is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6.

The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.

Reference the documentation for more information.

On the system you will install the Duo Authentication Proxy on, log in to the Duo Admin Panel.

In the left sidebar, navigate to Applications.

Click Protect an Application.

In the search bar, type palo alto.

Next to the entry for Palo Alto SSL VPN, click Protect this Application.

Note your integration key, secret key, and API hostname.

You will need these later during setup.

Near the top of the page, click the link to open the Duo documentation for Palo Alto.

Next, install the Duo Authentication Proxy.

In this video, we will use a 64-bit Windows Server 2016 system.

We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM.

On the documentation page, navigate to the Install the Duo Authentication Proxy section.

Click the link to download the most recent version of the proxy for Windows.

Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy.

For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them.

Comprehensive descriptions of each of these elements are available in the documentation.

The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.

Run a text editor like WordPad as an administrator and open the configuration file.

By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.

Since this is a completely new install of the proxy, there will be example content in the configuration file.

Delete this content.

First, configure the proxy for your primary authenticator.

For this example, we will use Active Directory.

Add an [ad_client] section to the top of the configuration file.

Add the host parameter and enter the hostname or IP address of your domain controller.

Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.

Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.

Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit containing all of the users you wish to permit to log in.

Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway.

Create a [radius_server_auto] section below the [ad_client] section.

Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel.

Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN.

Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.

Add the client parameter and enter ad_client.

Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.

A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.

To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.

Additional optional variables for this [radius_server_auto] section are described in the documentation.

Save your configuration file.

Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway.

First, we will add the Duo RADIUS server.

Log in to the Palo Alto administrative interface.

Click the Device tab.

In the left sidebar, navigate to Server Profiles, RADIUS.

Click the Add button to add a new RADIUS server profile.

In the Name field, enter Duo RADIUS.

Increase the timeout to at least 30.

We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.

In the dropdown for authentication protocol, select PAP.

In the Servers section, click Add.

In the Name field, enter Duo RADIUS.

In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.

In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.

Leave or set the port to 1812, as that is the default used by the proxy.

If you used a different port during your Authentication Proxy setup, be sure to use that here.

Click OK to save the new RADIUS server profile.

Now add an authentication profile.

In the left sidebar, navigate to Authentication Profile.

Click the Add button.

In the Name field, enter Duo.

In the Type dropdown, select RADIUS.

In the Server Profile dropdown, select Duo RADIUS.

Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.

This is used in conjunction with the Username Modifier field.

If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.

You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.

Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation.

Click the Advanced tab and click Add.

Select the All group.

Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings.

In the Palo Alto administrative interface, click the Network tab.

In the left sidebar, navigate to GlobalProtect, Gateways.

Select your configured GlobalProtect gateway.

Click the Authentication tab.

In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.

If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.

You may need a certificate to use with the cookie.

Click the Agent tab.

Click the Client Settings tab.

Click the name of your configuration to open it.

On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use eight hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

Now configure your portal settings.

If your GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.

For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.

If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.

In the Palo Alto administrative interface, on the Network tab, navigate to GlobalProtect, Portal.

Click on your configured profile.

Click the Authentication tab.

In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.

Click the Agent tab.

Click the entry for your configuration.

On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use 8 hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.

Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo.

Connect to the Palo Alto device administration shell.

Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.

Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent.

You might get an automatic push in the Duo Mobile application on your smartphone.

Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.

Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.

Reference the documentation for more information.

You have successfully set up Duo for your Palo Alto GlobalProtect gateway.