Hello, I'm Matt from Duo Security.
In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.
This application uses RADIUS and the Duo Authentication Proxy.
Before watching this video, you should read the documentation for this configuration at duo.com/docs/paloalto.
Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.
Read about the options for that configuration at duo.com/docs/paloalto-sso.
Before setting up this Duo integration with Palo Alto, you need to have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network.
Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.
The proxy supports Windows and Linux systems.
In this video, we will use a Windows Server 2016 system.
Note that this Duo proxy server also acts as a RADIUS server.
There is no need to deploy a separate RADIUS server to use Duo.
The Palo Alto device in this video is running PAN-OS 8.0.6.
The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.
Reference the documentation for more information.
On the system you will install the Duo Authentication Proxy on, log in to the Duo Admin Panel.
In the left sidebar, navigate to Applications.
Click Protect an Application.
In the search bar, type palo alto.
Next to the entry for Palo Alto SSL VPN, click Protect this Application.
Note your integration key, secret key, and API hostname.
You will need these later during setup.
Near the top of the page, click the link to open the Duo documentation for Palo Alto.
Next, install the Duo Authentication Proxy.
In this video, we will use a 64-bit Windows Server 2016 system.
We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM.
On the documentation page, navigate to the Install the Duo Authentication Proxy section.
Click the link to download the most recent version of the proxy for Windows.
Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete setup.
After the installation completes, configure and start the proxy.
For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them.
Full descriptions of each of these elements are available in the documentation.
The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.
Run a text editor like WordPad as an administrator and open the configuration file.
By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
Since this is a completely new installation of the proxy, there will be example content in the configuration file.
Delete this content.
First, configure the proxy for your primary authenticator.
For this example, we will use Active Directory.
Add an [ad_client] section to the top of the configuration file.
Add the host parameter and enter the hostname or IP address of your domain controller.
Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.
Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.
Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit that contains all of the users you wish to permit to log in.
Additional optional variables for this section are described in the documentation.
Next, configure the proxy for your Palo Alto GlobalProtect gateway.
Create a [radius_server_auto] section below the [ad_client] section.
Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel.
Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN.
Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.
Add the client parameter and enter ad_client.
Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.
A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.
To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.
More optional variables for this [radius_server_auto] section are described in the documentation.
Save your configuration file.
Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
Next, configure your Palo Alto GlobalProtect gateway.
First, we will add the Duo RADIUS server.
Log in to the Palo Alto administrative interface.
Click the Device tab.
In the left sidebar, navigate to Server Profiles, RADIUS.
Click the Add button to add a new RADIUS server profile.
In the Name field, enter Duo RADIUS.
Increase the timeout to at least 30.
We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.
In the dropdown for authentication protocol, select PAP.
In the Servers section, click Add.
In the Name field, enter Duo RADIUS.
In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.
In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.
Leave or set the port to 1812, as that is the default used by the proxy.
If you used a different port during your Authentication Proxy setup, make sure you use that here.
Click OK to save the new RADIUS server profile.
Now add an authentication profile.
In the left sidebar, navigate to Authentication Profile.
Click the Add button.
In the Name field, enter Duo.
In the Type dropdown, select RADIUS.
In the Server Profile dropdown, select Duo RADIUS.
Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.
This is used in conjunction with the Username Modifier field.
If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.
You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.
Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked from the Duo documentation.
Click the Advanced tab and click Add.
Select the all group.
Click OK to save the authentication profile.
Next, configure your GlobalProtect gateway settings.
In the Palo Alto administrative interface, click the Network tab.
In the left sidebar, navigate to GlobalProtect, Gateways.
Select your configured GlobalProtect gateway.
Click the Authentication tab.
In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.
If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.
You will need a certificate to use with the cookie.
Click the Agent tab.
Click the Client Settings tab.
Click the name of your configuration to open it.
On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use 8 hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
Now configure your portal settings.
If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.
For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.
If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.
In the Palo Alto administrative interface, on the Network tab, navigate to GlobalProtect, Portal.
Click your configured profile.
Click the Authentication tab.
In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.
Click the Agent tab.
Click the entry for your configuration.
On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use 8 hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.
Review your changes and click Commit again.
Now finish configuring your Palo Alto device to send the client IP to Duo.
Connect to the Palo Alto device administration shell.
Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto client source IP attribute.
After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.
Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with the GlobalProtect gateway agent.
You will receive an automatic push to the Duo Mobile app on your smartphone.
Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.
Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.
Reference the documentation for more information.
You have successfully set up Duo for your Palo Alto GlobalProtect gateway.