How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)

Thursday, April 9, 2020, 22:28


 

Hello, I'm Matt from Duo Security.

In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication. This application uses RADIUS and the Duo Authentication Proxy. Before watching this video, be sure to read the documentation for this configuration at duo.com/docs/paloalto. Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo. Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network. Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy. The proxy supports Windows and Linux systems. In this video, we will use a Windows Server 2016 system. Note that this Duo proxy server also acts as a RADIUS server. There is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6. The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video. Reference the documentation for more information.

On the system you are going to install the Duo Authentication Proxy on, log in to your Duo Admin Panel. In the left sidebar, navigate to Applications. Click Protect an Application. In the search bar, type palo alto. Next to the entry for Palo Alto SSL VPN, click Protect this Application. Note your integration key, secret key, and API hostname. You will need these later during setup. Near the top of the page, click the link to open the Duo documentation for Palo Alto.

Next, install the Duo Authentication Proxy. In this video, we will use a 64-bit Windows Server 2016 system. We recommend a system with at least one CPU, 200 megabytes of disk space, and 4 gigabytes of RAM. On the documentation page, navigate to the Install the Duo Authentication Proxy section. Click the link to download the most recent version of the proxy for Windows. Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.

After the installation completes, configure and start the proxy. For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them. Comprehensive descriptions of each of these elements are available in the documentation. The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation. Run a text editor like WordPad as an administrator and open the configuration file. By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf. Since this is a completely new installation of the proxy, there will be example content in the configuration file. Delete this content.

First, configure the proxy for your primary authenticator. For this example, we will use Active Directory. Add an [ad_client] section to the top of the configuration file. Add the host parameter and enter the hostname or IP address of the domain controller. Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches. Next, add the service_account_password parameter and enter the password that corresponds to the username entered above. Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit that contains all of the users you wish to permit to log in. Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway. Create a [radius_server_auto] section below the [ad_client] section. Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel. Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN. Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN. Add the client parameter and enter ad_client.

Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-Id. A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7. To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto. Additional optional variables for this [radius_server_auto] section are described in the documentation.

Save your configuration file. Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.

Next, configure your Palo Alto GlobalProtect gateway. First, we will add the Duo RADIUS server. Log in to the Palo Alto administrative interface. Click the Device tab. In the left sidebar, navigate to Server Profiles, RADIUS. Click the Add button to add a new RADIUS server profile. In the Name field, enter Duo RADIUS. Increase the timeout to at least 30. We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example. In the dropdown for authentication protocol, select PAP. In the Servers section, click Add. In the Name field, enter Duo RADIUS. In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy. In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration. Leave or set the port to 1812, as that is the default used by the proxy. If you used a different port during your Authentication Proxy configuration, be sure to use that here. Click OK to save the new RADIUS server profile.

Now add an authentication profile. In the left sidebar, navigate to Authentication Profile. Click the Add button. In the Name field, enter Duo. In the Type dropdown, select RADIUS. In the Server Profile dropdown, select Duo RADIUS. Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field. This is used in conjunction with the Username Modifier field. If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified. You can prepend or append the value of %USERDOMAIN% to preconfigure the username input. Learn more about each of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation. Click the Advanced tab and click Add. Select the All group. Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings. In the Palo Alto administrative interface, click the Network tab. In the left sidebar, navigate to GlobalProtect, Gateways. Select your configured GlobalProtect gateway. Click the Authentication tab. In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.

If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session. You will need a certificate to use with the cookie. Click the Agent tab. Click the Client Settings tab. Click the name of your configuration to open it. On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use eight hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

Now configure your portal settings. If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent. For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication. If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.

In the Palo Alto administrative interface, from the Network tab, navigate to GlobalProtect, Portal. Click your configured profile. Click the Authentication tab. In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier. Click the Agent tab. Click the entry for your configuration. On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override. Enter a Cookie Lifetime. In this example, we will use 8 hours. Select a certificate to use with the cookie. Click OK and then click OK again to save your gateway settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface. Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo. Connect to the Palo Alto device administration shell. Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto client source IP client IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup. Using a username that has been enrolled in Duo and that has activated the Duo Mobile application on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent. You will receive an automatic push on the Duo Mobile application on your smartphone. Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in. Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method. Reference the documentation for more information.

You have successfully set up Duo on your Palo Alto GlobalProtect gateway.


 
