How to Install Duo Security 2FA for Palo Alto GlobalProtect VPN (RADIUS Configuration)


Hi, I'm Matt from Duo Security.

In this video, I'm going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.

This application works using RADIUS and the Duo Authentication Proxy.

Before watching this video, you should read the documentation for this configuration at duo.com/docs/paloalto.

Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.

Read about the options for that configuration at duo.com/docs/paloalto-sso.

Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

To integrate Duo with your Palo Alto VPN, you will need to install a local proxy service on a machine within your network.

Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.

The proxy supports Windows and Linux systems.

In this video, we will use a Windows Server 2016 system.

Note that this Duo proxy server also acts as a RADIUS server.

There is no need to deploy a separate RADIUS server to use Duo.

The Palo Alto device in this video is running PAN-OS 8.0.6.

The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.

Reference the documentation for more information.

On the system you will install the Duo Authentication Proxy on, log in to the Duo Admin Panel.

In the left sidebar, navigate to Applications.

Click Protect an Application.

In the search bar, type palo alto.

Next to the entry for Palo Alto SSL VPN, click Protect this Application.

Note your integration key, secret key, and API hostname.

You will need these later during setup.

Near the top of the page, click the link to open the Duo documentation for Palo Alto.

Next, install the Duo Authentication Proxy.

In this video, we will use a 64-bit Windows Server 2016 system.

We recommend a system with at least one CPU, 200 megabytes of disk space, and four gigabytes of RAM.

On the documentation page, navigate to the Install the Duo Authentication Proxy section.

Click the link to download the most recent version of the proxy for Windows.

Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete setup.

After the installation completes, configure and start the proxy.

For the purposes of this video, we assume that you have some familiarity with the elements that make up the proxy configuration file and how to format them.

Detailed descriptions of each of these elements are available in the documentation.

The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.

Run a text editor like WordPad as an administrator and open the configuration file.

By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.

Since this is a completely new installation of the proxy, there will be example content in the configuration file.

Delete this content.

First, configure the proxy for your primary authenticator.

For this example, we will use Active Directory.

Add an [ad_client] section to the top of the configuration file.

Add the host parameter and enter the host name or IP address of your domain controller.

Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.

Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.

Finally, add the search_dn parameter and enter the LDAP distinguished name of an AD container or organizational unit that contains all of the users you wish to permit to log in.

Additional optional variables for this section are described in the documentation.

Next, configure the proxy for your Palo Alto GlobalProtect gateway.

Create a [radius_server_auto] section below the [ad_client] section.

Add the integration key, secret key, and API hostname from the Palo Alto application's properties page in the Duo Admin Panel.

Add the radius_ip_1 parameter and enter the IP address of the Palo Alto GlobalProtect VPN.

Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.

Add the client parameter and enter ad_client.

Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.

A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.

To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.

Additional optional variables for this [radius_server_auto] section are described in the documentation.

Save your configuration file.

Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
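
The two sections described above, assembled into one authproxy.cfg as an added example (not shown in the original video). Every value is a constructed placeholder, and ikey, skey and api_host are the proxy's key names for the integration key, secret key and API hostname.

```ini
; authproxy.cfg, assembled from the steps above.
; All values are placeholders (constructed); substitute your own.

[ad_client]
; Domain controller host name or IP address
host=dc01.example.internal
; Domain member account allowed to bind to AD and perform searches
service_account_username=duoservice
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
; Container or OU holding every user permitted to log in
search_dn=OU=VPN Users,DC=example,DC=internal

[radius_server_auto]
; From the Palo Alto application's properties page in the Duo Admin Panel
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=REPLACE_WITH_API_HOSTNAME
; GlobalProtect VPN address and the secret shared with it
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; Primary authentication is handled by the [ad_client] section
client=ad_client
; Read the client IP from the PaloAlto-Client-Source-IP attribute
client_ip_attr=paloalto
; Default listening port; must match the Palo Alto RADIUS server profile
port=1812
```

This file holds the service account password, the secret key and the RADIUS shared secret in clear text, so limit read access to it to administrators.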

Next, configure your Palo Alto GlobalProtect gateway.

First, we will add the Duo RADIUS server.

Log in to the Palo Alto administrative interface.

Click the Device tab.

In the left sidebar, navigate to Server Profiles, RADIUS.

Click the Add button to add a new RADIUS server profile.

In the Name field, enter Duo RADIUS.

Increase the timeout to at least 30.

We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.

In the dropdown for authentication protocol, select PAP.

In the Servers section, click Add.

In the Name field, enter Duo RADIUS.

In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.

In the Secret field, enter the RADIUS shared secret used in the authentication proxy configuration.

Leave or set the port to 1812, as that is the default used by the proxy.

If you used a different port during your Authentication Proxy setup, be sure to use that here.

Click OK to save the new RADIUS server profile.

Now add an authentication profile.

In the left sidebar, navigate to Authentication Profile.

Click the Add button.

In the Name field, enter Duo.

In the Type dropdown, select RADIUS.

In the Server Profile dropdown, select Duo RADIUS.

Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.

This is used in conjunction with the Username Modifier field.

If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.

You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.

Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked in the Duo documentation.

Click the Advanced tab and click Add.

Select the All group.

Click OK to save the authentication profile.

Next, configure your GlobalProtect gateway settings.

In the Palo Alto administrative interface, click the Network tab.

In the left sidebar, navigate to GlobalProtect, Gateways.

Select your configured GlobalProtect gateway.

Click the Authentication tab.

In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.

If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.

You will need a certificate to use with the cookie.

Click the Agent tab.

Click the Client Settings tab.

Click the name of your configuration to open it.

On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use eight hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

Now configure your portal settings.

If the GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.

For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.

If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.

In the Palo Alto administrative interface, on the Network tab, navigate to GlobalProtect, Portal.

Click on your configured profile.

Click the Authentication tab.

In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.

Click the Agent tab.

Click the entry for the configuration.

On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.

Enter a Cookie Lifetime.

In this example, we will use eight hours.

Select a certificate to use with the cookie.

Click OK and then click OK again to save your gateway settings.

To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.

Review your changes and click Commit again.

Now finish configuring your Palo Alto device to send the client IP to Duo.

Connect to the Palo Alto device administration shell.

Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.

After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.

Using a username that has been enrolled in Duo and that has activated the Duo Mobile app on a smartphone, attempt to connect to your VPN using your GlobalProtect gateway agent.

You will receive an automatic push on the Duo Mobile app on your smartphone.

Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.

Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.

Reference the documentation for more information.

You have successfully set up Duo on your Palo Alto GlobalProtect gateway.