Hi, I'm Matt from Duo Security.
In this video, I am going to show you how to protect your Palo Alto GlobalProtect VPN gateway with Duo two-factor authentication.
This application uses RADIUS and the Duo Authentication Proxy.
Before watching this video, be sure to read the documentation for this configuration at duo.com/docs/paloalto.
Note that in addition to this RADIUS-based configuration, you can also protect Palo Alto SSO logins with Duo.
Read about the options for that configuration at duo.com/docs/paloalto-sso.
Before setting up this Duo integration with Palo Alto, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
To integrate Duo with your Palo Alto VPN, you must install a local proxy service on a machine within your network.
Before proceeding, you should locate or set up a system on which you will install the Duo Authentication Proxy.
The proxy supports Windows and Linux systems.
In this video, we will use a Windows Server 2016 system.
Note that this Duo proxy server also acts as a RADIUS server.
There is no need to deploy a separate RADIUS server to use Duo.
The Palo Alto device in this video is running PAN-OS 8.0.6.
The instructions for installing Duo protection via RADIUS on devices running older versions of PAN-OS differ slightly from what is shown in this video.
Reference the documentation for more information.
On the system you are going to install the Duo Authentication Proxy on, log in to the Duo Admin Panel.
In the left sidebar, navigate to Applications.
Click Protect an Application.
In the search bar, type palo alto.
Next to the entry for Palo Alto SSL VPN, click Protect this Application.
Note your integration key, secret key, and API hostname.
You will need these later during setup.
Near the top of the page, click the link to open the Duo documentation for Palo Alto.
Next, install the Duo Authentication Proxy.
In this video, we will use a 64-bit Windows Server 2016 system.
We recommend a system with at least 1 CPU, 200 MB of disk space, and 4 GB of RAM.
On the documentation page, navigate to the Install the Duo Authentication Proxy section.
Click the link to download the most recent version of the proxy for Windows.
Launch the installer on the server as a user with administrator rights and follow the on-screen prompts to complete installation.
After the installation completes, configure and start the proxy.
For the purposes of this video, we assume you have some familiarity with the elements that make up the proxy configuration file and how to format them.
Detailed descriptions of each of these elements are available in the documentation.
The Duo Authentication Proxy configuration file is named authproxy.cfg and is located in the conf subdirectory of the proxy installation.
Run a text editor like WordPad as an administrator and open the configuration file.
By default, the file is located in C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
Since this is a completely new installation of the proxy, there will be example content in the configuration file.
Delete this content.
First, configure the proxy for your primary authenticator.
For this example, we will use Active Directory.
Add an [ad_client] section to the top of the configuration file.
Add the host parameter and enter the hostname or IP address of your domain controller.
Then add the service_account_username parameter and enter the username of a domain member account that has permission to bind to your AD and perform searches.
Next, add the service_account_password parameter and enter the password that corresponds to the username entered above.
Finally, add the search_dn parameter and enter the LDAP distinguished name of the AD container or organizational unit containing all of the users you wish to permit to log in.
Additional optional variables for this section are described in the documentation.
Next, configure the proxy for your Palo Alto GlobalProtect gateway.
Create a [radius_server_auto] section below the [ad_client] section.
Add the integration key, secret key, and API hostname from your Palo Alto application's properties page in the Duo Admin Panel.
Add the radius_ip_1 parameter and enter the IP address of your Palo Alto GlobalProtect VPN.
Below that, add the radius_secret_1 parameter and enter a secret to be shared between the proxy and your VPN.
Add the client parameter and enter ad_client.
Palo Alto does not send the client IP address using the standard RADIUS attribute Calling-Station-ID.
A new RADIUS attribute containing the client IP address, PaloAlto-Client-Source-IP, was introduced in PAN-OS version 7.
To send the PaloAlto-Client-Source-IP attribute to Duo, add the client_ip_attr parameter and enter paloalto.
Additional optional variables for this [radius_server_auto] section are described in the documentation.
Save your configuration file.
Open an administrator command prompt and run net start DuoAuthProxy to start the proxy service.
Next, configure your Palo Alto GlobalProtect gateway.
First, we will add the Duo RADIUS server.
Log in to the Palo Alto administrative interface.
Click the Device tab.
In the left sidebar, navigate to Server Profiles, RADIUS.
Click the Add button to add a new RADIUS server profile.
In the Name field, enter Duo RADIUS.
Increase the timeout to at least 30.
We recommend using 60 if you are using push or phone authentication, so we will use 60 in this example.
In the dropdown for authentication protocol, select PAP.
In the Servers section, click Add.
In the Name field, enter Duo RADIUS.
In the RADIUS Server field, enter the hostname or IP address of your Duo Authentication Proxy.
In the Secret field, enter the RADIUS shared secret used in the Authentication Proxy configuration.
Leave or set the port to 1812, as that is the default used by the proxy.
If you used a different port during your Authentication Proxy setup, be sure to use that here.
Click OK to save the new RADIUS server profile.
Now add an authentication profile.
In the left sidebar, navigate to Authentication Profile.
Click the Add button.
In the Name field, enter Duo.
In the Type dropdown, select RADIUS.
In the Server Profile dropdown, select Duo RADIUS.
Depending on how your users log in to GlobalProtect, you may need to enter your authentication domain name in the User Domain field.
This is used in conjunction with the Username Modifier field.
If the Username Modifier is left blank or is set to %USERINPUT%, then the user's input is unmodified.
You can prepend or append the value of %USERDOMAIN% to preconfigure the username input.
Learn more about both of these items in the GlobalProtect documentation hosted on Palo Alto's website, which is linked from the Duo documentation.
Click the Advanced tab and click Add.
Select the All group.
Click OK to save the authentication profile.
Next, configure your GlobalProtect gateway settings.
In the Palo Alto administrative interface, click the Network tab.
In the left sidebar, navigate to GlobalProtect, Gateways.
Select your configured GlobalProtect gateway.
Click the Authentication tab.
In the entry for your Client Authentication, in the Authentication Profile dropdown, select the Duo authentication profile you created earlier.
If you are not using authentication override cookies on your GlobalProtect gateway, you may want to enable them to minimize Duo authentication requests at client reconnection during one gateway session.
You will need a certificate to use with the cookie.
Click the Agent tab.
Click the Client Settings tab.
Click the name of your configuration to open it.
On the Authentication Override tab, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use 8 hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
Now configure your portal settings.
If your GlobalProtect portal is configured for Duo two-factor authentication, users may have to authenticate twice when connecting to the GlobalProtect gateway agent.
For the best user experience, Duo recommends leaving your GlobalProtect portal set to use LDAP or Kerberos authentication.
If you do add Duo to your GlobalProtect portal, we also recommend that you enable cookies for authentication override on your portal to avoid multiple Duo prompts for authentication when connecting.
In the Palo Alto administrative interface, on the Network tab, navigate to GlobalProtect, Portal.
Click your configured profile.
Click the Authentication tab.
In the entry for your client authentication, in the Authentication Profile dropdown, select the Duo authentication profile you configured earlier.
Click the Agent tab.
Click the entry for your configuration.
On the Authentication tab, in the Authentication Override section, check the boxes to generate and accept cookies for authentication override.
Enter a Cookie Lifetime.
In this example, we will use 8 hours.
Select a certificate to use with the cookie.
Click OK and then click OK again to save your gateway settings.
To make your changes take effect, click the Commit button in the upper-right corner of the Palo Alto administrative interface.
Review your changes and click Commit again.
Now finish configuring your Palo Alto device to send the client IP to Duo.
Connect to the Palo Alto device administration shell.
Using the command from step one of the client IP reporting section of the Duo for Palo Alto documentation, enable sending the PaloAlto-Client-Source-IP client IP attribute.
After installing and configuring Duo for your Palo Alto GlobalProtect VPN, test your setup.
Using a username that has been enrolled in Duo and that has activated the Duo Mobile app on a smartphone, attempt to connect to your VPN with your GlobalProtect gateway agent.
You will receive an automatic push in the Duo Mobile app on your smartphone.
Open the notification, check the contextual information to confirm the login is legitimate, approve it, and you are logged in.
Note that you can also append a form factor to the end of your password when logging in to use a passcode or manually select a two-factor authentication method.
Reference the documentation for more information.
You have successfully set up Duo for your Palo Alto GlobalProtect gateway.