Globalprotect Mac App Store

What is it and why do I need it?

A Virtual Private Network (VPN) service creates a secure connection (“tunnel”) between your device and the campus network and is used when you need to access restricted networked resources from off campus. At Princeton, GlobalProtect is one of two VPN services that you can use to access protected resources remotely and is soon to become the primary VPN service for its reliability and ease of use. The instructions on this page are specific to the GlobalProtect service.

Note: OIT will continue to support the legacy SonicWall Secure Remote Access (SRA) service. However, OIT is not encouraging new installations of SRA.

Agent

Accessing protected applications through the web

Open the Mac App Store and search for the Microsoft Remote Desktop app. Download and install the Microsoft Remote Desktop app, then launch it from your Mac’s Applications folder. After launching the remote desktop application, you are presented with an empty list of remote connections.

  1. Download and install the GlobalProtect app from the Google Play Store.
  2. Enter the portal address vpn.princeton.edu and tap Connect.
  3. Enter your NetID and password.
  4. Wait for Duo to send a request to your default device and approve the Duo request.
  5. Tap OK on the Connection request pop-up.

Install on iOS devices: Search for.

The easiest way to access protected applications is through the GlobalProtect Portal on the web. For this, all you need is a web browser. Some Princeton applications available through this portal are:

  • Prime Portal (PeopleSoft Financials)
  • Information Warehouse (Cognos)
  • OnBase
  • Stripes

To access any of these applications:

  1. Visit the GlobalProtect web portal.
  2. Enter your Princeton NetID, your password, and click Log in.
  3. The system will send a Duo request to your default device. Approve the Duo request.
  4. The GlobalProtect portal page displays with 'tiles' for the set of protected applications accessible through the portal. Click the tile for the application you want to access.

  5. GlobalProtect makes a secure connection to the application and opens the application.

Important! Not all protected services are available through the web portal. If you know the application you are trying to reach remotely is a restricted service, and yet it is not listed in the portal, you will need to install GlobalProtect software on your device to access it remotely (described in the next section).

Created On 09/25/18 20:36 PM - Last Updated 06/08/20 23:27 PM

Symptom
When connecting GlobalProtect to the Palo Alto Networks firewall, the agent connects to the portal successfully but gives a certificate error when it tries to connect to the gateway. Older versions of the agent connect without issue.
Environment
  • PAN-OS
  • GlobalProtect

Cause

This issue might be caused by a new check that was introduced in GlobalProtect version 4 and later. The validation check makes sure that the gateway address configured in the GlobalProtect portal matches the CN of the certificate that the gateway is configured to use. This check was not implemented in older versions, so this issue was not encountered.

Note: When the gateway address is a FQDN and this FQDN is in the certificate, GlobalProtect Agent v4 and up produces the certificate error until the PTR record is created in DNS.


Resolution
  1. Determine which certificate the gateway is configured to use under its SSL/TLS service profile and write it down.
  2. Go to Device > Certificate Management > Certificates and write down the CN of the certificate identified in Step 1.
  3. Adjust the address of the gateway in the GlobalProtect portal client configuration to the CN that was copied in Step 2.
  4. Commit the changes and try to reconnect with the agent.

Additional Information

Note:


If the gateway certificate includes a hostname (dnsname) in the Subject Alternative Name (SAN) attribute, it should also match the Common Name of the certificate as indicated in the article above.

Important! Before making this change, make sure the DNS servers that are used on the firewall are able to resolve the 'GlobalProtect Portal' hostname to a public IP address and that there is also a PTR record to resolve the IP address back to the hostname. If it resolves to an internal IP address, this will make the portal inaccessible from the external interface.
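
The checks described in this article can be run before committing the change. The following is an added example, not code from Palo Alto Networks or the GlobalProtect agent: it compares a configured address with the certificate CN and SAN, then verifies forward and PTR resolution for that hostname. It takes the certificate as the dict that Python's `ssl.SSLSocket.getpeercert()` returns; the hostname `gp-gw.example.com`, the function names, and treating RFC 1918 space as "internal" are assumptions of the example.

```python
import ipaddress
import socket

# "Internal" here means RFC 1918 space (an assumption of this example).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subject": ((("commonName", "gp-gw.example.com"),),),
               "subjectAltName": (("DNS", "gp-gw.example.com"),)}


def cert_names(cert):
    """Return (CN, [SAN DNS names]) from a getpeercert()-style dict."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn
          if k == "commonName"]
    san = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (cn[-1].lower() if cn else None), san


def check_gateway(address, cert, resolve=socket.gethostbyname,
                  reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of findings; an empty list means every check passed."""
    addr = address.strip().rstrip(".").lower()
    cn, san = cert_names(cert)
    if cn is None:
        return ["certificate has no Common Name"]
    findings = []
    if addr != cn:
        findings.append(f"configured address {addr} != certificate CN {cn}")
    if san and cn not in san:
        findings.append(f"SAN DNS names {san} do not include CN {cn}")
    try:
        ipaddress.ip_address(addr)
        return findings          # address is an IP literal: no DNS checks
    except ValueError:
        pass
    try:
        ip = resolve(addr)
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"{addr} resolves to internal address {ip}")
        ptr = reverse(ip).rstrip(".").lower()
        if ptr != addr:
            findings.append(f"PTR for {ip} is {ptr}, expected {addr}")
    except OSError as exc:       # gaierror/herror: no A or no PTR record
        findings.append(f"DNS check failed for {addr}: {exc}")
    return findings
```

The `resolve` and `reverse` parameters default to the system resolver; run the check from a host that uses the same DNS servers as the firewall so the results reflect what the firewall will see.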


