Wednesday, March 22, 2017

Palo Alto Networks - Clientless VPN and RDP

With the 8.0 release of the PAN-OS operating system, the ability to access applications via web portal has now been added. This is sometimes referred to as "Clientless VPN." Prior to this release, some existing Palo Alto Networks customers may have been hesitant to fully migrate away from point products like PulseSecure or Aventail because they offer pretty robust capabilities around Clientless VPN. Although this capability is still relatively new to the platform and additional features will be added over time, I thought I would highlight how one can currently leverage Clientless VPN for remote access to a desktop.

In its current state, the Palo Alto Networks Clientless VPN supports access to internal web applications through the browser. Because Apache Guacamole renders remote desktop sessions as an HTML5 web application, it can be published through the Clientless VPN, and that is the application we will use in this scenario.
  • Chase Wright has a fully scripted version of the Apache Guacamole install for Ubuntu here. Just in case his site is not accessible for some reason, here are some of the details (I would recommend viewing all details/comments on his site):
    • The following will install Guacamole 0.9.11, Tomcat 8, and MySQL for you. All you have to do is pick a MySQL root password and change the guacamole_user password.
    wget https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-install.sh
    chmod +x guac-install.sh
    apt-get update
    apt-get -y install dos2unix
    dos2unix guac-install.sh
    ./guac-install.sh
    • You will be prompted to enter passwords for MySQL.
    • Reboot once the install is complete.
    • Once rebooted, navigate to the GUI (http://<IP address of Ubuntu machine>:8080/guacamole)
      • user: guacadmin
      • password: guacadmin
    • Within the GUI, you can add multiple users, as well as add connection types, like RDP.
  • Within the firewall, we will build upon my first GlobalProtect post, by adding Clientless VPN functionality.
    • Navigate to Network -> GlobalProtect -> Clientless Apps -> Add
      • Enter a Name for the Clientless Application
      • Enter the Application Home URL
        • This is the URL of the Apache Guacamole server
      • Click OK
    • Navigate to Network -> GlobalProtect -> Portals -> (Select the portal) -> Clientless VPN -> General
      • Enable the Clientless VPN
      • Enter a Hostname
        • This should be the FQDN or IP address of the GlobalProtect Portal
      • Select a Security Zone
        • To keep things simple in this example, I have selected the zone in which the Clientless Application resides
      • Select a DNS Proxy
        • For more information on how to configure DNS Proxy, see this post
    • Navigate to the Applications tab and select Add.
      • Enter a Name
      • Select the Application that was previously created
      • Click OK
    • Click OK
    • Commit the configuration
  • You can now test remote access to the application via Clientless VPN by navigating to the FQDN/IP of the GlobalProtect Portal (https://<FQDN or IP>/)
  • Once logged in, there will be an option to select the application
  • Upon selecting the application, you will be redirected to the Apache Guacamole login page, and upon logging in, you will have successfully established an RDP session through your web browser
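The Guacamole install above leaves the default guacadmin/guacadmin administrator account in place, and once the application is published through the Clientless VPN that login page is the first thing a remote user sees. The following is an added example (not from the original post or from the Guacamole project) of a post-install check that confirms the default credential has actually been changed. It assumes the server is reachable at a base URL such as http://<IP>:8080/guacamole and that Guacamole's token endpoint (POST /api/tokens with form fields username and password) answers 200 with an authToken on success and 403 on bad credentials, as Guacamole 0.9.x does; the hostname in the usage line is a placeholder.

```python
"""Post-install hardening check for an Apache Guacamole server.

Added example, not code from the original post or the Guacamole project.
Assumptions (not from the post): Guacamole's token endpoint is
POST <base_url>/api/tokens with form fields 'username' and 'password',
returning HTTP 200 + JSON containing 'authToken' on success and
HTTP 403 on invalid credentials.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Default administrator account created by the Guacamole install.
DEFAULT_USER = "guacadmin"
DEFAULT_PASSWORD = "guacadmin"


def http_post_form(url, fields):
    """POST form-encoded fields; return (status, body). 4xx is returned, not raised."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def try_login(base_url, username, password, post=http_post_form):
    """Return True only if Guacamole issues an auth token for these credentials."""
    status, body = post(base_url.rstrip("/") + "/api/tokens",
                        {"username": username, "password": password})
    if status != 200:
        return False
    try:
        return "authToken" in json.loads(body)
    except ValueError:
        # 200 with a non-JSON body is not a successful login.
        return False


def default_credentials_rejected(base_url, post=http_post_form):
    """True when the shipped guacadmin/guacadmin credential no longer works."""
    return not try_login(base_url, DEFAULT_USER, DEFAULT_PASSWORD, post)


def audit(base_url, post=http_post_form):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    if not default_credentials_rejected(base_url, post):
        findings.append("default guacadmin/guacadmin credential still accepted")
    return findings


if __name__ == "__main__":
    # Usage: python guac_check.py http://guac.example.internal:8080/guacamole
    target = sys.argv[1] if len(sys.argv) > 1 else "http://guac.example.internal:8080/guacamole"
    problems = audit(target)
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("OK: default Guacamole credential is rejected")
    sys.exit(1 if problems else 0)
```

The `post` parameter exists so the logic can be exercised against a fake HTTP layer; in production it defaults to a real request. Run it against the Guacamole server after changing the guacadmin password and before enabling the Clientless App on the portal, since the portal turns that login page into an internet-facing one.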



5 comments:

  1. I really appreciate the information shared above. It's of great help. If someone wants to learn online (virtual) instructor-led live training in TECHNOLOGY, kindly contact us http://www.maxmunus.com/contact
    MaxMunus offers world-class virtual instructor-led training on TECHNOLOGY. We have industry expert trainers. We provide training material and software support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us.
    Sangita Mohanty
    MaxMunus
    E-mail: sangita@maxmunus.com
    Skype id: training_maxmunus
    Ph:(0) 9738075708 / 080 - 41103383
    http://www.maxmunus.com/

  2. VPN protects all your information by preventing any third parties from seeing your location or your traffic's nature. When you are connected with a USA VPN IP, it keeps the ISPs from performing any deep packet inspection or inspecting your traffic's nature. John

  3. All of them have plans to have networks of their own in this era of internet boom. Intranets have been around for a while now and they are available for use by the employees of a particular company. Why use VPN

  4. If you want to buy a VPN service, you will get a 30-day free trial; you can get a discount only after using promo codes, which offer discounts of up to 20%.

  5. I have recently purchased a VPN Premium service and used promo codes that gave me a 20% discount. If you want to buy a VPN Premium service, you can visit this website and get coupon codes to get a discount.
