Palo Alto Networks - Clientless VPN and RDP

With the 8.0 release of the PAN-OS operating system, the ability to access applications via web portal has now been added. This is sometimes referred to as "Clientless VPN." Prior to this release, some existing Palo Alto Networks customers may have been hesitant to fully migrate away from point products like PulseSecure or Aventail because they offer pretty robust capabilities around Clientless VPN. Although this capability is still relatively new to the platform and additional features will be added over time, I thought I would highlight how one can currently leverage Clientless VPN for remote access to a desktop.

In its current state, the Palo Alto Networks client-less VPN supports access to internal applications via web browser. With the development of HTML5, this means that we can leverage tools like Apache Guacamole. In this scenario, we are going to leverage this application.

• Chase Wright has a fully scripted version of the Apache Guacamole install for Ubuntu here. Just in case his site is not accessible for some reason, here are some of the details (I would recommend viewing all details/comments on his site):
• The following will install Guacamole 0.9.11, Tomcat 8, and MySQL for you. All you have to do is pick a MySQL Root Password and change the guacamole_user password

wget https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-install.sh
chmod +x guac-install.sh
apt-get update
apt-get -y install dos2unix
dos2unix guac-install.sh
./guac-install.sh

• You will be prompted to enter passwords for mysql.
• Reboot once the install is complete.
• Once rebooted, navigate to the GUI (http://<IP address of Ubuntu machine>:8080/guacamole)
• user: guacadmin
• password: guacadmin
• Within the GUI, you can add multiple multiple users, as well as add connection types, like RDP.
• Within the firewall, we will build upon my first GlobalProtect post, by adding Clientless VPN functionality.
• Navigate to Network -> GlobalProtect -> Clientless Apps -> Add
• Enter a Name for the Clientless Application
• Enter the Application Home URL
• This is the URL of the Apache Guacamole server
• Click OK

• Navigate to Network -> GlobalProtect -> Portals -> (Select the portal) -> Clientless VPN -> General
• Enable the Clientless VPN
• Enter a Hostname
• This should be the FQDN or IP address of the GlobalProtect Portal
• Select a Security Zone
• To keep things simple in this example, I have selected the zone in which the Clientless Application resides
• Select a DNS Proxy
• For more information on how to configure DNS Proxy, see this post

• Navigate to the Applications tab and select Add.
• Enter a Name
• Select the Application that was previously created
• Click OK

• Click OK
• Commit the configuration
• You can now test remote access to the application via Clientless VPN by navigating to the FQDN/IP of the GlobalProtetct Portal (https://<FQDN or IP>/)
• Once logged in, there will be an option to select the application

• Upon selecting the application, you will be redirected to the Apache Guacamole login page, and upon logging in, you will have successfully established an RDP session through your web browser