Palo Alto Networks Knowledgebase: How to Configure the NCP Secure Entry Client for Windows to Connect to a GlobalProtect Gateway
Created On 02/07/19 23:35 PM - Last Updated 02/07/19 23:36 PM
The NCP Secure Entry Client is an IPsec-compliant third-party application that can be used to establish a connection to a GlobalProtect Gateway using either a PSK or certificates with XAUTH. Versions are currently available for Windows, Mac OS X, and Android operating systems. The instructions below pertain to the Windows client and assume that the GlobalProtect Gateway has already been configured on the Palo Alto Networks firewall. Otherwise, refer to How to Configure GlobalProtect.
1. Open the NCP Secure Entry Client and go to Configuration > Profiles.
2. Click the Add / Import button.
3. Choose the Connection Type. Select Link to Corporate Network Using IPsec.
4. Choose the Profile Name. Enter an alphanumeric name for the connection profile.
5. Choose the Communication Medium. Select the proper Communication Media depending on how the client connects to the internet. The two most common options are LAN (over IP) for Ethernet and Wi-Fi for wireless connections. If automatic media detection is selected, the NCP client selects the connection media on its own.
6. Set the VPN Gateway Parameters. Gateway (Tunnel Endpoint): the DNS name or IP address of the GlobalProtect Gateway configured on the Palo Alto Networks firewall. Check the Extended Authentication (XAUTH) box. Enter a User ID and Password that can be authenticated by the Palo Alto Networks firewall.
Note: The gateway address 126.96.36.199 is not active and used only as an example.
7. IPsec Configuration.
Exchange Mode: for PSK authentication, select aggressive mode (IKEv1); for certificate authentication, select main mode (IKEv1).
PFS Group: none.
The PSK configuration is shown above.
Local Identity (IKE), for PSK authentication: Type: select Free string used to identify groups. ID: enter the Group Name configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall.
Local Identity (IKE), for certificate authentication: Type: select ASN1 Distinguished Name. ID: leave this field blank.
Pre-shared Key (required for PSK authentication only): Shared Secret: enter the Group Password configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall.
The configuration for PSK authentication is shown below.
GlobalProtect Gateway Client Configuration (7.0.1 firmware). The settings for PSK authentication are highlighted. When using certificates, the highlighted fields should be left blank. The configuration for certificate authentication is shown below.
8. Configure the IP Addresses. IP Address Assignment: select IKE Config Mode. Do not modify the DNS Server or WINS Server fields.
9. Set up the Firewall. Select the desired Stateful Inspection setting and click the Finish button. If using PSK authentication, the configuration is complete and you should be able to connect to the GlobalProtect Gateway.
If you are using certificate authentication, continue with the instructions below.
10. Export the root certificate from Device > Certificate Management > Certificates on the Palo Alto Networks firewall, in the Binary Encoded Certificate (DER) format. Note: This step and the next one are not necessary if an external CA is used, but the root certificate must still be DER encoded and the client certificate must be in the PKCS#12 format.
11. Export the client certificate from the same location in the Encrypted Private Key and Certificate (PKCS12) format. The NCP client will prompt for the Passphrase before connecting to the VPN.
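The two format requirements in the export steps (DER-encoded root certificate, PKCS#12 client bundle) are easy to get wrong when the files come from an external CA rather than from the firewall export dialog. The following pre-flight checker is an added example, not part of the original article and not NCP or Palo Alto Networks code. It uses only the Python standard library: a minimal DER tag-length-value reader distinguishes a DER X.509 certificate (outer SEQUENCE whose first element is the tbsCertificate SEQUENCE) from a PKCS#12 PFX (outer SEQUENCE whose first element is INTEGER version 3), and a PEM-wrapped file is detected and can be unwrapped to DER. The sample inputs at the bottom are constructed byte strings with the same outer ASN.1 shape as real files; they are not real certificates, and the function names are this example's own.

```python
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_bytes, end_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: no tag/length")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        if pos + n > len(buf):
            raise ValueError("truncated DER: short length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value exceeds buffer")
    return tag, buf[pos:end], end


def der_len(n):
    """Encode a DER length (used only to build the constructed sample data)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_sequence(*children):
    """Wrap already-encoded children in a DER SEQUENCE (constructed sample data only)."""
    body = b"".join(children)
    return b"\x30" + der_len(len(body)) + body


def pem_to_der(data):
    """Return (label, der_bytes) for the first PEM block in data, e.g. ('CERTIFICATE', ...)."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))


def classify(data):
    """Return 'x509-der', 'pkcs12', 'pem:<LABEL>' or 'unknown' for a file's bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        label, _ = pem_to_der(data)
        return "pem:" + label
    try:
        tag, body, end = read_tlv(data)
        if tag != 0x30 or end != len(data):  # must be exactly one outer SEQUENCE
            return "unknown"
        inner_tag, inner_val, _ = read_tlv(body)
    except ValueError:
        return "unknown"
    if inner_tag == 0x02 and inner_val == b"\x03":  # PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }
        return "pkcs12"
    if inner_tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "x509-der"
    return "unknown"


def check_exports(root_cert, client_cert):
    """Apply the article's two requirements; return a list of problems (empty when both files pass)."""
    problems = []
    root_kind = classify(root_cert)
    if root_kind != "x509-der":
        problems.append(f"root certificate is {root_kind}, expected DER-encoded X.509")
    client_kind = classify(client_cert)
    if client_kind != "pkcs12":
        problems.append(f"client certificate is {client_kind}, expected PKCS#12")
    return problems


# Constructed stand-ins with the outer ASN.1 shape of the real files; not real certificates.
FAKE_TBS = der_sequence(b"\x02\x01\x02")                      # SEQUENCE { INTEGER 2 } in place of tbsCertificate
SAMPLE_ROOT_DER = der_sequence(FAKE_TBS, b"\x05\x00")          # looks like Certificate ::= SEQUENCE { SEQUENCE, ... }
SAMPLE_ROOT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_ROOT_DER)
                   + b"-----END CERTIFICATE-----\n")          # same root, PEM-wrapped (the wrong format for NCP)
SAMPLE_CLIENT_P12 = der_sequence(b"\x02\x01\x03", der_sequence(b"\x04\x00"))  # PFX ::= SEQUENCE { INTEGER 3, ... }

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python check_exports.py root.cer client.p12
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            found = check_exports(f.read(), g.read())
    else:
        found = check_exports(SAMPLE_ROOT_PEM, SAMPLE_CLIENT_P12)
    print("\n".join(found) if found else "both files are in the format the NCP client expects")
```

Run it with the two exported files as arguments before copying them into the NCP directories; without arguments it runs against the constructed samples and reports that the PEM-wrapped root certificate needs to be re-exported (or unwrapped with `pem_to_der`) as DER. The check inspects only the outer structure of each file, so it cannot tell a valid certificate from a well-formed but wrong one; it catches the encoding mismatch, which is the failure the article's note is about.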
12. In the NCP client, go to Configuration > Certificates.
13. Click the Add button.
14. User Certificate Name: enter a name for the certificate configuration. Certificate: select from PKCS#12 file. PKCS#12 Filename: browse to the client certificate exported from the Palo Alto Networks firewall. (optional) Check the PIN Request at each Connection box if you want the user to enter the client certificate Passphrase before every connection attempt. Click the OK button.
15. In the NCP client, go to Configuration > Profiles, select the previously configured profile, and click the Edit button.
16. Profile Settings
In the left menu, select Identities.
Certificate Configuration: select the certificate configuration you created earlier.
Click the OK button.
17. Move the exported root certificate into the NCP > SecureClient > CaCerts directory. The default installation path is C:\Program Files (x86)\NCP\SecureClient\CaCerts.
You should now be able to use the NCP client to connect to the GlobalProtect Gateway using certificates and XAUTH.