Palo Alto Networks Knowledgebase: How to Configure the NCP Secure Entry Client for Windows to Connect to a GlobalProtect Gateway

Created On 02/07/19 23:35 PM - Last Updated 02/07/19 23:36 PM

Overview

The NCP Secure Entry Client is an IPsec-compliant third-party application that can be used to establish a connection to a GlobalProtect Gateway using either a PSK or certificates with XAUTH. Versions are currently available for Windows, Mac OS X, and Android operating systems. The instructions below pertain to the Windows client and assume that the GlobalProtect Gateway has already been configured on the Palo Alto Networks firewall. Otherwise, refer to How to Configure GlobalProtect.

 

Steps

  1. Open the NCP Secure Entry Client and go to Configuration > Profiles.
  2. Click the Add / Import button.
  3. Choose the Connection Type.
    Select Link to Corporate Network Using IPsec.
  4. Choose the Profile Name. Enter an alphanumeric name for the connection profile.
  5. Choose the Communication Medium. Select the proper Communication Media depending on how the client connects to the internet. The two most common options are LAN (over IP) for Ethernet and Wi-Fi for wireless connections. The NCP client will automatically select the connection media if automatic media detection is selected.
  6. Set the VPN Gateway Parameters.
    Gateway (Tunnel Endpoint): the DNS name or IP address of the GlobalProtect Gateway configured on the Palo Alto Networks firewall.
    Check the Extended Authentication (XAUTH) box. Enter a User ID and Password that can be authenticated by the Palo Alto Networks firewall.
    Note: The gateway address 1.1.1.1 is not active and is used only as an example.
  7. IPsec Configuration.
    Exchange Mode: for PSK authentication, select aggressive mode (IKEv1). For certificate authentication, select main mode (IKEv1).
    PFS Group: none
 
PSK configuration is shown above. For certificate authentication, select main mode (IKEv1).
  8. Pre-shared Key
    Local Identity (IKE):
      For PSK authentication:
        Type: select Free string used to identify groups.
        ID: enter the Group Name configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall.
      For certificate authentication:
        Type: select ASN1 Distinguished Name.
        ID: leave this field blank.
    Pre-shared Key (required for PSK authentication only):
      Shared Secret: enter the Group Password configured under Network > GlobalProtect Gateways > Client Configuration on the Palo Alto Networks firewall. The configuration for PSK authentication is shown below.

GlobalProtect Gateway Client Configuration (7.0.1 firmware). Settings for PSK authentication are highlighted. When using certificates, the highlighted fields should be left blank. Here is the configuration for certificate authentication.

  9. Configure the IP Addresses
    IP Address Assignment: select IKE Config Mode.
    Don't modify the DNS Server or WINS Server fields.
  10. Set up the Firewall. Select the desired Stateful Inspection setting and click the Finish button.
    If using PSK authentication, the configuration is complete and you should be able to connect to the GlobalProtect Gateway.
If you are using certificate authentication, continue with the instructions below.
  11. Export the root and client certificate from Device > Certificate Management > Certificates on the Palo Alto Networks firewall.
    Note: This step is not necessary if an external CA is used, but the root certificate must be DER encoded and the client certificate must be in the PKCS#12 format.
    Export the root certificate in the Binary Encoded Certificate (DER) format.
    Export the client certificate in the Encrypted Private Key and Certificate (PKCS12) format. The NCP client will prompt for the Passphrase before connecting to the VPN.
  12. In the NCP client, go to Configuration > Certificates.
  13. Click the Add button.
  14. User Certificate
    Name: enter a name for the certificate configuration.
    Certificate: select from PKCS#12 file.
    PKCS#12 Filename: browse to the client certificate exported from the Palo Alto Networks firewall.
    (optional) Check the PIN Request at each Connection box if you want the user to enter the client certificate Passphrase before every connection attempt.
    Click the OK button.

15. In the NCP client, go to Configuration > Profiles, select the previously configured profile, and click the Edit button.

16. Profile Settings
  1. In the left menu, select Identities.
  2. Certificate Configuration: select the certificate configuration you created earlier.
  3. Click the OK button.


17. Move the exported root certificate into the NCP > SecureClient > CaCerts directory. The default installation path is C:\Program Files (x86)\NCP\SecureClient\CaCerts.


You should now be able to use the NCP client to connect to the GlobalProtect Gateway using certificates and XAUTH.
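
The certificate requirements above (root certificate DER encoded, client certificate in PKCS#12 with its private key, root placed in CaCerts) can be checked from PowerShell before the first connection attempt. This is an added example, not part of the original article or of any NCP or Palo Alto Networks tooling; it needs PowerShell 5.0 or later, the two input file paths are assumed names, and it assumes the client certificate was issued under the exported root.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. The two input paths are assumed names; CaCerts is the default path from step 17.
$RootCer   = 'C:\Temp\gp-root-ca.cer'   # root certificate exported from the firewall (assumed path)
$ClientP12 = 'C:\Temp\gp-client.p12'    # client certificate exported from the firewall (assumed path)
$CaCerts   = 'C:\Program Files (x86)\NCP\SecureClient\CaCerts'

# DER is raw ASN.1 and begins with a SEQUENCE tag (0x30); a Base64 (PEM) export begins with "-----BEGIN".
if ([System.IO.File]::ReadAllBytes($RootCer)[0] -ne 0x30) {
    throw 'Root certificate is not DER encoded; re-export it as Binary Encoded Certificate (DER).'
}
$root = [X509Certificate2]::new($RootCer)
$bc   = $root.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "'$($root.Subject)' is not marked as a CA certificate."
}

# Opening the PKCS#12 file fails on a wrong passphrase or on a file in another format.
$pass   = Read-Host -AsSecureString 'PKCS#12 passphrase'
$client = [X509Certificate2]::new($ClientP12, $pass)
if (-not $client.HasPrivateKey)      { throw 'PKCS#12 file contains no private key.' }
if ($client.NotAfter -lt (Get-Date)) { throw "Client certificate expired on $($client.NotAfter)." }

# Assumption: the client certificate was issued under the exported root.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
[void]$chain.ChainPolicy.ExtraStore.Add($root)
[void]$chain.Build($client)   # result ignored: the root need not be trusted by Windows
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    Write-Warning 'Client certificate does not chain to the exported root.'
}

# Writing under Program Files requires an elevated PowerShell session.
# Copy rather than move so the original export stays in place.
Copy-Item -Path $RootCer -Destination $CaCerts
Write-Output "Copied root CA $($root.Thumbprint) to $CaCerts"
$client.Reset()   # release the key material loaded from the PKCS#12 file
```

The DER check catches the most common export mistake, choosing the Base64 (PEM) format for the root certificate, before the file reaches the CaCerts directory.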

