
GlobalProtect Configuration for Apple iOS Devices

Tech Note
PAN-OS 4.1

Revision C ©2012, Palo Alto Networks, Inc.


CONTENTS
OVERVIEW
PREREQUISITES
GLOBALPROTECT GATEWAY SETUP
    CERTIFICATE CREATION
    GLOBALPROTECT GATEWAY CONFIGURATION
APPLE IOS SETUP
    EXPORTING AND IMPORTING CERTIFICATES
    CREATING A VPN PROFILE
APPLE IPHONE CONFIGURATION UTILITY
    OBTAINING THE UTILITY
    CREATING A CONFIGURATION PROFILE
    DISTRIBUTING THE CONFIGURATION PROFILE
PRE-SHARED SECRET AUTHENTICATION
    CONFIGURING A PRE-SHARED SECRET ON THE GLOBALPROTECT GATEWAY
    CONFIGURING A PRE-SHARED SECRET ON THE IOS DEVICE
    CONFIGURING A PRE-SHARED SECRET IN THE APPLE IPHONE CONFIGURATION UTILITY
DISTRIBUTING CONFIGURATION PROFILES USING MDM SOFTWARE
    MOBILEIRON
    ZENPRISE
REVISION HISTORY



Overview
In its original design, IKE only addressed authentication of the two IPSec peers, either through a pre-shared symmetric key or through a private/public key pair, in which case the public key needed to be exchanged between the two devices before a secure tunnel could be established. Nothing in that exchange identifies the person using the device.
Extended Authentication (X-Auth) adds user authentication to the IKE handshake between an IPSec client and a gateway: once the initial key exchange of phase 1 has authenticated the devices, the gateway asks the client for user credentials. This method is supported by a variety of IPSec VPN clients, including the built-in VPN client of Apple iOS devices such as the iPhone and iPad.
In this tech note, we describe the steps needed to configure an existing GlobalProtect Portal/Gateway environment so that Apple iOS devices can establish VPN connectivity using the built-in iOS IPSec client. Three methods of IKE phase 1 authentication are discussed: a self-signed certificate created in PAN-OS, a certificate issued by a root Certificate Authority (CA), and a pre-shared secret.

Prerequisites
• GlobalProtect Gateway
Support for X-Auth is introduced in PAN-OS 4.1 as a feature of GlobalProtect Gateway and
doesn’t require any specific license to be activated.
• Apple iOS
Supported Apple iOS device running iOS 4.3 and later.

GlobalProtect Gateway Setup


This section describes how to set up the GlobalProtect Gateway and Apple iOS for certificate-based authentication in IKE phase 1, followed by user-based authentication (X-Auth). The benefit of this setup is that the device is authenticated before the user is: you can use certificates created in the PAN-OS management UI to reliably identify corporate devices, or certificates issued by an external certificate authority to authenticate individual devices in the enterprise, before authenticating the user.

Certificate Creation
To set up certificate-based IKE phase 1 authentication, you need to create three certificates, either in the PAN-OS management UI or in an external certificate authority.

• Root Certificate Authority


Every Public Key Infrastructure requires a central source of its trust, which in an X.509
world is usually referred to as the Root Certificate Authority.
Like every product leveraging certificate-based authentication, GlobalProtect requires the existence of a Root Certificate, which can be either created within PAN-OS or obtained from an external certificate authority (CA). If an external certificate authority is used, its root certificate needs to be imported into PAN-OS.
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select
Generate.
2. Enter a unique name for the certificate.
3. Leave the Signed By field empty and select the Certificate authority checkbox underneath.
4. Click Generate.

• Gateway Certificate
The certificate for the gateway can be created on PAN-OS or imported from an external certificate authority. This section only covers how to create a certificate locally, signed by the CA certificate on the device.
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select
Generate.
2. Enter a unique name for the certificate in the configuration.
3. Enter the gateway’s DNS hostname as the Common Name (CN). This is the name the iOS VPN profile should use to reach the gateway, so that the name the client connects to matches the certificate it is presented.
4. Enter the gateway’s IP address in the IP Address field. If the firewall resides behind a NAT device, use the address actually assigned to the firewall interface, not the public NAT address.
5. Select the certificate authority created in the “Root Certificate Authority“section in the
Signed By drop-down to issue this certificate.
6. Click Generate.

• Identity Certificate
With certificate-based authentication, the client and the gateway authenticate each other. The iOS device therefore requires a certificate issued by a certificate authority trusted by the gateway. This certificate can be issued either by an external certificate authority or from PAN-OS. This section describes the creation of a client certificate (referred to as an Identity Certificate in iOS) in PAN-OS; the process to export it is covered under “Exporting and Importing Certificates”.
1. To create a certificate locally, navigate to the Certificate page on the Device tab and select
Generate.
2. Enter a unique name for the certificate in the configuration.
3. Enter a Common Name (CN). Any value is accepted, but a name that identifies the device or its user makes the certificate easier to track and to revoke later.
4. Select the certificate authority to issue this certificate.
5. Click Generate.

• Certificate Profile
In order to validate the client certificate, a Client Certificate Profile needs to be created which
includes the CA certificate used to create the Identity Certificate. Please refer to the
corresponding section on creating Client Certificate Profiles in the Palo Alto Networks
Administrator’s Guide.

GlobalProtect Gateway Configuration


The following section describes the necessary steps to enable X-Auth required to support Apple
iOS devices on an existing GlobalProtect gateway configuration.
Note: If there is no existing GlobalProtect Portal/Gateway configuration, please refer to the
corresponding section in the Palo Alto Networks Administrator’s Guide on how to configure a
GlobalProtect Gateway.

1. In the Server Certificate drop-down, select the gateway certificate created in the “Gateway
Certificate” section of this document.
2. In the Client Certificate Profile drop-down, select the certificate profile which includes the CA certificate used to issue the client certificate in the “Identity Certificate” section.
3. Enable “Tunnel Mode” and select “Enable IPSec”.
4. Select “Enable X-Auth Support” to enable Extended Authentication.
5. Leave the “Group Name” and “Group Password” fields empty so that IKE phase 1 uses certificate authentication; filling them in selects the pre-shared secret method described later in this document.
6. Click OK and commit the configuration changes.



Apple iOS setup
As with the previous section, this section focuses on integrating Apple iOS devices into
GlobalProtect Gateway using certificate based authentication in IKE phase 1.

Exporting and Importing Certificates


As the first step, the certificates created in the “Root Certificate Authority” and “Identity
Certificate” section need to be exported from PAN-OS and imported into the iOS device.
• Exporting the Root Certificate Authority
1. In the PAN-OS management UI, navigate to the certificate section in the device
configuration tab.
2. Select the Root CA certificate created in the “Root Certificate Authority” section of this
document.
3. Click Export and select “Base64 Encoded Certificate (PEM)” as the file format.
4. Uncheck the “Export private key” checkbox and click OK.

• Importing the Root Certificate into iOS


1. Create a new email and attach the root certificate exported in the section above.
2. Send the email to the iOS user.
3. On the device, open the email and tap the attached root certificate.
4. iOS shows the certificate information and, because this root is not yet trusted, flags it as unverified. Before installing, compare the fingerprint shown in the certificate details with the value you communicated to the user through a separate channel, so that a certificate substituted in transit is not installed as a trusted root.
5. Tap Install, then Install Now when prompted, and enter the device passcode.



• Exporting the Identity Certificate

1. In the PAN-OS management UI, navigate to the certificate section in the device configuration tab.
2. Select the Identity Certificate created in the “Identity Certificate” section of this document.
3. Click Export and select “Encrypted Private Key and Certificate (PKCS12)” as the file format.
4. Enter an export password and click OK. This password is the only protection for the private key while the PKCS12 file is in transit, so choose a strong one and deliver it to the user separately from the file rather than in the same email.

• Importing the Identity Certificate into iOS

1. Compose a new email and attach the Identity Certificate exported in the section above.
2. Send the email to the iOS user.
3. On the device, open the email and tap the attached identity certificate.
4. Select Install in the certificate information.
5. Select Install Now when prompted in the dialog and enter your device passcode.
6. Enter the export password you specified in the previous section and tap Next.
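The following POSIX shell script is an added example, not part of this tech note and not a Palo Alto Networks or Apple tool. It reproduces the three-certificate setup of the “Certificate Creation” section with the openssl CLI, as you would when the “external certificate authority” is one you run yourself, and produces the two exports the “Exporting and Importing Certificates” steps ask for: the root CA as PEM without its private key, and the identity certificate with its key as a password-protected PKCS#12. The output directory, the gateway name gw.example.com, the address 203.0.113.10, the client name and the export password are placeholders supplied by the caller. It also prints the root CA’s SHA-1 fingerprint, the value to hand the user over a second channel for comparison before they tap Install.

```shell
#!/bin/sh
# Added example (not from the tech note): the three certificates of the
# "Certificate Creation" section built with the openssl CLI, plus the two
# exports the iOS side needs. All names, addresses and passwords passed in
# are placeholders chosen by the caller.
set -e

# make_gp_certs OUTDIR GATEWAY_FQDN GATEWAY_IP CLIENT_CN P12_PASSWORD
make_gp_certs() {
    out=$1; gw_fqdn=$2; gw_ip=$3; client_cn=$4; p12_pass=$5
    mkdir -p "$out"
    cfg="$out/openssl.cnf"
    # Self-contained config so the result does not depend on the system openssl.cnf.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ gw_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$gw_fqdn, IP:$gw_ip
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # 1. Root CA: the equivalent of "Signed By" empty + "Certificate Authority" checked.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$cfg" \
        -extensions ca_ext -subj "/CN=GlobalProtect Root CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    # 2. Gateway certificate: CN is the DNS hostname the clients dial, SAN adds the IP.
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=$gw_fqdn" \
        -keyout "$out/gw.key" -out "$out/gw.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$out/gw.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -extfile "$cfg" -extensions gw_ext -out "$out/gw.crt" 2>/dev/null
    # 3. Client identity certificate, issued by the CA the gateway's
    #    Client Certificate Profile will trust.
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=$client_cn" \
        -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$out/client.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -extfile "$cfg" -extensions client_ext -out "$out/client.crt" 2>/dev/null
    # Exports for the device: the root CA as PEM *without* its private key ...
    cp "$out/ca.crt" "$out/root-ca.pem"
    # ... and the identity certificate with its key as a password-protected PKCS#12.
    openssl pkcs12 -export -inkey "$out/client.key" -in "$out/client.crt" \
        -certfile "$out/ca.crt" -name "$client_cn" -passout "pass:$p12_pass" \
        -out "$out/client.p12" 2>/dev/null
    # Both leaf certificates must chain to the root, or the gateway and the
    # device will reject each other in IKE phase 1.
    openssl verify -CAfile "$out/ca.crt" "$out/gw.crt" "$out/client.crt" >/dev/null
}

# SHA-1 fingerprint of a certificate, e.g. the root CA: publish this value
# through a second channel so the user can compare it with what iOS shows
# before tapping Install.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# Usage (constructed placeholder values):
#   make_gp_certs ./gp-pki gw.example.com 203.0.113.10 ipad-0001 'use-a-long-export-password'
#   ca_fingerprint ./gp-pki/root-ca.pem
```

Two points carry over to the PAN-OS export. The PEM file must contain only the certificate, which is what “Export private key” unchecked guarantees in the management UI and what copying ca.crt (never ca.key) does here. The PKCS#12 file does contain the private key, so its export password is the only thing standing between whoever intercepts the email and the device identity; with OpenSSL 3, if an old device rejects the file, re-export it with `-legacy`, which falls back to the older PKCS#12 ciphers that such devices expect.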



Creating a VPN Profile
To create a VPN profile in iOS, open Settings, navigate to General > Network > VPN and perform the following:
1. Select IPSec as the type.
2. Enter a descriptive name for this connection.
3. Enter the address of the GlobalProtect Gateway, using the hostname that appears in the gateway certificate.
4. Enter the username and password for this iOS device user. If the password is left empty, iOS prompts for it each time the connection is started, which avoids storing the user’s password on the device.
5. Enable the “Use Certificate” option.
6. Select the Identity Certificate in the certificate selection.
7. Tap Save.



Your VPN profile is now configured and you can enable the VPN connection through the iOS
device Settings.

Apple iPhone Configuration Utility


To simplify configuration of the iOS VPN client and push out a configuration to all of your
users, you can use the iPhone Configuration Utility from Apple. This section describes how to
create a configuration for iOS devices and distribute it.

Obtaining the Utility


The utility and documentation can be accessed at
http://www.apple.com/support/iphone/enterprise/.

Creating a Configuration Profile


After opening the iPhone Configuration Utility, create a new configuration profile for your iOS users.

• Importing the Credentials

Next, import the Root Certificate and Identity Certificate created in the previous sections.
1. In the iPhone Configuration Utility, select “Credentials” and click “Configure”.
2. Click the “add” icon, select the Root Certificate file you exported earlier and click OK.
3. Click the “add” icon, select the Identity Certificate file (PKCS12) you exported earlier and click OK.
4. Enter the export password you defined earlier in the password field below the Identity Certificate display.

• Creating a VPN profile


Next you need to create the profile for the IPSec client connection.
1. In the iPhone Configuration Utility, select “VPN” and click “Configure”.
2. Define a meaningful connection name.
3. For the connection type, choose “IPSec”.
4. Leave the “Account Name” empty unless you want to pre-populate a user name for this
configuration.
5. Select “Certificate” under “Machine Authentication” and choose the Identity Certificate
imported in the previous section.
6. Select “Share” in the toolbar to start the distribution of the profile.



Optional Automatic Connection Configuration
If you want iOS to bring up the VPN automatically when internal resources are accessed, use the Enable VPN On Demand settings. This is only available with the Certificate authentication type. In the VPN On Demand section, add strings that match internal hostnames or IP addresses. When iOS attempts a connection to a destination containing a string whose action is set to Always establish, it initiates the VPN first. Keep the list specific to internal names; a broad match brings the tunnel up for traffic that never needed it.



Distributing the Configuration Profile
The easiest way to distribute the configuration profile to a group of users is via email. After you
select “Share” in the iPhone Configuration Utility, you can select to send the profile via email.
1. Send the email to the target user or users.
2. On the iOS device, open the email and tap on the attached configuration profile.
3. Select “Install” in the configuration verification dialog and “Install Now” in the following pop-up dialog.

Your VPN profile is now configured and you can enable the VPN connection through the iOS
device Settings.

For more information on distributing profiles, refer to Distributing Configuration Profiles Using
MDM Software.

Pre-Shared Secret Authentication


As an alternative to certificate-based authentication in IKE phase 1, you can configure a pre-shared secret based authentication method.
This configuration is recommended only for a single gateway or a small number of gateways, since the group name and password must be replicated on each gateway. The client also cannot discover the nearest gateway in a multi-gateway environment; it connects only to the gateway defined in its profile. Because the group password is one secret shared by every enrolled device, treat it accordingly: use a long random value, change it on every gateway if a device is lost or a user leaves, and prefer certificate authentication where the environment allows it.

Configuring a Pre-Shared Secret on the GlobalProtect Gateway

1. On the firewall, navigate to Network > GlobalProtect > Gateways and create a new Gateway configuration or modify an existing Gateway.
2. From the General tab, enable Tunnel Mode and then select Enable IPSec and Enable X-Auth Support.
3. Enter a Group Name.
4. Enter and confirm the Group Password.
5. Click OK and then commit the configuration.

Configuring a Pre-Shared Secret on the iOS Device

1. On the Apple device, open Settings and navigate to General > Network > VPN section and select
Add VPN Configuration.
2. Select type IPSec.
3. Enter a description of the new profile in the Description field.
4. In the Server field, enter the address of the GlobalProtect Gateway.
5. Enter your username in the Account field and your password in the Password field.
6. Enter the group name configured previously in the Group Name field.
7. Enter the group password in the Secret field.



8. Select Save to save your configuration.
9. To enable the VPN, open Settings and navigate to General > Network > VPN and change VPN
to ON. If you have multiple VPN profiles, select the desired profile first, then enable the VPN.



Configuring a Pre-Shared Secret in the Apple iPhone Configuration Utility

If you configure a pre-shared secret through the iPhone Configuration Utility, you don't need to go
through any of the certificate import steps previously outlined. Just perform the following steps to
create your VPN configuration profile:

1. In the iPhone Configuration Utility, select VPN and click Configure.


2. Define a meaningful connection name.
3. For the connection type, choose IPSec.
4. Leave the Account Name empty unless you want to pre-populate a user name for this
configuration.
5. Select Shared Secret / Group Name in the Machine Authentication drop down menu.
6. Enter the group name configured previously in the Group Name field.
7. Enter the group password in the Secret field.
8. Select Share in the toolbar to start the distribution of the profile.
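The iPhone Configuration Utility saves its work as a .mobileconfig property list, and it is that file, not the GUI, that reaches the device. The shell function below is an added example, not produced by Apple’s utility or by Palo Alto Networks, that writes the file directly for both variants described in this document: the certificate profile from “Creating a VPN profile” (with the optional VPN On Demand match list) and the shared-secret profile from “Configuring a Pre-Shared Secret in the Apple iPhone Configuration Utility”. The payload identifiers under com.example and the display names are placeholders; the payload types and keys (com.apple.vpn.managed, com.apple.security.pem, com.apple.security.pkcs12, AuthenticationMethod, XAuthEnabled, LocalIdentifier, SharedSecret, OnDemandMatchDomainsAlways) are those of Apple’s configuration profile format.

```shell
#!/bin/sh
# Added example (not from the tech note): emit the .mobileconfig XML that the
# iPhone Configuration Utility builds through its GUI, for the certificate and
# the shared-secret variant. com.example.* identifiers and display names are
# placeholders.
set -e

xml_esc() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }
b64_file() { base64 < "$1" | tr -d '\n'; }
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
    else od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
         sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)/\1-\2-\3-\4-/'
    fi | tr 'a-f' 'A-F'
}
# Header common to every payload dictionary: TYPE IDENTIFIER UUID DISPLAYNAME
payload_head() {
    printf '    <dict>\n'
    printf '      <key>PayloadType</key><string>%s</string>\n' "$1"
    printf '      <key>PayloadVersion</key><integer>1</integer>\n'
    printf '      <key>PayloadIdentifier</key><string>%s</string>\n' "$2"
    printf '      <key>PayloadUUID</key><string>%s</string>\n' "$3"
    printf '      <key>PayloadDisplayName</key><string>%s</string>\n' "$(xml_esc "$4")"
}

# gp_mobileconfig cert SERVER ROOT_PEM IDENTITY_P12 P12_PASSWORD [ONDEMAND_DOMAIN]
# gp_mobileconfig psk  SERVER GROUP_NAME GROUP_SECRET
gp_mobileconfig() {
    mode=$1; server=$(xml_esc "$2")
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>PayloadType</key><string>Configuration</string>\n'
    printf '  <key>PayloadVersion</key><integer>1</integer>\n'
    printf '  <key>PayloadIdentifier</key><string>com.example.gp.ios</string>\n'
    printf '  <key>PayloadUUID</key><string>%s</string>\n' "$(new_uuid)"
    printf '  <key>PayloadDisplayName</key><string>GlobalProtect VPN</string>\n'
    printf '  <key>PayloadContent</key>\n  <array>\n'
    if [ "$mode" = cert ]; then
        root_pem=$3; p12=$4; p12_pass=$5; ondemand=${6:-}
        id_uuid=$(new_uuid)
        # Root CA as exported from PAN-OS (PEM). com.apple.security.root is the DER variant.
        payload_head com.apple.security.pem com.example.gp.ios.rootca "$(new_uuid)" "GlobalProtect Root CA"
        printf '      <key>PayloadContent</key><data>%s</data>\n    </dict>\n' "$(b64_file "$root_pem")"
        # Identity certificate + private key; the export password travels inside the profile.
        payload_head com.apple.security.pkcs12 com.example.gp.ios.identity "$id_uuid" "Device Identity"
        printf '      <key>PayloadContent</key><data>%s</data>\n' "$(b64_file "$p12")"
        printf '      <key>Password</key><string>%s</string>\n    </dict>\n' "$(xml_esc "$p12_pass")"
    else
        group=$(xml_esc "$3"); secret_b64=$(printf '%s' "$4" | base64 | tr -d '\n')
    fi
    payload_head com.apple.vpn.managed com.example.gp.ios.vpn "$(new_uuid)" "GlobalProtect"
    printf '      <key>UserDefinedName</key><string>GlobalProtect</string>\n'
    printf '      <key>VPNType</key><string>IPSec</string>\n'
    printf '      <key>IPSec</key>\n      <dict>\n'
    printf '        <key>RemoteAddress</key><string>%s</string>\n' "$server"
    # X-Auth user login after phase 1; XAuthName is left out so the user is prompted.
    printf '        <key>XAuthEnabled</key><integer>1</integer>\n'
    if [ "$mode" = cert ]; then
        printf '        <key>AuthenticationMethod</key><string>Certificate</string>\n'
        printf '        <key>PayloadCertificateUUID</key><string>%s</string>\n' "$id_uuid"
        if [ -n "$ondemand" ]; then   # VPN On Demand is certificate-only
            printf '        <key>OnDemandEnabled</key><integer>1</integer>\n'
            printf '        <key>OnDemandMatchDomainsAlways</key>\n        <array><string>%s</string></array>\n' "$(xml_esc "$ondemand")"
        fi
    else
        printf '        <key>AuthenticationMethod</key><string>SharedSecret</string>\n'
        printf '        <key>LocalIdentifierType</key><string>KeyID</string>\n'
        printf '        <key>LocalIdentifier</key><string>%s</string>\n' "$group"
        printf '        <key>SharedSecret</key><data>%s</data>\n' "$secret_b64"
    fi
    printf '      </dict>\n    </dict>\n  </array>\n</dict>\n</plist>\n'
}

# Usage (placeholder values):
#   gp_mobileconfig cert gw.example.com root-ca.pem client.p12 'export-password' corp.example.com > gp-cert.mobileconfig
#   gp_mobileconfig psk  203.0.113.10 gp-ios 'group-secret' > gp-psk.mobileconfig
```

Reading the generated file makes the security property of each method explicit. In certificate mode the profile carries the PKCS#12 export password in clear text next to the encrypted key, and in shared-secret mode it carries the group secret itself (only base64-encoded), so a profile sent as an e-mail attachment is the VPN credential. Sign the profile in the utility or distribute it through MDM, and handle the file with the same care as the secret it contains.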



Distributing Configuration Profiles using MDM Software
Many organizations utilize Mobile Device Management Software to enable users to securely access
corporate resources with either their own personal or corporate owned tablets or smart phones. These
platforms can also be leveraged to distribute and maintain GlobalProtect iOS VPN Connectivity. Two
vendors that have been tested and verified to work with Palo Alto Networks Next Generation Firewalls
are MobileIron and Zenprise.

• MobileIron
• Zenprise

MobileIron
MobileIron reduces the cost, risk and usability challenges associated with mobile device management. The MobileIron Virtual Smartphone Platform (VSP) combines data-driven smart device management with real-time wireless cost control. MobileIron is a flexible platform and offers many features to control and secure mobile devices. The configuration below relies on a properly installed VSP instance with the iOS MDM certificate signed and installed before the MobileIron VSP is configured to distribute GlobalProtect profiles. It is also assumed that the iOS devices are already enrolled in the MobileIron system.

First, create a label within the MobileIron VSP or confirm that a suitable one exists. In this example we use an existing label, “Company-Owned”.

Next, the certificates created in the “Root Certificate Authority” and “Identity Certificate” section need
to be exported from PAN-OS and imported into the MobileIron VSP.



Exporting the Root Certificate Authority
1. In the PAN-OS management UI, navigate to the certificate section in the device configuration tab.
2. Select the Root CA certificate created in the “Root Certificate Authority” section of this document.
3. Click Export and select “Base64 Encoded Certificate (PEM)” as the file format.
4. Uncheck the “Export private key” checkbox and click OK.

Importing the Root Certificate into MobileIron VSP


1. Under Apps & Files select Add New > Certificates.
2. Fill in the required fields, upload the exported Root Certificate Authority and click Save.



3. Apply the certificate to the label by selecting the check box next to the certificate entry that was just created, then select More Actions > Apply to Label.

4. Select the check box next to Company-Owned and click Apply.

Exporting the Identity Certificate


1. In the PAN-OS management UI navigate to the certificate section in the device configuration
tab.
2. Select the Identity Certificate created in the “Identity Certificate” section of this document.
3. Click Export and select “Encrypted Private Key and Certificate (PKCS12)” as the file format.
4. Enter an export password and click OK.

Importing the Identity Certificate into MobileIron VSP


1. Under Apps & Files select Add New > Certificates.
2. Fill in the required fields and upload the exported Identity Certificate and click save.

3. Apply the certificate to the label by selecting the check box next to the certificate entry that was just created, then select More Actions > Apply to Label.

4. Select the check box next to Company-Owned and click Apply.



Creating an iOS VPN Profile in MobileIron VSP
To create a VPN profile in MobileIron, under Apps & Files > App Settings select Add New > VPN:
1. Define a name for this connection.
2. Enter a Description.
3. Select IPSec as the connection type.
4. Enter the IP Address or resolvable hostname of the GlobalProtect gateway.
5. Enter $USERID$ to automatically populate user name with enrolled user data.
6. Enter $PASSWORD$ to automatically populate password with enrolled user data.
7. For Authentication, select Certificate from the drop down list.
8. For Identity Certificate, select the Client Identity Certificate that was just imported.
9. If desired, select VPN on Demand and populate match criteria for automatically bringing up
the VPN.

10. Save the VPN Profile, then select More Actions > Apply to Label.
11. Select the check box next to Company-Owned and click Apply.

Your VPN profile is now configured in MobileIron and will be automatically distributed to all managed
devices attached to the Company-Owned label. Once deployed, the VPN connection can be enabled
through the iOS device Settings or automatically depending on the VPN on-demand and match settings
in MobileIron.

Zenprise
Zenprise is focused on managing the mobile device lifecycle for enterprise customers. Whether delivered as an on-premise mobile device management server or as a cloud solution, Zenprise MobileManager lets you manage the device lifecycle across every major platform: iPhone, iPad, Android, BlackBerry, Symbian and Windows Mobile. Zenprise is a flexible platform and offers many features to control and secure mobile devices. The configuration below relies on a properly installed Device Manager instance with the iOS MDM certificate signed and installed before the Zenprise Device Manager is configured to distribute GlobalProtect profiles. It is also assumed that the iOS devices are already enrolled in the Zenprise system.

First, the certificates created in the “Root Certificate Authority” and “Identity Certificate” section need
to be exported from PAN-OS and imported into the Zenprise Device Manager.



Exporting the Root Certificate Authority
1. In the PAN-OS management UI, navigate to the certificate section in the device configuration tab.
2. Select the Root CA certificate created in the “Root Certificate Authority” section of this
document.
3. Click Export and select “Base64 Encoded Certificate (PEM)” as the file format.
4. Uncheck the “Export private key” checkbox and click OK.

Importing the Root Certificate into Zenprise Device Manager


1. Under Policies, select iOS > Configurations from the left menu.
2. Select New Configuration > Profiles and Settings > Credentials.
3. Fill in the required fields, select the Credential tab, upload the exported Root Certificate Authority and click Create.



Exporting the Identity Certificate
1. In the PAN-OS management UI navigate to the certificate section in the device configuration
tab.
2. Select the Identity Certificate created in the “Identity Certificate” section of this document.
3. Click Export and select “Encrypted Private Key and Certificate (PKCS12)” as the file format.
4. Enter an export password and click OK.

Importing the Identity Certificate into Zenprise Device Manager


1. Under Policies, select iOS > Configurations from the left.
2. Select New Configuration > Profiles and Settings > Credentials.
3. Fill in the required fields, select the Credential tab, upload the exported Identity Certificate and click Create.



Creating an iOS VPN Profile in Zenprise Device Manager
To create a VPN profile in Zenprise, under Policies, select iOS > Configurations from the left menu:
1. Select New Configuration > Profiles and Settings > VPN.
2. Under General, enter a unique Identifier and Display Name.
3. Under VPN, enter the Connection name displayed on the device.
4. Select IPSec as the Connection type.
5. Enter the hostname or IP address of the GlobalProtect Gateway.
6. Enter the user account and password if desired (variables can also be used to auto-populate them from the database).
7. For the connection’s Authentication type, select Credential from the drop-down list.
8. For Identity credential, select the Client Identity Certificate that was just imported.
9. If desired, select VPN on Demand and populate the match criteria for automatically bringing up the VPN.
10. Click Create.



Deploying an iOS VPN Profile in Zenprise Device Manager
1. Under the Deployment tab, select New Package > New iOS Package.
2. Enter the Package Name and click next.
3. Select appropriate groups of users to receive package and click next.
4. Under Available resources > Configurations select the imported Root Certificate and click the
right arrow to move it to the Resources to Deploy window. Repeat with the Identity
Certificate and VPN Profile and click next.
5. For the deployment schedule, accept the default values and click next.
6. For Deployment rules, skip this by clicking next.
7. On the Summary page click Finish.

Your VPN profile is now configured in Zenprise and will be automatically distributed to all managed
devices attached to the deployment package that you created. Once deployed, the VPN connection can
be enabled through the iOS device settings or automatically depending on the VPN on-demand and
match settings in Zenprise Device Manager.



Revision History

Date        Revision   Comment
7/9/2012    C          • Updated “Prerequisites” to show that Apple iOS 4.3 and later is supported. Specifically, iOS 5.1 is now supported and future releases of iOS will also be supported.
                       • Minor formatting updates to the pre-shared secret section.
4/20/2012   B          New section on MobileIron and Zenprise added.
11/7/2011   A          Initial release.

