Configure GlobalProtect Clientless VPN

Overview

GlobalProtect Clientless VPN allows users to access internal web applications through a secure web portal without needing to install the GlobalProtect app. This is especially useful for BYOD scenarios, third-party contractors, or quick secure access from unmanaged devices.

Configuration Steps

  1. Enable Clientless VPN:
    Go to Network > GlobalProtect > Portals, edit your portal, and enable Clientless VPN.
  2. Create SSL/TLS Service Profile:
    Go to Device > Certificate Management > SSL/TLS Service Profile and configure the certificate the portal will use.
  3. Define Applications:
    Navigate to Network > Clientless VPN > Applications and define internal web apps (e.g., internal CRM, SharePoint) you want to publish. Specify:
    • App Name
    • App URL (e.g., http://intranet.corp.local)
    • App Bookmark Title
    • Authentication Method (e.g., SAML, LDAP)
  4. Set Access Method:
    Choose whether the applications are accessible via:
    • Browser-Based Access: The application opens in the user's browser within the clientless VPN portal.
    • HTML5 Access: Use for applications that require backend terminal services.
  5. Configure Authentication:
    Go to Device > Authentication Profile and configure authentication using LDAP, SAML, RADIUS, or a combination. Assign this profile to the portal.
  6. Assign Apps to Portal Configuration:
    Go back to Network > GlobalProtect > Portals, edit the portal configuration, open the Clientless VPN > Applications tab, and add the applications.
  7. Define Security Policies:
    Ensure security policies allow traffic from the clientless VPN zone to the internal application zones.
  8. Commit and Test:
    Commit the configuration and test by accessing the GlobalProtect portal from an external browser and logging in.
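Step 7 is where a clientless deployment most often ends up over-permissive: a single "clientless zone to any" rule gets the portal working and never gets narrowed. The script below is an added example (not part of this page and not a Palo Alto Networks tool) that reviews a rulebase for exactly that. It reads rules as constructed dictionaries loosely modelled on the fields of a PAN-OS rulebase export; the zone names ("clientless-vpn", "dmz-web"), the application and service names, and the app hosts are assumptions, and in a real rulebase the destination field holds address-object names rather than hostnames.

```python
"""Review the security rules that let Clientless VPN users reach published apps.

Added example; it is not part of the original page and not a Palo Alto
Networks tool. The zone names, rule layout and address values below are
constructed; in a real rulebase the destination field holds address-object
names rather than hostnames.
"""
from dataclasses import dataclass

# What a web app published through the portal actually needs: web traffic only.
WEB_APPLICATIONS = {"web-browsing", "ssl"}
WEB_SERVICES = {"application-default", "service-http", "service-https"}


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    destinations: set
    applications: set
    services: set
    action: str


def applies_to_clientless(rule, clientless_zone):
    """True for allow rules whose source zone includes the Clientless VPN zone."""
    return rule.action == "allow" and (
        clientless_zone in rule.from_zones or "any" in rule.from_zones)


def review_rule(rule, clientless_zone="clientless-vpn"):
    """Return findings for one rule; an empty list means the rule is tightly scoped."""
    findings = []
    if not applies_to_clientless(rule, clientless_zone):
        return findings
    if "any" in rule.from_zones:
        findings.append("source zone 'any' silently includes the Clientless VPN zone")
    if "any" in rule.to_zones:
        findings.append("destination zone 'any' instead of the application zones")
    if "any" in rule.destinations:
        findings.append("destination 'any' instead of the published app hosts")
    if "any" in rule.applications or not rule.applications <= WEB_APPLICATIONS:
        findings.append(f"applications {sorted(rule.applications)} exceed web-browsing/ssl")
    if "any" in rule.services or not rule.services <= WEB_SERVICES:
        findings.append(f"services {sorted(rule.services)} exceed HTTP/HTTPS")
    return findings


def review_rulebase(rules, apps, clientless_zone="clientless-vpn"):
    """Flag over-broad rules and list published apps that no clean rule covers."""
    findings = {r.name: review_rule(r, clientless_zone) for r in rules}
    clean = [r for r in rules
             if applies_to_clientless(r, clientless_zone) and not findings[r.name]]
    uncovered = [app["name"] for app in apps
                 if not any(app["host"] in r.destinations for r in clean)]
    return {"findings": {n: f for n, f in findings.items() if f},
            "uncovered_apps": uncovered}


# Constructed sample rulebase and published-app list.
SAMPLE_RULES = [
    Rule("clientless-to-intranet", {"clientless-vpn"}, {"dmz-web"},
         {"intranet.corp.local"}, {"web-browsing", "ssl"},
         {"application-default"}, "allow"),
    Rule("clientless-any", {"clientless-vpn"}, {"any"}, {"any"},
         {"any"}, {"any"}, "allow"),
    Rule("trust-to-internet", {"trust"}, {"untrust"}, {"any"},
         {"any"}, {"any"}, "allow"),
]
SAMPLE_APPS = [
    {"name": "Intranet", "host": "intranet.corp.local"},
    {"name": "CRM", "host": "crm.corp.local"},
]

if __name__ == "__main__":
    report = review_rulebase(SAMPLE_RULES, SAMPLE_APPS)
    for name, items in report["findings"].items():
        print(f"{name}:")
        for item in items:
            print(f"  - {item}")
    print("published apps with no tightly scoped rule:", report["uncovered_apps"])
```

Run against the sample data, the review flags "clientless-any" on four counts and reports that CRM has no tightly scoped rule: the broad rule is the only thing letting it work, which is the state you want to catch before the commit in step 8 rather than after.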

Mermaid Diagram - Clientless VPN Workflow

    sequenceDiagram
        participant User
        participant Portal
        participant InternalApp
        participant Firewall

        User->>Portal: Access via browser (HTTPS)
        Portal->>User: Prompt Authentication (LDAP/SAML)
        User->>Portal: Submit Credentials
        Portal->>Firewall: Validate Credentials
        Firewall-->>Portal: Authentication Success
        Portal->>User: Display Clientless VPN Portal
        User->>Portal: Click on internal app
        Portal->>InternalApp: Proxy request
        InternalApp-->>Portal: Response
        Portal-->>User: Serve internal app content

Common PCNSE Exam Topics

Supported Protocols and Applications in Clientless VPN

Palo Alto Networks GlobalProtect Clientless VPN supports access to internal resources using secure web-based protocols. The following protocols and applications are supported:

Note: Only applications that can be proxied through HTTP/HTTPS or rendered in HTML5 are supported. Clientless VPN does not support arbitrary TCP/UDP applications or thick-client applications (e.g., SMB, VoIP).
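A quick way to apply that note before publishing anything is to check each App URL from step 3 for a scheme the portal can actually proxy. The script below is an added example (not from this page and not a Palo Alto Networks tool); the application names and URLs are constructed, and it also rejects URLs with no host or with credentials embedded in them, which belong in the authentication profile rather than the bookmark.

```python
"""Validate Clientless VPN application definitions against the supported protocols.

Added example; not part of the page or a Palo Alto Networks tool. The app
names and URLs below are constructed. The check mirrors the rule that only
HTTP/HTTPS applications can be published through the portal.
"""
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"http", "https"}


def check_app_url(url):
    """Return (publishable, reason) for one App URL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        return False, (f"scheme '{scheme or 'none'}' cannot be proxied; "
                       "only HTTP/HTTPS applications are supported")
    if not parts.hostname:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials embedded in the URL; use the authentication profile"
    if scheme == "http":
        return True, "accepted; the hop from the firewall to the app is cleartext"
    return True, "accepted"


def publishable_apps(apps):
    """Names of the apps that pass the check, sorted."""
    return sorted(name for name, url in apps.items() if check_app_url(url)[0])


# Constructed sample application definitions (name -> App URL).
SAMPLE_APPS = {
    "Intranet": "http://intranet.corp.local",
    "SharePoint": "https://sharepoint.corp.local/sites/it",
    "File share": "smb://files.corp.local/share",
    "Admin console": "https://admin:secret@mgmt.corp.local",
    "Broken": "https://",
}

if __name__ == "__main__":
    for name, url in SAMPLE_APPS.items():
        ok, reason = check_app_url(url)
        print(f"{'OK' if ok else 'NO'}  {name:<14} {url:<42} {reason}")
```

The SMB bookmark fails for the reason the note gives: it is a thick-client protocol, not something the portal can render over HTTP/HTTPS. The plain-HTTP intranet app is accepted but called out, since the user's session is protected by the portal's TLS while the firewall-to-application hop is not.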
