Zero Trust Access Setup Guide
Zero Trust Access (ZTA) allows server administrators to connect securely to servers.
The following endpoint platforms are currently supported:
- Microsoft Windows 10 and above
- Computers running Apple Mac OS 13 and above
- iPad/iPhone devices running Apple iOS
1. For Computers running Microsoft Windows or Mac OS
1.1 Installation of the GlobalProtect Agent
1.2 Connect to the Zero Trust Access via the GlobalProtect Agent
2. For iPad/iPhone devices running iOS
3. Endpoint Compliance Check
3.1 Access matrix
3.2 Examples of "Your device is not complied" warning message:
4. Frequently Asked Questions (FAQs)
1. For Computers running Microsoft Windows or Mac OS
1.1 Installation of the GlobalProtect Agent
- Use a web browser to visit the "CityU Zero Trust Access" service webpage at https://cityu-zta.gpcloudservice.com/.
- You will be redirected to the CityU sign-in page. Please enter your EID and password, then click "Sign In" to log in via Okta.
- In the "Okta Verify" menu, click "Send Push" or "Enter Code". Then, check the "Okta Verify App" on your mobile phone.
- Click "Yes, it's me" on the mobile app to confirm (if you selected "Send Push")
- Enter the one-time password shown on the mobile app (if you selected "Enter Code")
- After successful login, you will see the Palo Alto GlobalProtect portal page. You can download the latest version of the GlobalProtect Agent software by clicking the link on the top menu.
- Download the version of the GlobalProtect agent that matches your computer's Operating System (O/S).
(Note: For Windows users, if you are not sure whether to use the 32-bit or the 64-bit GlobalProtect agent, please refer to Q1 of the FAQs).
| Computers | Download Option |
|---|---|
| For 32-bit Windows O/S | Download Windows 32-bit GlobalProtect agent |
| For Windows 10 and above | Download Windows 64-bit GlobalProtect agent |
| For Apple Mac O/S 13 and above | Download Mac 32/64-bit GlobalProtect agent |
- After downloading the GlobalProtect agent software, install it on your computer by following the setup wizard.
- After successful installation, you will find the GlobalProtect icon in the system tray of your computer.
1.2 Connect to the Zero Trust Access via the GlobalProtect Agent
- You can invoke the GlobalProtect agent by clicking the GlobalProtect icon in the system tray.
- When the "Welcome!" menu appears, click "Get Started" to proceed.
- Enter the Portal Address "cityu-zta.gpcloudservice.com" in the address field and click "Connect".
- The system will redirect you to the CityU sign-in page. Please enter your EID and password to sign in.
- When the "Open GlobalProtect?" menu appears, click "Open GlobalProtect". The GlobalProtect icon on the system tray will change from "GlobalProtect Disconnected" to "GlobalProtect Connected" upon successful login.
2. For iPad/iPhone devices running iOS
- Search for the app in the App Store and install it.
- Launch the app.
- Set up the GlobalProtect Gateway Address (cityu-zta.gpcloudservice.com).
- Click "Connect" and log in, then click "open" when prompted after successful login.
- You will see "connected" in the app, and "VPN" at the top right-hand corner of the screen.
3. Endpoint Compliance Check
Administrative access will be granted to endpoint devices that have passed "compliance check".
3.1 Access matrix
For Administrative Access - Agent Access with Compliance Check
| # | App/Resources | Access From | Access To | OS | Endpoint Compliance Check |
|---|---|---|---|---|---|
| 1 | Admin Access (e.g. RDP, SSH, Ping, Traceroute, Web Console Access) | Campus/Remote Access | Server Farm | Windows 10 or above. macOS 13 and above | 1. Anti-Malware: Installed. Real-time Protection enabled. Signature within 7 days 2. Patch Management: Installed and Enabled. |
| 2 | Admin Access (e.g. RDP, SSH, Ping, Traceroute, Web Console Access) | Campus/Remote Access | Server Farm | Apple iOS/iPadOS | *not jailbroken |
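A local pre-check of the Windows criteria in row 1 of the access matrix, useful before connecting or when troubleshooting a compliance warning. This is an added example, not part of the original guide or the GlobalProtect product; it assumes Microsoft Defender is the anti-malware product and that the Windows Update service (wuauserv) represents "patch management", neither of which the guide specifies. The authoritative check is the one performed by the agent at connection time.

```powershell
# Added example: approximate the section 3.1 compliance criteria locally.
# Assumptions (not from the guide): Microsoft Defender is the anti-malware
# product; the Windows Update service (wuauserv) stands in for patch management.
$MaxSignatureAgeDays = 7   # "Signature within 7 days" from the access matrix

function Test-ZtaCompliance {
    $results = [ordered]@{}

    try {
        # Get-MpComputerStatus is only available when Defender is present
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $results['Anti-malware installed']       = [bool]$mp.AntivirusEnabled
        $results['Real-time protection enabled'] = [bool]$mp.RealTimeProtectionEnabled
        # AntivirusSignatureAge is reported in whole days since the last update
        $results['Signature within 7 days']      = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    } catch {
        # Defender cmdlets missing or failing (e.g. a third-party product is
        # installed): this script cannot confirm the criteria, so report FAIL
        $results['Anti-malware installed']       = $false
        $results['Real-time protection enabled'] = $false
        $results['Signature within 7 days']      = $false
    }

    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $results['Patch management installed'] = ($null -ne $wu)
    $results['Patch management enabled']   = ($null -ne $wu -and $wu.StartType -ne 'Disabled')

    return $results
}

$check = Test-ZtaCompliance
$check.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($check.Values -contains $false) {
    'One or more criteria failed; fix these before connecting to ZTA.'
}
```

A FAIL on a machine that uses a different anti-malware or patching product only means this script could not confirm the criterion, not that the agent will reject the device.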
3.2 Examples of "Your device is not complied" warning message:
4. Frequently Asked Questions (FAQs)
Q1: My computer is running Microsoft Windows. Which one should I install among the "Windows 32-bit GlobalProtect agent" and "Windows 64-bit GlobalProtect agent"?
A1: Most modern PCs come pre-installed with a 64-bit Windows operating system. To confirm which version of Windows you are using, follow these steps:
- Click the Start button, then select Settings ➔ System ➔ About.
- Locate your System type under "Device Specifications".
Q2: We are system administrators. Do we have the same access right after switching from FortiClient VPN to PA Zero Trust Access?
A2: Based on existing firewall rule policies and traffic information, system administrators are granted access rights to the server farm similar to those they had with FortiClient VPN. If you cannot access some servers after switching to PA Zero Trust Access, please contact CSC Network Team to check.
Q3: Will PA Zero Trust Access replace FortiClient VPN?
A3: Yes, we plan to replace FortiClient VPN this year.
Q4: I cannot successfully re-install the new GlobalProtect agent because an old version of the GlobalProtect software is installed on my computer. What should I do?
A4: You should uninstall the old GlobalProtect agent before installing the new GlobalProtect agent.
Q5: My computer should have met the compliance requirement (installed anti-malware software, enabled real-time protection with updated signature and enabled patch management). But when I connect to the ZTA service for the first time, the "Your device is not complied" warning message is shown. What should I do?
A5: Please disconnect from GlobalProtect and reconnect.
Q6: On Windows, the GlobalProtect software hangs and shows "connecting" but never connects, and I cannot manually refresh or disconnect the attempt. What should I do?
A6: Open the "Task Manager" and kill the process "Global Protect client" via "End task". The Global Protect agent will restart, and you can try to connect again.
IT.ServiceDesk@cityu.edu.hk