Zero Trust Access Setup Guide

Zero Trust Access (ZTA) for allowing server administrator to securely connect to servers.
Currently, supported platforms as below:

1. Microsoft Windows 10 and above
2. Computers running Apple Mac OS 13 and above
3. iPad/iPhone devices running Apple iOS

1. For Computers running Microsoft Windows or Mac OS

1.1 Installation of the GlobalProtect Agent

1.2 Connect to the Zero Trust Access via the GlobalProtect Agent

2. For iPad/iPhone devices running iOS

3. Endpoint Compliance Check

3.1 Access matrix

3.2 Examples of "Your device not complied" warning message:

4. Frequently Asked Questions (FAQs)

1. For Computers running Microsoft Windows or Mac OS

1.1 Installation of the GlobalProtect Agent

1. Use a web browser to visit the "CityU Zero Trust Access" service webpage at
   https://cityu-zta.gpcloudservice.com/.
2. You will be redirected to the CityU sign-in page. Please enter your EID and password, then click "Sign In" to log in via Okta.




3. In the "Okta Verify" menu, click "Send Push" or "Enter Code". Then, check the "Okta Verify App" on your mobile phone.
   1. Click "Yes, it's me" on on the mobile app to confirm (if you selected "Send Push")
   2. Enter the one-time password shown on the mobile app (if you selected "Enter Code")
   
   
   
   
4. After successful login, You will see the Palo Alto GlobalProtect portal page. You can download the latest version of the GlobalProtect Agent software by clicking the link on the top menu.




5. You may download the appropriate version of the GlobalProtect agent according to your computer's Operating System (O/S).
   (Note: For Windows users, if you are not sure to use the 32-bit or the 64-bit GlobalProtect agent, please refer to Q1 of the FAQs).



Computers	Download Option
For 32-bit Windows O/S	Download Windows 32-bit GlobalProtect agent
For Windows 10 and above	Download Windows 64-bit GlobalProtect agent
For Apple Mac O/S 13 and above	Download Mac 32/64-bit GlobalProtect agent





6. After downloading the GlobalProtect agent software, you can install it on your computer according to setup wizard.




7. After successful installation, you will find the GlobalProtect icon in the system tray of your computer:





1.2 Connect to the Zero Trust Access via the GlobalProtect Agent

1. You can invoke the GlobalProtect agent by clicking the GlobalProtect icon in the system tray.
2. When the "Welcome!" menu appear, click "Get Started" to proceed.




3. Enter the Portal Address "cityu-zta.gpcloudservice.com" in the address field and click "Connect".




4. The system will redirect you to the CityU sign in page. Please enter your EID and password to sign in.




5. When the "Open GlobalProtect?" menu appears, click "Open GlobalProtect". The GlobalProtect icon on the system tray will change from "GlobalProtect Disconnected" to "GlobalProtect Connected" upon successful login.

2. For iPad/iPhone devices running iOS

1. Search and install the app in App Store.




2. Launch the app .


3. Setup GlobalProtect Gateway Address (cityu-zta.gpcloudservice.com).




4. Click "Connect" and login, click on "open" when prompt after successful login.


5. You will see the "connected" on app, and "VPN" at top right hand corner of the screen.

3. Endpoint Compliance Check

There are two types of access according to the "endpoint compliance check" result of the user's computer or mobile device.

(1) Admin Access: For computers and mobile devices with successful endpoint compliance check, the users can have required administrative access to the servers (e.g. RDH, SSH).

(2) General Access: For computers and mobile devices without successful endpoint compliance check, they can have web-console access to servers via the HTTPS.

3.1 Access matrix

For Administrative Access - Agent Access with Compliance Check

#	App/Resources	Access From	Access To	OS	Endpoint Compliance Check
1	Admin Access (RDP, SSH, Ping, Traceroute) Web Console Access (443)	Campus/ Remote Access	Server Farm	Windows 10 or above. macOS 13 and above	1. Anti-Malware: Installed. Real-time Protection enabled. Signature within 7 days 2. Patch Management: Installed and Enabled.
2	Admin Access (RDP, SSH, Ping, Traceroute) Web Console Access (443)	Campus/ Remote Access	Server Farm	Apple iOS/iPadOS	*not jailbroken

For General Access - Agent Access WITHOUT Compliance Check

#	App/Resources	Access From	Access To
3	Web Console Access via SSL	Campus	Server Farm
4	Web Console Access via SSL	Remote Access	Server Farm
5	RDP, SSL, web browsing	Remote Access	Campus

3.2 Examples of "Your device is not complied" warning message:

4. Frequently Asked Questions (FAQs)

Q1: My computer is running Microsoft Windows. Which one should I install among the "Windows 32-bit GlobalProtect agent" and "Windows 64-bit GlobalProtect agent"?

Q2: We are system administrators. Do we have the same access right after switching from FortiClient VPN to PA Zero Trust Access?

Q3: Will PA Zero Trust Access replace FortiClient VPN?

Q4: I cannot successfully re-install the new GlobalProtect agent because my computer has installed old GlobalProtect software. What should I do?

Q5: My computer should have met the compliance requirement (installed anti-malware software, enabled real-time protection with updated signature and enabled patch management). But when I connect to the ZTA service at the first time, the "Your device is not complied" warning message is shown. What should I do?

Q6: On Windows, the GlobalProtect software hanging and show connecting but not connected and could not manually refresh/disconnect the attempt.

Q1: My computer is running Microsoft Windows. Which one should I install among the "Windows 32-bit GlobalProtect agent" and "Windows 64-bit GlobalProtect agent"?

A1: Most modern PCs are pre-installed with 64-bit Windows operating system. If you want to confirm which version of Windows you are using, you may use the following steps:

1. Click the Start button, then select Settings➔ System ➔ About:


2. Locate your System type under "Device Specifications".

Q2: We are system administrators. Do we have the same access right after switching from FortiClient VPN to PA Zero Trust Access?

A2: Based on existing firewall rule policies and traffic information, system administrators are granted with similar access rights as FortiClient VPN to access the server farm. If you cannot access some servers after switching to PA Zero Trust Access, please contact CSC Network Team to check.

Q3: Will PA Zero Trust Access replace FortiClient VPN?

A3: Yes, we plan to replace FortiClient VPN this year.

Q4: I cannot successfully re-install the new GlobalProtect agent because my computer has installed old GlobalProtect software. What should I do?

A4: You should uninstall the old GlobalProtect agent before installing the new GlobalProtect agent.

Q5: My computer should have met the compliance requirement (installed anti-malware software, enabled real-time protection with updated signature and enabled patch management). But when I connect to the ZTA service at the first time, the "Your device is not complied" warning message is shown. What should I do?

A5: Please disconnect from GlobalProtect and reconnect again.

Q6: On Windows, the GlobalProtect software hanging and show connecting but not connected and could not manually refresh/disconnect the attempt.

A6: Open the "Task Manager" and kill the process "Global Protect client" via "End task", the Global Protect agent will re-run, and you can try to connect again.

 

IT.ServiceDesk@cityu.edu.hk