https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-internal-gateway-for-azure-ad-authenticated-users/m-p/549105#M4203 <P>In our on-prem firewalls, some policies are based on user-ID.</P> <P>User-to-IP mapping for the corresponding users are sourced via different mechanisms such as;</P> <P>&nbsp;- User-ID agents installed on domain-controllers</P> <P>&nbsp;- terminal server agents.</P> <P>This setup has been working pretty well so far.</P> <P>However, now we have a challenge after the introduction of Microsoft "modern devices". Users logged in to these devices are authenticated against Azure AD instead of the on-prem AD servers. Because of this, on-prem firewalls are unable to acquire any user-to-IP mapping information. To address this problem, we are looking at deploying GP internal gateway on modern devices hoping that it can provide the required mapping information to the firewall. However, we have some unknowns about this approach.</P> <P>&nbsp;</P> <UL> <LI>How to authenticate clients when connecting to the internal gateway</LI> </UL> <P>When a GP client connect to the internal gateway, firewall needs to authenticate it first.</P> <P>This authentication need to be seamless &nbsp;as the user already authenticated to the device already.</P> <P>We have the options of certificate authentication or SAML ( by communicating with Azure AD )</P> <P>&nbsp;</P> <UL> <LI>Even after this authentication, we are not sure what the format of the username populated in the firewall along with the IP address.</LI> </UL> <P>Since the user is authenticated against the Azure AD, we have a suspicion that the UPN (i.e. the email address ) will be populated as the username instead of the sAMAccountName (ie. Domain/username format)</P> <P>If the UPN is populated as the user name, the firewall will not be able to use it any of the policies as the firewall is not integrated with Azure AD.</P> <P>In that case, we will have to the cloud-ID-engine function as well to pull Azure-AD group mapping</P> <P>&nbsp;</P> <P>Just wondering whether anyone has implemented a similar solution ?</P> <P>Apologies for the lengthy message.</P> Wed, 12 Jul 2023 12:56:45 GMT bcdomain 2023-07-12T12:56:45Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-internal-gateway-for-azure-ad-authenticated-users/m-p/549105#M4203 <P>In our on-prem firewalls, some policies are based on user-ID.</P> <P>User-to-IP mapping for the corresponding users are sourced via different mechanisms such as;</P> <P>&nbsp;- User-ID agents installed on domain-controllers</P> <P>&nbsp;- terminal server agents.</P> <P>This setup has been working pretty well so far.</P> <P>However, now we have a challenge after the introduction of Microsoft "modern devices". Users logged in to these devices are authenticated against Azure AD instead of the on-prem AD servers. Because of this, on-prem firewalls are unable to acquire any user-to-IP mapping information. To address this problem, we are looking at deploying GP internal gateway on modern devices hoping that it can provide the required mapping information to the firewall. However, we have some unknowns about this approach.</P> <P>&nbsp;</P> <UL> <LI>How to authenticate clients when connecting to the internal gateway</LI> </UL> <P>When a GP client connect to the internal gateway, firewall needs to authenticate it first.</P> <P>This authentication need to be seamless &nbsp;as the user already authenticated to the device already.</P> <P>We have the options of certificate authentication or SAML ( by communicating with Azure AD )</P> <P>&nbsp;</P> <UL> <LI>Even after this authentication, we are not sure what the format of the username populated in the firewall along with the IP address.</LI> </UL> <P>Since the user is authenticated against the Azure AD, we have a suspicion that the UPN (i.e. the email address ) will be populated as the username instead of the sAMAccountName (ie. Domain/username format)</P> <P>If the UPN is populated as the user name, the firewall will not be able to use it any of the policies as the firewall is not integrated with Azure AD.</P> <P>In that case, we will have to the cloud-ID-engine function as well to pull Azure-AD group mapping</P> <P>&nbsp;</P> <P>Just wondering whether anyone has implemented a similar solution ?</P> <P>Apologies for the lengthy message.</P> Wed, 12 Jul 2023 12:56:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-internal-gateway-for-azure-ad-authenticated-users/m-p/549105#M4203 bcdomain 2023-07-12T12:56:45Z