topic Re: Global Protect Setup in GlobalProtect Discussions

Global Protect Setup

S_Williams901 — Tue, 02 Sep 2025 14:35:32 GMT

Trying to setup GP for a scenario. One large org, multiple entities/departments that will require different policies, HIP checks, some will be manual connection, some will be always on.

The requirements that we would like to have are:

1 URL for all users to type in a browser to download client if need be, and same URL to be the entry for their client.

I have tried one portal and one gateway with multiple agent configs but the HIP checks are the blockers as it seems you cannot have HIP check messages per agent config or per AD user group.

How are others achieving this?

We do not want endpoints that are different, for example, dept1@domain.com, dept2@domain.com

for the GP gateways.

Re: Global Protect Setup

Raido_Rattameister — Tue, 02 Sep 2025 16:45:56 GMT

You can have 1 portal (so 1 URL / portal address to access).

Different gateway configs are given to users in different AD groups.

Different gateways present different HIP notifications to users.

Re: Global Protect Setup

S_Williams901 — Tue, 02 Sep 2025 17:32:59 GMT

BUT each gateway requires separate external IP/URL and interface correct?

Re: Global Protect Setup

Raido_Rattameister — Wed, 03 Sep 2025 15:42:37 GMT

Ideally yes.

It is also possible to run them on different internal interfaces.

Different external ports dnatted to different internal gateway IPs like example below.

vpn.mycompany.com:6443 > 10.0.0.1:443

vpn.mycompany.com:7443 > 10.0.1.1:443

Issue is that then you can probably do SSL-VPN only (more overhead, more sensitive to packet loss) as I am not aware capability to run IPSec (UDP/4501) on alternate port externally.