topic Re: One portal, multiple gateways for different users in GlobalProtect Discussions

One portal, multiple gateways for different users

S.Williams091162 — Tue, 04 Nov 2025 15:27:52 GMT

Posted a diagram of what I am trying to accomplish but seem to get road blocks so maybe there is something I am missing.

Company A will use an always on config with cert. So I assume the cert will take priority over the saml auth?

Company B will be using manual/on-demand with no cert. Each company should be able to use the SAME external URL (vpn.doamin.com) But based on global config agent config should use a different gateway that will have different HIP parameters and different policies.

Is there some way you need to redirect them to a different gateway by using the internal gateway config on agent config?

Maybe I am struggling to understand the flow.

User -> connects to portal: vpn.domain dot com-> user auths to some agent config based on AD group membership -> gets sent to corresponding gateway (how does this happen?) -> connects to gateway, passes hip, then proceeds to network policies

Re: One portal, multiple gateways for different users

santhuksha — Wed, 05 Nov 2025 10:55:17 GMT

The Missing Link: Portal Agent Configuration Rules

The mechanism to route users to the correct Gateway is located on the GlobalProtect Portal under the Agent tab, using Configs (Agent Configurations) and Rules.

Your flow: User → connects to portal: https://www.google.com/search?q=vpn.domain.com → user auths to some agent config based on AD group membership → gets sent to corresponding gateway (how does this happen?) → connects to gateway, passes hip, then proceeds to network policies.

1. Define Two Agent Configurations

First, you need to create the two distinct configurations under Network → GlobalProtect → Portals → Your Portal →Agent tab:

Agent Config A (e.g., Config-Company-A):

Connectivity Tab → External Gateways: List only Gateway A's external address.
Client Settings: Define the settings for Always-On (if not already set in a separate Client Configuration).

Agent Config B (e.g., Config-Company-B):

Connectivity Tab → External Gateways: List only Gateway B's external address.
Client Settings: Define the settings for Manual/On-Demand connection.

2. Create Selection Rules Based on Group Membership

On the same Agent tab of the Portal configuration, you define the rules that match users to these configs:

Rule 1 (Company A):

Criteria: Use the Source User column. Select the AD User Group for Company A (e.g., ldap-profile-A\Company A Users).
Action: Select Config-Company-A from the drop-down.

Rule 2 (Company B):

Criteria: Use the Source User column. Select the AD User Group for Company B (e.g., ldap-profile-B\Company B Users).
Action: Select Config-Company-B from the drop-down.

Default/Final Rule: A default config must be set at the end.

The Portal processes these rules top-down. When a user successfully authenticates (via Cert or SAML/LDAP) and their identity is resolved to a group, the Portal applies the first matching rule, and the client device downloads that specific Agent Configuration. The downloaded configuration tells the GlobalProtect client to only use the Gateway(s) defined within that specific config.

Authentication Priority for Company A (Cert vs. SAML)

Your assumption about the certificate taking priority is generally correct and is essential for Always-On functionality.

On the Portal, under the Authentication tab, you must define an Authentication Profile Sequence.
For Company A, the Client Certificate Profile must be placed before the SAML Authentication Profile in the sequence.
The Always-On client attempts certificate authentication first. If successful, the Portal resolves the user identity (from the certificate's subject) and immediately proceeds to the Agent Configuration Rule matching without prompting for SAML.

https://youtu.be/j5LdVWCfxRM <- Use this link

Re: One portal, multiple gateways for different users

reaper — Wed, 05 Nov 2025 12:39:17 GMT

Certificates are always checked first. Depending on your authentication preference (cert AND auth, or cert OR auth) will take priority and skip SAML, or will be required before going to SAML

Combining both companies on the same portal would require the OR condition, so no SAML for C1

after that first hurdle, the different gateways can be set up by creating an agent profile with a config selection criteria set to for example user groups. tricky thing there is that the C1-certificate-only users wont be able to match a group so you'll need to set the C2 profile on top with the group selection criteria and the C1 profile below with no selection criteria ( which could lead to cross-contamination if a C2 user falls outside the group mapping !)

the above is messy, so might i propose you try something different?

you can run the same URL on different ports and then use destination NAT to run different portals on loopback interfaces

e.g.

vpn.doamin.com:1443 -> DNAT loopback 172.16.0.1:443

vpn.doamin.com:2443 -> DNAT loopback 172.16.0.2:443

that way you can run 2 completely separate portals