<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Always on Global Protect in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462256#M102247</link>
    <description>&lt;P&gt;Hello All,&lt;/P&gt;
&lt;P&gt;Looking to get advice on this topic. The idea is to have the users connect via a VPN tunnel regardless of their location, internal LAN or working from home, etc. I need to make it easy on the users so it's not a burden, e.g. having to authenticate to the VPN after logging into their workstations with similar creds.&lt;/P&gt;
&lt;P&gt;I'm thinking of something like username, password, and MFA token for external and just MFA token for internal.&lt;/P&gt;
&lt;P&gt;What have you done and what has worked well without too much burden onto the end user?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers!&lt;/P&gt;</description>
    <pubDate>Mon, 31 Jan 2022 20:31:33 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2022-01-31T20:31:33Z</dc:date>
    <item>
      <title>Always on Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462256#M102247</link>
      <description>&lt;P&gt;Hello All,&lt;/P&gt;
&lt;P&gt;Looking to get advice on this topic. The idea is to have the users connect via a VPN tunnel regardless of their location, internal LAN or working from home, etc. I need to make it easy on the users so it's not a burden, e.g. having to authenticate to the VPN after logging into their workstations with similar creds.&lt;/P&gt;
&lt;P&gt;I'm thinking of something like username, password, and MFA token for external and just MFA token for internal.&lt;/P&gt;
&lt;P&gt;What have you done and what has worked well without too much burden onto the end user?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Mon, 31 Jan 2022 20:31:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462256#M102247</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2022-01-31T20:31:33Z</dc:date>
    </item>
    <item>
      <title>Re: Always on Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462326#M102255</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580"&gt;@OtakarKlier&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;These machines are all managed right, nothing BYOD (or at least if it's BYOD it's enrolled)? If they're all managed and you have an internal PKI I would just use certificates for authentication. It's the easiest way from an end-user aspect because they don't have to do anything special from a machine aspect, just sign in like they do normally and the certificates will take care of everything else.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 31 Jan 2022 22:01:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462326#M102255</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-01-31T22:01:12Z</dc:date>
    </item>
    <item>
      <title>Re: Always on Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462575#M102273</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;Yeah, I have been thinking about certificates; however, they can be exported and used on a non-corp machine. Guess we can use posture validation to verify. Yes, this will be only corp-owned machines, no BYOD.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Just seeing what else others have done.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Tue, 01 Feb 2022 18:48:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462575#M102273</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2022-02-01T18:48:10Z</dc:date>
    </item>
    <item>
      <title>Re: Always on Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462649#M102283</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580"&gt;@OtakarKlier&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Depending on how you generate them and import them, if need be you can make them non-exportable to prevent that. Either way I would still recommend using HIP checks to verify that it's actually an issued endpoint. I always try to make our "Issued Device" profile as detailed as possible. Is it joined to the proper domain, does it have the proper EDR tool installed, does it have any custom applications we install, etc.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You won't ever get to the point where someone with the proper permissions couldn't generate a valid certificate, install the proper applications, and join it to your domain. We've taken the mindset that if you make it pass all of our security checks and have the permission to actually install everything, generate the certificates, join it to the domain, and get everything setup properly you likely wouldn't risk your job to do so.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Feb 2022 01:59:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/always-on-global-protect/m-p/462649#M102283</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-02-02T01:59:03Z</dc:date>
    </item>
  </channel>
</rss>