topic Re: MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon in General Topics

MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

Kevin_McCall — Wed, 20 Apr 2022 16:13:25 GMT

Our organization has been struggling with getting MS AD security group changes to apply over VPN w/ prelogon enabled for a long period of time now. I have had support tickets in with Palo support and MS support. Palo support has determined via Globalprotect logs, prelogon appears to be functioning properly and no traffic for this function is being denied by prelogon/user firewall security policies.

Sometimes we have noticed if the user reboots twice the security group changes are then reflected on the user's PC. It hasn't been a great experience. I am curious if others are having the same headaches with gpo/security group changes that apply during boot with prelogon. Is it solvable or just something we must live with? We are configured with SAML authentication prelogon always on. Prelogon authenticates via a cookie.

Re: MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

BPry — Wed, 20 Apr 2022 17:11:53 GMT

@Kevin_McCall,

This is working perfectly fine throughout the environments I manage, however whenever folks want an always-on connection we utilize certificates not SAML. Have you verified through the local client side logs and the firewall traffic logs that pre-logon is actually connected and passing traffic when your experiencing the issue? As long as pre-logon is actually working, and you're allowing the traffic, you shouldn't run into any issues with this at all.

Re: MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

Kevin_McCall — Wed, 20 Apr 2022 17:34:28 GMT

Thanks for sharing your experience. Yes I did verify that prelogon was passing traffic during the logon in firewall logs. Also we are using the same subnet on the gateway for prelogon and users so the tunnel only gets renamed to the user. It could be something to do with our workstation build I don't know. Palo support did see that there is a wait for network connectivity during the boot process. Maybe networking is taking a little longer to initialize? It's good to know that it's functioning for others.

Re: MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

Kevin_McCall — Fri, 06 May 2022 15:39:43 GMT

@BPry Would you mind sharing with me your configuration so that I may mimic what is working in your environment without giving any sensitive information? That may help us determine if it is an issue with our workstation or Globalprotect configuration.