topic Re: How can I configure Global Protect for on-demand as well as pre-logon in General Topics

How can I configure Global Protect for on-demand as well as pre-logon

mwhite — Mon, 10 Feb 2014 09:54:50 GMT

Hello,

I have a scenario whereby I need to offer an on-demand VPN solution to untrusted endpoints as well as an always-on solution for my trusted endpoints. Running through guides I have been able to run a pre-logon VPN that has successfully allowed me to authenticate the workstation then make use of User-ID to identify and allow users into the network based on various rules however I need to also offer an on-demand function that will allow staff using untrusted endpoints to connect to the network and access a very restricted set of resources.

If anyone has done this or knows the methodology then please do let me know

Kind regards,

Matt

Re: How can I configure Global Protect for on-demand as well as pre-logon

ericgearhart — Mon, 10 Feb 2014 14:18:45 GMT

I think you can build a separate portal profile and have it setup using OnDemand. Or worst case you can build a separate VSYS and in that separate VSYS you can build a separate portal config. This is from memory though so don't quote me on this, I'm too lazy to go look all this up.

Re: How can I configure Global Protect for on-demand as well as pre-logon

HULK — Mon, 10 Feb 2014 15:35:22 GMT

Hello Matt,

Using a single GP portal, you can specify multiple "User/user Group" , where you have an optionto define different connect method.

Example: For Untrusted user select connect method= On-demand

For trusted user select connect method = pre-logon

Hope this helps.

Thanks

Re: How can I configure Global Protect for on-demand as well as pre-logon

mwhite — Fri, 28 Feb 2014 11:10:35 GMT

Thanks - the issue that I have will be the endpoint that the user connects from rather than the users themselves. they should be able to connect pre-logon from their corporate laptop but if they work from home on a non-corp device they should be able to use GP on-demand to gain access to a second restricted network that only permits them access to an RDS server

Re: How can I configure Global Protect for on-demand as well as pre-logon

hopcio — Wed, 09 Jul 2014 01:07:52 GMT

Hi,

I'm trying to make a similar configuration but I haven't been able, I tried HULK method but the problem is that for the config I need, the same user should have the ability to have an always on connection for the internal gateway and an on-demand connection for external gateways. No luck so far ... Any advice?

Re: How can I configure Global Protect for on-demand as well as pre-logon

pwebber — Tue, 30 Jun 2015 19:46:15 GMT

I am also trying to do the same thing. I want them connected when at work (always-on), but when out of the office, I want the user to be able to enable on-demand. This seems like a pretty obvious use case. Surprised you can't do it.

Re: How can I configure Global Protect for on-demand as well as pre-logon

ACortes — Tue, 07 Jul 2015 07:02:33 GMT

You may create another portal and GW and allow users changing portal address on their GP agents. To avoid certificate issues, I would deploy this new portal using the same address but a different TCP port than default (443). To do this, a loopback interface can be used to support the GP portal and a NAT policy should be implemented to redirect traffic to the loopback interface on port 443.

Re: How can I configure Global Protect for on-demand as well as pre-logon

vcappuccio — Wed, 08 Jul 2015 20:00:57 GMT

Hi,

I have not tested this, but probably something like this

https://live.paloaltonetworks.com/docs/DOC-5986

with HULK Feb 10, 2014 7:37 AM (in response to mwhite@wavex.co.uk) suggestion ?

thanks

Victor

Re: How can I configure Global Protect for on-demand as well as pre-logon

skusnarowis — Thu, 09 Jul 2015 14:13:33 GMT

Regarding internal trusted computers and external untrusted computers:

You may be able to use DNS to help if your internal DNS is separate from your Internet facing DNS.

Have two gateways with different IP's. One is prelogin (.1 for this example) and the other on-demand (.2)

Use one name in the client (ex. connect.xyz.com)

Internal users:

Internal DNS resolves connect.xyz.com to the .1 IP and users connect prelogon.

External untrusted users:

External DNS resolves connect.xyz.com to the .2 IP and users connect on demand. (assuming this doesn't use certificates for authentication)

Or, have a totally separate name and IP for external users to connect to.