https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29545#M21574 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>hshah wrote:</P> <P></P> <P>Hi Darrent</P> <P></P> <P>If you are not interested in "Certificate based" Authentication than, following document is useless.</P> <P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="5229" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-5229">https://live.paloaltonetworks.com/docs/DOC-5229</A></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">configuration</SPAN><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">.</SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><IMG alt="pre-login.png" class="image-0 jive-image" height="521" src="https://live.paloaltonetworks.com/legacyfs/online/15542_pre-login.png" style="height: 428px; width: 620px;" width="754" /><BR /></SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Let me know if this helps you.</SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Regards,</SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Hardik Shah<BR /></SPAN></P> <P style="min-height: 8pt; height: 8pt; padding: 0px;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"> </SPAN> </P> </PRE><P></P><P>Hardik.</P><P></P><P>Is this all I have to change? Is there any requirement for modification on the remote end of the VPN client?</P><P></P><P>To clarify - if I do this, does this mean that the PC will pre-logon to the VPN prior to the user entering credentials into the Windows 7 login screen and run domain scripts etc?</P><P></P><P>Sorry if I'm not being clear enough - I can't believe this could be that simple. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 15 Sep 2014 00:21:21 GMT darren_g 2014-09-15T00:21:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29540#M21569 <HTML><HEAD></HEAD><BODY><P>Folks.</P><P></P><P>My boss wants me to implement "pre-authentication" for my Global protect clients, so that they authenticate against AD before logging on to their laptops when on VPN, and ergo run login scripts, group policies etc.</P><P></P><P>I have <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-5229">https://live.paloaltonetworks.com/docs/DOC-5229</A> and read through it, and it describes setting up using self-signed certificates.</P><P></P><P>I've actually got valid, official CA issues certificates on my Palo Alto's for Global protect (vpn.organisation.org format, from Verisign).</P><P></P><P>Is there a similar procedure I can use to get pre-authentication working using these real certificates rather than self-signed ones?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 11 Sep 2014 01:37:18 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29540#M21569 darren_g 2014-09-11T01:37:18Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29541#M21570 <HTML><HEAD></HEAD><BODY><P>Hi Darrent </P><P></P><P>If you are not interested in "Certificate based" Authentication than, following document is useless.</P><P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="5229" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-5229" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #006595;">https://live.paloaltonetworks.com/docs/DOC-5229</A></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">configuration</SPAN><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">.</SPAN></P><P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><IMG alt="pre-login.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15441_pre-login.png" style="height: 428px; width: 620px;" /><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Let me know if this helps you.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Hardik Shah<BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"> </SPAN></P></BODY></HTML> Thu, 11 Sep 2014 12:55:21 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29541#M21570 hshah 2014-09-11T12:55:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29542#M21571 <HTML><HEAD></HEAD><BODY><P>"Server certificate" can be an official one, no problem with that. Go for it.</P></BODY></HTML> Thu, 11 Sep 2014 17:26:36 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29542#M21571 cpainchaud 2014-09-11T17:26:36Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29543#M21572 <HTML><HEAD></HEAD><BODY><P>Hi Darren,</P><P></P><P>Let us know for additional queries.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 12 Sep 2014 11:37:35 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29543#M21572 hshah 2014-09-12T11:37:35Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29544#M21573 <HTML><HEAD></HEAD><BODY><P>This pre-logon certificate is about having a specific client computer based certificate installed not the CA based certificate you have for your global connect portal.</P><P></P><P>In this scenario you have your internal CA in Active Directory issue computer certificates to your domain computers (which can be done automatically via GPO). Then you install the CA certificate on the PA so it can recognize and authenticate those certificates.&nbsp; Now you know at login that the computer connecting is a trusted domain asset.</P><P></P><P>If a domain computer is stolen you then revoke that computers certificate in your Active Directory CA and they can no longer connect.</P></BODY></HTML> Sun, 14 Sep 2014 16:12:09 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29544#M21573 pulukas 2014-09-14T16:12:09Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29545#M21574 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>hshah wrote:</P> <P></P> <P>Hi Darrent</P> <P></P> <P>If you are not interested in "Certificate based" Authentication than, following document is useless.</P> <P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="5229" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-5229">https://live.paloaltonetworks.com/docs/DOC-5229</A></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP </SPAN><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">configuration</SPAN><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">.</SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P> <P><SPAN style="line-height: 1.5em; color: #3b3b3b; font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><IMG alt="pre-login.png" class="image-0 jive-image" height="521" src="https://live.paloaltonetworks.com/legacyfs/online/15542_pre-login.png" style="height: 428px; width: 620px;" width="754" /><BR /></SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Let me know if this helps you.</SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Regards,</SPAN></P> <P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;">Hardik Shah<BR /></SPAN></P> <P style="min-height: 8pt; height: 8pt; padding: 0px;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; line-height: 1.5em;"> </SPAN> </P> </PRE><P></P><P>Hardik.</P><P></P><P>Is this all I have to change? Is there any requirement for modification on the remote end of the VPN client?</P><P></P><P>To clarify - if I do this, does this mean that the PC will pre-logon to the VPN prior to the user entering credentials into the Windows 7 login screen and run domain scripts etc?</P><P></P><P>Sorry if I'm not being clear enough - I can't believe this could be that simple. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Mon, 15 Sep 2014 00:21:21 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29545#M21574 darren_g 2014-09-15T00:21:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29546#M21575 <HTML><HEAD></HEAD><BODY><P>Hello <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Darrent,</SPAN></P><P></P><P>The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in instead of using cached credentials.</P><P></P><P>With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either via an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal <SPAN class="GINGER_SOFTWARE_mark">ushes</SPAN> the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system <SPAN class="GINGER_SOFTWARE_mark">attempts to connect in</SPAN> pre-logon mode, it will use <SPAN class="GINGER_SOFTWARE_mark">cookie</SPAN> to authenticate to the portal and receive its pre-logon </P><P><SPAN class="GINGER_SOFTWARE_mark">client</SPAN> configuration. Then, it will connect to the gateway specified in the configuration and authenticate using its machine certificate (as specified in a certificate profile configured <SPAN class="GINGER_SOFTWARE_mark">on</SPAN> the gateway) and establish the VPN tunnel. When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the user-logon client configuration, the username will immediately be reported to the gateway so that the tunnel can be renamed and user- and group-based policy can be enforced.</P><P></P><P>FYI.. <SPAN class="GINGER_SOFTWARE_mark">a</SPAN> reference DOC for more detail information: <A href="https://live.paloaltonetworks.com/docs/DOC-2020">GlobalProtect Configuration Tech Note</A>&nbsp;&nbsp; --- page no 50</P></BODY></HTML> Mon, 15 Sep 2014 03:20:46 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29546#M21575 HULK 2014-09-15T03:20:46Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29547#M21576 <HTML><HEAD></HEAD><BODY><P>Hulk.</P><P></P><P>OK, after reading that, it looks like I can deploy this using the same process I use to get Lync certificates to work - but the document indicates that if I enable pre-login, Global protect will reject login from devices which aren't configured with a certificate?</P><P></P><P>Is this the case - so if I enable pre-login, users can't connect to the VPN without having a valid machine certificate issued by the internal CA? Even if they have a valid Global Protect access?</P><P></P><P>Just looking to confirm this one way or another - we have some Mac users who use our VPN where I can't issue certificates (because they're not in the domain, for starters).</P><P></P><P>Thanks</P></BODY></HTML> Mon, 15 Sep 2014 03:39:18 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29547#M21576 darren_g 2014-09-15T03:39:18Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29548#M21577 <HTML><HEAD></HEAD><BODY><P>Hello Darren,</P><P></P><P>Yes, you are correct. Pre-logon is a feature which will authenticate the user and connect the PC to global protect with pre-installed user certificate before he logs into his machine.</P><P></P><P><SPAN class="GINGER_SOFTWARE_mark">Few</SPAN> related discussion threads for your reference:</P><P> <A href="https://live.paloaltonetworks.com/message/20893">Pre-Logon Global Protect</A></P><P><A href="https://live.paloaltonetworks.com/message/26561">GlobalProtect</A></P><P><A href="https://live.paloaltonetworks.com/message/21628">Re: Pre-Logon Global Protect</A></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Mon, 15 Sep 2014 06:23:12 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29548#M21577 HULK 2014-09-15T06:23:12Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29549#M21578 <HTML><HEAD></HEAD><BODY><P>Hi Darren,</P><P></P><P>GP configuration is that simple, you do not need to do any changes on cilent end.</P><P></P><P>Yes, you need a valid certificate in order for it too work.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 15 Sep 2014 11:58:23 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-pre-authentication-with-public-ssl-cert/m-p/29549#M21578 hshah 2014-09-15T11:58:23Z