Global Protect pre-logon and SSO

markk96 — Wed, 15 Jul 2015 02:51:40 GMT

Help me understand this better, on the global protect portal for the server cert i need a public cert from a place like godaddy? For the client cert I can use a cert that issued from our internal cert authority which has a cert on all the domain workstations already?

What I want is a pre-logon to happen when a user is not logged in yet, but a network connection is in place, then when the user signs in i want it to switch over to the user name for user-id on the palo.

Re: Global Protect pre-logon and SSO

pulukas — Wed, 15 Jul 2015 12:04:08 GMT

I'm not sure I follow the question, so forgive me if this answers the wrong questions.

The portal certificate from a trusted third party like GoDaddy helps the connection from the user machine to the portal. This prevents the users computer from issuing a certificate warning that the the portal certificate fails the trusted authority check.

If you use a domain issued certificate for the portal your domain computers will still be just fine and have no warnings because the domain computers do trust the domain certificate authority. But any user connecting from computers outside the domain would be given the warning unless you distribute to them a copy of your domain trust chain. If your remote vpn policy requires users connect using only domain computers then you can use a domain certificate without any issues.

For certificate authentication of the connection we generally use domain issued certificates and install the domain trust chain onto the Palo Alto so that the certificates will be accepted. The idea is to trust the computer using this method. If you choose to accept this as the only authentication I don't believe you can make that location dependent but just on or off in total.

topic Global Protect pre-logon and SSO in General Topics

Global Protect pre-logon and SSO

Re: Global Protect pre-logon and SSO