https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4606#M3380 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>nato wrote:</P> <P></P> <P>this didn't help? if not, create a case after you're initial config and we can assist further</P> <P></P> <P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="5229" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-5229">How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates</A></P> </PRE><P></P><P>That wasn't the doc I found and was referring to - but it looks like the doc I need!</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 29 Apr 2014 23:03:42 GMT darren_g 2014-04-29T23:03:42Z https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4603#M3377 <HTML><HEAD></HEAD><BODY><P>Folks.</P><P></P><P>As the subject requests, is there an "idiots guide" to deploying certificate-based pre-login for Global Protect?</P><P></P><P>My boss wants me to implement it so that pc's which are VPN-only connected can run domain scripts (machine policies) which only run on login - but you obviously don't connect to the domain until *after* you've logged in locally to the PC in the case of a VPN connected client - which means we need to have the PC connected to the VPN *before* login, so it can run scripts when the user actually logs in.</P><P></P><P>I've looked through the docs a bit, but can;t get my head around a few things - mainly, how you create and deploy the certificates which the PC's use to verify/connect to the firewall before the user logs in and supplies actual credentials to Global Protect.</P><P></P><P>Any pointers appreciated.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 29 Apr 2014 01:48:53 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4603#M3377 darren_g 2014-04-29T01:48:53Z https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4604#M3378 <HTML><HEAD></HEAD><BODY><P>this didn't help? if not, create a case after you're initial config and we can assist further</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5229">How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates</A></P></BODY></HTML> Tue, 29 Apr 2014 13:59:50 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4604#M3378 gswcowboy 2014-04-29T13:59:50Z https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4605#M3379 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>darren.g wrote:</P> <P></P> <P>mainly, how you create and deploy the certificates which the PC's use to verify/connect to the firewall before the user logs in and supplies actual credentials to Global Protect.</P> </PRE><P></P><P>For certificate authentication on a windows domain you can use group policy to automatically create the certificates and auto enroll the domain computers.&nbsp; </P><P></P><P><A href="http://technet.microsoft.com/en-us/library/cc947849%28v=ws.10%29.aspx" title="http://technet.microsoft.com/en-us/library/cc947849%28v=ws.10%29.aspx">Configure Group Policy to Autoenroll and Deploy Certificates</A></P><P></P><P>With windows GINA pre login you essentially connect the login process on the computer to the creation of the vpn connection at login time.&nbsp; This way you do get the benefits of on network login from the vpn connected computers. </P></BODY></HTML> Tue, 29 Apr 2014 19:44:06 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4605#M3379 pulukas 2014-04-29T19:44:06Z https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4606#M3380 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>nato wrote:</P> <P></P> <P>this didn't help? if not, create a case after you're initial config and we can assist further</P> <P></P> <P><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="5229" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-5229">How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates</A></P> </PRE><P></P><P>That wasn't the doc I found and was referring to - but it looks like the doc I need!</P><P></P><P>Thanks!</P></BODY></HTML> Tue, 29 Apr 2014 23:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4606#M3380 darren_g 2014-04-29T23:03:42Z https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4607#M3381 <HTML><HEAD></HEAD><BODY><P>No prob. If you get stuck, please open a case so we can rectify issue.</P></BODY></HTML> Wed, 30 Apr 2014 15:37:50 GMT https://live.paloaltonetworks.com/t5/general-topics/is-there-an-idiots-guide-to-deploying-certificate-based-pre/m-p/4607#M3381 gswcowboy 2014-04-30T15:37:50Z