topic Re: Global protect company pc and user pc in General Topics

Global protect company pc and user pc

Alex_Samad — Tue, 06 Jun 2017 11:11:14 GMT

I have a working GP setup. I have setup the agent to be always on, prelogon and auto login when the user logs in.

No I want to use the same setup to allow users at home to setup their PC so they can connect,

I do want to use the global protect agentm but I don't want it on all the time

Can I do this with the same gateway / portal setup ?

And how! I presume I use HIP objects and look for domain, but ....

Thanks

Re: Global protect company pc and user pc

SuryaR — Tue, 06 Jun 2017 17:32:04 GMT

Can you give more details when you say " I have a working GP setup"

I am looking for more details like, is this an External set up or an internal setup. In short is the portal accesible only from inside your organization or from anywhere.

Re: Global protect company pc and user pc

Alex_Samad — Tue, 06 Jun 2017 21:37:37 GMT

Yes 🙂

I have PA-3060 in Active /Active cluster.

I have a Portal assigned to a loopback address - with a Highly available IP floating , bound to primary

I have 2 external gateways assigned to loopbacks on the PA - 1 on each node

I have setup for alway on in the Portal, using certificates stored currently only in the machine cert store

I do have an internal gateway but thats mainly for people using internal wifi.

My agent is condigured to do pre-logon and then do a SSO login with the users windows username and password.

This is all fine for all the corporate users.

But I would like to allow some users (mainly developers) the ability to connect from home - or remotely and not have always on, but on demand.

This would need to be made on computer not user name

Re: Global protect company pc and user pc

SuryaR — Fri, 09 Jun 2017 14:16:01 GMT

Thank you for detail explanation.

"But I would like to allow some users (mainly developers) the ability to connect from home - or remotely and not have always on, but on demand."

Will these users use your organization assets to connect or their own/personal machines.

Re: Global protect company pc and user pc

BPry — Fri, 09 Jun 2017 15:10:14 GMT

@Alex_Samad,

Considering that you want to do this specifically through computer info instead of user-id the only way you could do this is with another gateway and add specific HIP checking to specify something unique to these computers and have the rights to check that information. Likely you would want to do this through hostname.

Re: Global protect company pc and user pc

Alex_Samad — Fri, 09 Jun 2017 22:09:54 GMT

Just for clarity and to make sure I understand as well.

I have setup GP for company assets and we mandate always on, so pre logon and auto SSO login with windows login. I believe I have that all setup on GP.

My next task was to allow some users - dev - to access the internal network, vpn in . But I didn't want to impose upon them that they needed to have always on, i wanted on by demand.

And it seems like the answer is I have to have 2 GP 1 for corporate users and 1 for guest ... non corporate laptop/pc/device

Does that sum it up correctly ?

Re: Global protect company pc and user pc

BPry — Tue, 13 Jun 2017 14:30:55 GMT

That would be correct. Since you only want to allow it on non-corporate computers you'll have to do some testing to see what you can identify on and verify that the machine actually isn't corporate issued.

Re: Global protect company pc and user pc

Alex_Samad — Tue, 13 Jun 2017 23:57:41 GMT

I saw there was a test in HIP ? I am new to this. which talks about domain I had hoped, that it was talking about MS AD domainm but I am guessing its ip domain.

I do control the certificates, I would just create 2 int CA's 1 for corporate and 1 for non corp. Although that sounds a but hard/extra work.

have to have a play with it some more