https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234706#M67280 <P>We recently (today) configured pre-logon VPN, but have come across what could be a show stopper. As its currently configured we have configured:</P><P>&nbsp;</P><P><STRONG>Gateway &gt; (gateway name) &gt; Authentication &gt; Certificate Profile &gt; (a client cert signed by our infrastructure)</STRONG></P><P>&nbsp;</P><P>If a machine has this cert installed it now succesfully connects via "pre-logon", and once signed into Windows it all works as expected.</P><P>&nbsp;</P><P>If a machine doesnt have this cert installed then "pre-logon" does not work, but additionally they are unable to sign in once in Windows as they are presented with an error stating cert is missing.</P><P>&nbsp;</P><P>Is this how it should be configured or have i missed a step somewhere?</P><P>&nbsp;</P><P>The issue is we have a requirement for some non-domain users/assets to be able to connect to the VPN. As it stands with the way i have configured pre-logon they cant connect, as the cert is missing.</P><P>&nbsp;</P><P>What is the correct way to resolve this and keep pre-logon?</P><P>&nbsp;</P><P>I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.</P><P>&nbsp;</P><P>The portal agent config for these external users would then be configured to use the newly created gateway.&nbsp;</P><P>&nbsp;</P><P><STRONG>Is this how to solve this problem?</STRONG></P> Wed, 10 Oct 2018 09:26:45 GMT welly_59 2018-10-10T09:26:45Z https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234706#M67280 <P>We recently (today) configured pre-logon VPN, but have come across what could be a show stopper. As its currently configured we have configured:</P><P>&nbsp;</P><P><STRONG>Gateway &gt; (gateway name) &gt; Authentication &gt; Certificate Profile &gt; (a client cert signed by our infrastructure)</STRONG></P><P>&nbsp;</P><P>If a machine has this cert installed it now succesfully connects via "pre-logon", and once signed into Windows it all works as expected.</P><P>&nbsp;</P><P>If a machine doesnt have this cert installed then "pre-logon" does not work, but additionally they are unable to sign in once in Windows as they are presented with an error stating cert is missing.</P><P>&nbsp;</P><P>Is this how it should be configured or have i missed a step somewhere?</P><P>&nbsp;</P><P>The issue is we have a requirement for some non-domain users/assets to be able to connect to the VPN. As it stands with the way i have configured pre-logon they cant connect, as the cert is missing.</P><P>&nbsp;</P><P>What is the correct way to resolve this and keep pre-logon?</P><P>&nbsp;</P><P>I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.</P><P>&nbsp;</P><P>The portal agent config for these external users would then be configured to use the newly created gateway.&nbsp;</P><P>&nbsp;</P><P><STRONG>Is this how to solve this problem?</STRONG></P> Wed, 10 Oct 2018 09:26:45 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234706#M67280 welly_59 2018-10-10T09:26:45Z https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234754#M67289 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91200">@welly_59</a>&nbsp;wrote:<BR /><P>&nbsp;</P><P>What is the correct way to resolve this and keep pre-logon?</P><P>&nbsp;</P><P>I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.</P><P>&nbsp;</P><P>The portal agent config for these external users would then be configured to use the newly created gateway.&nbsp;</P><P>&nbsp;</P><P><STRONG>Is this how to solve this problem?</STRONG></P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>This should work.&nbsp; This is what I was thinking as well.</P> Wed, 10 Oct 2018 12:58:56 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234754#M67289 Brandon_Wertz 2018-10-10T12:58:56Z https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234768#M67294 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91200">@welly_59</a>,</P><P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a>&nbsp;mentioned this would work perfectly fine and accomplish exactly what you are looking to do without issue.&nbsp;</P> Wed, 10 Oct 2018 13:40:42 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234768#M67294 BPry 2018-10-10T13:40:42Z https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234779#M67299 <P>Excellent news. While waiting for an answer here though ihave succesfuly configured it using a loopback interface on the FW (public IP on it, we have loads), and it all works</P> Wed, 10 Oct 2018 13:50:58 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-globalprotect-gateways-on-same-interface/m-p/234779#M67299 welly_59 2018-10-10T13:50:58Z