topic Re: Administrative Install in General Topics

Administrative Install

blwallace — Mon, 09 Mar 2020 16:48:27 GMT

I'm having trouble finding the correct administrative installation process. I have several field reps that do not have administrative rights to their laptops. I need to install GlobalProtect for them and have it pre-configured with proper certificates, portal addresses, etc. My certificates are self-generated by the firewalls, so are not trusted by a third-party such as goDaddy.

My installation process is:

login with a proper administrative account
install the proper certificates into local computer and local user stores
install the agent using msiexec /i globalprotect.msi POSTVPNCONNECTCOMMAND=\\server\path\logon.bat PORTAL=vpn.domain.us /quiet

This sets up the first portal, but I have two portals. I've tried importing registry files for the second portal and it works for user that ran the install, but not for any other user on the system. All other users only have the portal created by the msiexec install. So how do I install the agent with two portals?

When the user first logs in, they are asked to accept the certificate of the portal, even though the cert is previously installed. This acceptance is only required the first time the user logs in. How do I have the agent accept this certificate so not to ask the end user?

Re: Administrative Install

OwenFuller — Mon, 09 Mar 2020 20:17:11 GMT

The GlobalProtect agent uses Internet Explorer in the background, so it should trust whatever certs are in the Trusted Root Certificate Authorities store. Are you placing the signing certificate used on the firewall in this store?

I'm not sure as to the multiple portal configuration. If you don't mind me asking, why are you doing two separate portals?

Re: Administrative Install

blwallace — Mon, 09 Mar 2020 20:26:06 GMT

Yes, I'm placing the signing certificate from the firewall in both the Local Computer and Current User Trusted Root Certification Authorities.

I have two portals because I have two different sites.

Re: Administrative Install

OwenFuller — Mon, 09 Mar 2020 20:32:59 GMT

Does it fit within your usage requirements to do one portal with two different gateways? For example, if it will all be the same users, but sometimes they'll connect to Site A, and sometimes to Site B, do one portal config with both gateways listed as options for manual connection?

Re: Administrative Install

blwallace — Mon, 09 Mar 2020 22:48:09 GMT

No. My second site is a warm backup site - so if my primary portal is down, that means my primary portal site is down and there wouldn't be any way to get to the second gateway configured on the primary.

Re: Administrative Install

A.Saenz — Mon, 14 Sep 2020 16:10:21 GMT

Good Day Blwallace

The only way to install GP with multiple portals is to add a reg key to inside the users hive
I used this PS script to install the app using SCCM
$Location = (Get-ChildItem -Path C:\Windows\ccmcache -Filter "GlobalProtect64.msi" -Recurse | Select -Last 1 -Property Directory).Directory
Set-Location $Location
& ".\GlobalProtect64.msi" /q PORTAL="XXX.XXX.XXX.XX" CONNECTMETHOD="on-demand"
Start-Sleep -Seconds 15
$User = (Get-WmiObject -Class Win32_ComputerSystem).username
$SID = (Get-WmiObject Win32_UserAccount -Filter "Name= '$($user.substring(3))' AND Domain= '$($user.substring(0,2))'").SID
New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name 'xx.xx.xxx.xxx' -Force
New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name 'xxx.xxx.xxx.xxx' -Force
Start-Sleep -Seconds 10
Get-Service -Name PanGPS | Restart-Service -Force
If you dont use SCCM you can skip line 1 and 2
Hope this works out for you
Any comment or question please let me know

Thanks

Regards