How can I configure Global Protect for on-demand as well as pre-logon

Reply
Highlighted
Not applicable

How can I configure Global Protect for on-demand as well as pre-logon

Hello,

I have a scenario whereby I need to offer an on-demand VPN solution to untrusted endpoints as well as an always-on solution for my trusted endpoints. Running through guides I have been able to run a pre-logon VPN that has successfully allowed me to authenticate the workstation then make use of User-ID to identify and allow users into the network based on various rules however I need to also offer an on-demand function that will allow staff using untrusted endpoints to connect to the network and access a very restricted set of resources.

If anyone has done this or knows the methodology then please do let me know

Kind regards,

Matt

Highlighted
L4 Transporter

Re: How can I configure Global Protect for on-demand as well as pre-logon

I think you can build a separate portal profile and have it setup using OnDemand. Or worst case you can build a separate VSYS and in that separate VSYS you can build a separate portal config. This is from memory though so don't quote me on this, I'm too lazy to go look all this up.

L7 Applicator

Re: How can I configure Global Protect for on-demand as well as pre-logon

Hello Matt,

Using a single GP portal, you can specify multiple  "User/user Group" , where you have an optionto define different connect method.

Example: For Untrusted user select connect method= On-demand

                  For trusted user select connect method = pre-logon

globalP.JPG.jpg

Hope this helps.

Thanks

Highlighted
Not applicable

Re: How can I configure Global Protect for on-demand as well as pre-logon

Thanks - the issue that I have will be the endpoint that the user connects from rather than the users themselves. they should be able to connect pre-logon from their corporate laptop but if they work from home on a non-corp device they should be able to use GP on-demand to gain access to a second restricted network that only permits them access to an RDS server

Highlighted
L1 Bithead

Re: How can I configure Global Protect for on-demand as well as pre-logon

Hi,

I'm trying to make a similar configuration but I haven't been able, I tried HULK method but the problem is that for the config I need, the same user should have the ability to have an always on connection for the internal gateway and  an on-demand connection for external gateways. No luck so far ... Any advice?

Highlighted
L2 Linker

Re: How can I configure Global Protect for on-demand as well as pre-logon

I am also trying to do the same thing. I want them connected when at work (always-on), but when out of the office, I want the user to be able to enable on-demand. This seems like a pretty obvious use case. Surprised you can't do it.

Highlighted
L2 Linker

Re: How can I configure Global Protect for on-demand as well as pre-logon

You may create another portal and GW and allow users changing portal address on their GP agents. To avoid certificate issues, I would deploy this new portal using the same address but a different TCP port than default (443). To do this, a loopback interface can be used to support the GP portal and a NAT policy should be implemented to redirect traffic to the loopback interface on port 443.

Highlighted
L3 Networker

Re: How can I configure Global Protect for on-demand as well as pre-logon

Hi,

I have not tested this, but probably something like this

https://live.paloaltonetworks.com/docs/DOC-5986

with HULK Feb 10, 2014 7:37 AM (in response to mwhite@wavex.co.uk) suggestion ?

thanks

Victor

Highlighted
L0 Member

Re: How can I configure Global Protect for on-demand as well as pre-logon

Regarding internal trusted computers and external untrusted computers:

You may be able to use DNS to help if your internal DNS is separate from your Internet facing DNS.

Have two gateways with different IP's. One is prelogin (.1 for this example) and the other on-demand (.2)

Use one name in the client (ex. connect.xyz.com)

Internal users:

Internal DNS resolves connect.xyz.com to the .1 IP and users connect prelogon.

External untrusted users:

External DNS resolves connect.xyz.com to the .2 IP and users connect on demand. (assuming this doesn't use certificates for authentication)

Or, have a totally separate name and IP for external users to connect to.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!