Not sure if I am answering the correct question, but I would take a look at the following article:
Hope that helps,
This one has me confused...
From @Otakar.Klier's link: "A pre-logon VPN tunnel has no username association because the user has not logged in."
When you're doing "pre-login" that inherently means no known user. So I'm confused @MikeC when you say you want to establish a VPN tunnel, but you also want to use user ID and PW. "I want to establish the VPN connection prior to login but I also want to make use of username/password."
Do you mean once the user supplies credentials to the computer you want GP to also ask for creds from the user to make the connection to the gateway?
@Brandon_Wertz I was really comparing pre-logon to Check Point's "secure domain logon" feature. With CP, the computer would boot up, user would enter their Windows login info, which would then prompt the CP VPN to pop up, user would enter VPN credentials, VPN would connect and then log into Windows.
I'm currently using "Always on" with both username/pw and client certificates for multiple factors requirement. Initially, looking at pre-logon, it seemed it only uses a computer certificate, so can't really have multiple factor auth (not counting Windows login). Based on the link @Otakar.Klier posted, it seems I can use computer cert to establish the VPN and also use username/pw + client cert.
I also use Internal Host Detection for when laptops are in the office, not sure if that will be an issue.
I need to test what happens if there is no internet connection when the computer boots up. I have a requirement to make sure VPN connects if there is an internet connection. Will it automatically connect, or will it require the user to hit connect?
Here's a pretty detailed example of the pre-logon config:
Of note, there's a security policy that you also need to have that allows a "pre-logon" connection.
@Brandon_Wertz thanks for the links, I'll check them out. I guess the way it works is part of my issue, I can't really have multiple factors before establishing the VPN.
What about when these machines are on the internal network? The VPN is still going to connect? That would be unnecessary.