Administrative Install

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Administrative Install

L2 Linker

I'm having trouble finding the correct administrative installation process.  I have several field reps that do not have administrative rights to their laptops.  I need to install GlobalProtect for them and have it pre-configured with proper certificates, portal addresses, etc.  My certificates are self-generated by the firewalls, so are not trusted by a third-party such as goDaddy. 

My installation process is:

  • login with a proper administrative account
  • install the proper certificates into local computer and local user stores
  • install the agent using msiexec /i globalprotect.msi POSTVPNCONNECTCOMMAND=\\server\path\logon.bat /quiet

This sets up the first portal, but I have two portals.  I've tried importing registry files for the second portal and it works for user that ran the install, but not for any other user on the system.  All other users only have the portal created by the msiexec install.  So how do I install the agent with two portals?  

When the user first logs in, they are asked to accept the certificate of the portal, even though the cert is previously installed.  This acceptance is only required the first time the user logs in.  How do I have the agent accept this certificate so not to ask the end user?


L4 Transporter

The GlobalProtect agent uses Internet Explorer in the background, so it should trust whatever certs are in the Trusted Root Certificate Authorities store.  Are you placing the signing certificate used on the firewall in this store?


I'm not sure as to the multiple portal configuration.  If you don't mind me asking, why are you doing two separate portals?

Yes, I'm placing the signing certificate from the firewall in both the Local Computer and Current User Trusted Root Certification Authorities.

I have two portals because I have two different sites.

Does it fit within your usage requirements to do one portal with two different gateways?  For example, if it will all be the same users, but sometimes they'll connect to Site A, and sometimes to Site B, do one portal config with both gateways listed as options for manual connection?



No.  My second site is a warm backup site - so if my primary portal is down, that means my primary portal site is down and there wouldn't be any way to get to the second gateway configured on the primary.

Good Day Blwallace


The only way to install GP with multiple portals is to add a reg key to inside the users hive
I used this PS script to install the app using SCCM
$Location = (Get-ChildItem -Path C:\Windows\ccmcache -Filter "GlobalProtect64.msi" -Recurse | Select -Last 1 -Property Directory).Directory
Set-Location $Location
& ".\GlobalProtect64.msi" /q PORTAL="XXX.XXX.XXX.XX" CONNECTMETHOD="on-demand"
Start-Sleep -Seconds 15
$User = (Get-WmiObject -Class Win32_ComputerSystem).username
$SID = (Get-WmiObject Win32_UserAccount -Filter "Name= '$($user.substring(3))' AND Domain= '$($user.substring(0,2))'").SID
New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name '' -Force
New-Item -Path "Registry::HKEY_USERS\$SID\Software\Palo Alto Networks\GlobalProtect\Settings" -Name '' -Force
Start-Sleep -Seconds 10
Get-Service -Name PanGPS | Restart-Service -Force
If you dont use SCCM you can skip line 1 and 2 
Hope this works out for you
Any comment or question please let me know



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!