10-07-2014 12:15 PM
Or
The Further Adventures of a Networking Neophyte
PA-200
Software Version: 6.0.1
GlobalProtect Agent 2.0.4
Now what I need, and desire, is to have client PCs, in an office remote from the data center, log in to the domain controller -in- the data center. They would like this as transparent as possible, i.e. to present that domain at login via the standard login menu, and not have it available after boot.
I believe the way forward is to - somehow - enable the GlobalProtect client to authenticate during boot. I see ways to do this using the Windows VPN client, and Cisco has the process documented, but I can't tell how to make it work for GlobalProtect.
I'm searching, and will continue to look, but .. is it even possible?
10-07-2014 12:19 PM
Hi Bdunbar,
The solution that you are looking for is pre-logon. It will take domain credentials and establish the tunnel before the user gets to the Windows desktop. Please refer to the following document for an explanation:
GlobalProtect Administrator's Guide 6.0 (English)
Hope this helps. Thank you.
10-07-2014 12:20 PM
Did you check the pre-logon feature available in GlobalProtect: GlobalProtect Administrator's Guide 6.0 (English)
I think that might be the feature you are looking into.
Hope it helps!
10-07-2014 12:21 PM
Hi Bdunbar,
You may want to try the pre-logon option for GP.
Regards,
Hardik Shah
10-07-2014 03:05 PM
Just wanted to add this document to the thread. It gives step-by-step configuration assistance to set up pre-logon with a self-signed certificate on the PAN firewall.
How To Configure GlobalProtect SSO With Pre-Logon Access Using Self-Signed Certificates
Hope this is helpful to you.
Thanks
10-08-2014 07:43 AM
I've set it up and am having some minor issues. What log files on the PAN-200 should I be looking at?
10-08-2014 10:04 AM
I would suggest first checking the GlobalProtect PanGP agent logs and then moving to the firewall.
There are multiple logs to check on the firewall depending on what you see in agent logs:
less mp-log authd.log
show log system direction equal backward subtype equal globalprotect
less webserver-log sslvpn-access.log
less webserver-log sslvpn-error.log
less mp-log sslvpn.log
less mp-log rasmgr.log
Hope it helps!
10-08-2014 10:17 AM
Hi Bdunbar,
You can focus on the following logs; sslvpn.log and rasmgr.log are the most important.
sslvpn.log, rasmgr.log, authd.log, sslvpn-access.log, sslvpn-error.log
Regards,
Hardik Shah
10-08-2014 10:23 AM
We're partially up: Following the guide linked to by tshiv, I'm generating self-signed certs from the PAN-200, sending them to the machines, importing to the test client machine, and we're set. After lunch I'll see about getting the clients logged in at boot.
The problem I had was that the PA-200's self-signed cert did not match its DNS or IP - my mistake when I created it.
I've got a card on my board to circle back to this after we go-live and do it 'right' using certs from our PKI, but that's another battle.
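The certificate problem described in the last post (a self-signed cert whose name does not match the DNS name or IP the client connects to) can be checked before the cert is pushed to client machines. The following is an added example, not part of the original thread and not GlobalProtect's own matching logic: it compares the address the agent will use against the names in a decoded certificate, in the dict form Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames, addresses and function names are constructed placeholders.

```python
import ipaddress

# Constructed samples in the dict form that ssl.SSLSocket.getpeercert() returns.
# Names and addresses are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "gp.example.com"),),),
    "subjectAltName": (("DNS", "gp.example.com"), ("IP Address", "203.0.113.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "203.0.113.10"),),)}


def names_in_cert(cert):
    """Return (dns_names, ip_addresses, common_name) from a decoded certificate."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    return dns, ips, cn


def dns_match(pattern, host):
    """Exact match, or a '*' that stands for the whole left-most label."""
    p, h = pattern.split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def check_portal_address(cert, address):
    """Return 'san', 'cn-only' or 'mismatch' for the address the agent uses."""
    dns, ips, cn = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address must appear as an IP SAN; a DNS SAN never covers it.
        if ip in ips:
            return "san"
        return "cn-only" if cn == str(ip) else "mismatch"
    if any(dns_match(d, address) for d in dns):
        return "san"
    return "cn-only" if cn and dns_match(cn, address) else "mismatch"
```

A `cn-only` result means the address appears only in the subject CN; clients that check SAN entries exclusively will still reject such a certificate.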