06-06-2017 04:11 AM
Hi
I have a working GP setup. I have set up the agent to be always-on, pre-logon and auto-login when the user logs in.
Now I want to use the same setup to allow users at home to set up their PC so they can connect.
I do want to use the GlobalProtect agent, but I don't want it on all the time.
Can I do this with the same gateway / portal setup?
And how? I presume I use HIP objects and look for domain, but ....
Thanks
06-06-2017 10:32 AM
Can you give more details when you say "I have a working GP setup"?
I am looking for more details like: is this an external setup or an internal setup? In short, is the portal accessible only from inside your organization or from anywhere?
06-06-2017 02:37 PM
Hi
Yes 🙂
I have PA-3060 in an Active/Active cluster.
I have a Portal assigned to a loopback address - with a highly available floating IP, bound to the primary.
I have 2 external gateways assigned to loopbacks on the PA - 1 on each node.
I have set up always-on in the Portal, using certificates stored currently only in the machine cert store.
I do have an internal gateway, but that's mainly for people using internal wifi.
My agent is configured to do pre-logon and then do an SSO login with the user's Windows username and password.
This is all fine for all the corporate users.
But I would like to allow some users (mainly developers) the ability to connect from home - or remotely - and not have always-on, but on-demand.
This would need to be made on computer, not user name.
06-09-2017 07:16 AM
Thank you for the detailed explanation.
"But I would like to allow some users (mainly developers) the ability to connect from home - or remotely and not have always on, but on demand."
Will these users use your organization's assets to connect, or their own/personal machines?
06-09-2017 08:10 AM
Considering that you want to do this specifically through computer info instead of User-ID, the only way you could do this is with another gateway, adding specific HIP checking to specify something unique to these computers, and having the rights to check that information. Likely you would want to do this through hostname.
06-09-2017 03:09 PM
Hi
Just for clarity and to make sure I understand as well.
I have set up GP for company assets and we mandate always-on, so pre-logon and auto SSO login with Windows login. I believe I have that all set up on GP.
My next task was to allow some users - dev - to access the internal network, VPN in. But I didn't want to impose upon them that they needed to have always-on; I wanted on-demand.
And it seems like the answer is I have to have 2 GP: 1 for corporate users and 1 for guest ... non-corporate laptop/PC/device.
Does that sum it up correctly?
06-13-2017 07:30 AM
That would be correct. Since you only want to allow it on non-corporate computers you'll have to do some testing to see what you can identify on and verify that the machine actually isn't corporate issued.
06-13-2017 04:57 PM
I saw there was a test in HIP? I am new to this. It talks about domain; I had hoped that it was talking about MS AD domain, but I am guessing it's IP domain.
I do control the certificates; I would just create 2 internal CAs, 1 for corporate and 1 for non-corp. Although that sounds a bit hard/extra work.
Have to have a play with it some more.
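To illustrate the posture-matching idea the thread circles around (a second gateway whose HIP check keys on hostname, domain membership, or which internal CA issued the machine certificate), here is an added example that models that matching logic in plain Python. It is not a PAN-OS configuration and not the forum's own code; the CA names, hostnames and domain are constructed, and the rule format is a simplification of a HIP object and profile.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed names: "Corp Device CA" / "Dev Device CA" stand in for the two
# internal CAs the thread mentions; hostnames and domains are made up too.
@dataclass
class Endpoint:
    hostname: str
    domain: str        # domain the OS reports it is joined to
    cert_issuer: str   # issuer DN of the machine certificate presented to the portal

@dataclass
class HipRule:
    name: str
    profile: str                              # "always-on" or "on-demand"
    hostname_pattern: Optional[str] = None    # regex matched against the whole hostname
    domain: Optional[str] = None              # case-insensitive exact match
    cert_issuer: Optional[str] = None         # exact issuer match

    def matches(self, ep: Endpoint) -> bool:
        checks = []
        if self.hostname_pattern is not None:
            checks.append(re.fullmatch(self.hostname_pattern, ep.hostname) is not None)
        if self.domain is not None:
            checks.append(ep.domain.lower() == self.domain.lower())
        if self.cert_issuer is not None:
            checks.append(ep.cert_issuer == self.cert_issuer)
        return bool(checks) and all(checks)   # every listed criterion must hold

def select_profile(rules: List[HipRule], ep: Endpoint) -> Tuple[str, str]:
    """First matching rule wins (ordered policy); no match falls back to on-demand."""
    for rule in rules:
        if rule.matches(ep):
            return rule.name, rule.profile
    return "no-match", "on-demand"

# Ruleset A: hostname naming convention only (the thread's first suggestion).
HOSTNAME_RULES = [HipRule("corp-by-hostname", "always-on", hostname_pattern=r"CORP-LT-\d{4}")]
# Ruleset B: machine-certificate issuer (two internal CAs) plus domain membership.
CERT_RULES = [
    HipRule("corp-by-cert", "always-on", domain="corp.example.com", cert_issuer="CN=Corp Device CA"),
    HipRule("dev-by-cert", "on-demand", cert_issuer="CN=Dev Device CA"),
]
# Constructed sample endpoints.
CORP_LAPTOP = Endpoint("CORP-LT-0042", "corp.example.com", "CN=Corp Device CA")
DEV_HOME_PC = Endpoint("DEV-BOX", "WORKGROUP", "CN=Dev Device CA")
RENAMED_PC = Endpoint("CORP-LT-9999", "WORKGROUP", "CN=Dev Device CA")  # personal PC with a corp-style name
```

Running the three sample endpoints through both rulesets shows why the reply above says to verify that a machine really is corporate-issued: the hostname-only ruleset hands the renamed personal PC the always-on corporate profile, while the issuer-based ruleset keeps it on the on-demand profile.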