05-25-2021 03:43 AM - edited 05-25-2021 03:44 AM
During the still ongoing pandemic, this issue is a little painful...
We use SCCM to install Windows and additional software on computers. One of these additional pieces of software is GlobalProtect. The intention was for the client team to set up the computer in the office and then send the device to the employee. With Pre-Logon it should actually be possible to log in to the computer directly, even if that Active Directory account had not logged in on it before.
The problem now is that GlobalProtect does not connect after this computer installation. As msiexec parameters we use the following:
CANCONTINUEIFPORTALCERTINVALID="no" CONNECTMETHOD="pre-logon" CANSAVEPASSWORD="no" PORTAL="******************" CANCHANGEPORTAL="no" USESSO="no"
Does anyone know a solution which makes GlobalProtect open the connection directly after the installation, or at least after a reboot following the installation? As soon as a user logs in, GlobalProtect connects, and this setting then also persists for the next reboots - GlobalProtect then connects prior to the user login (as it should with the pre-logon setting).
Btw: the firewall the client should connect to is running PAN-OS 9.1.9 and the GlobalProtect version used is 5.2.6.
05-26-2021 02:03 AM
Hi @vsys_remo ,
A couple of months ago we had some transparent upgrades from 5.0 to 5.1 failing on random computers. From the logs I noticed that the transparent upgrade client runs a batch file with msiexec to uninstall and install the new MSI with all of the required parameters.
I am saying this because since then I have been using the exact same command to re-install GP remotely, and pre-logon seems to work after a reboot. This is what is working for me:
TARGETDIR="C:\Program Files\Palo Alto Networks\GlobalProtect" CONNECTMETHOD="pre-logon" USESSO="yes" CERTIFICATESTORELOOKUP="user-and-machine" CACUNPLUGBEHAVE="yes" USEPROXY="yes" PORTAL="vpn.portla.wow" BENICE="yes" /l+* "C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPMsi.log"
Comparing with what you have, you can probably try specifying where to look for the client certificate. Although, looking at the docs, it seems user-and-machine should be the default and should not need to be specified.
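As an added example (not code from this thread or from Palo Alto Networks), here is a PowerShell deployment wrapper of the kind SCCM would run: it performs the msiexec install with the pre-logon parameters from the posts above, keeps a verbose MSI log, and afterwards checks what the installer actually persisted. The MSI file name, the portal hostname, the PanSetup registry path and the PanGPS service name are assumptions to be verified against your own installation.

```powershell
# Added example, not from the thread. Assumptions: MSI file name, placeholder portal,
# the HKLM ...\GlobalProtect\PanSetup registry location and the service name PanGPS.
param(
    [string]$MsiPath = "$PSScriptRoot\GlobalProtect64.msi",   # assumed file name
    [string]$Portal  = "vpn.example.invalid"                  # placeholder portal
)

$logPath = Join-Path $env:ProgramData 'GlobalProtect-install.log'

# MSI public properties, as used in the thread. CONNECTMETHOD=pre-logon is the one that
# lets the tunnel come up before any user has an interactive session on the machine.
$props = [ordered]@{
    PORTAL                         = $Portal
    CONNECTMETHOD                  = 'pre-logon'
    CERTIFICATESTORELOOKUP         = 'user-and-machine'  # machine cert must be usable before logon
    CANCHANGEPORTAL                = 'no'
    CANSAVEPASSWORD                = 'no'
    CANCONTINUEIFPORTALCERTINVALID = 'no'                # users cannot bypass a bad portal certificate
    USESSO                         = 'no'
}
$propArgs = ($props.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }) -join ' '

# Quiet install with verbose logging; /norestart lets SCCM handle the reboot.
$msiArgs = "/i `"$MsiPath`" /qn /norestart $propArgs /l*v `"$logPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'Install succeeded.' }
    3010    { Write-Output 'Install succeeded; reboot required before the service uses the new settings.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $logPath" }
}

# Verify what was persisted. Assumption: the installer writes the portal and the
# pre-logon flag under HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup.
$panSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$cfg = Get-ItemProperty -Path $panSetup -ErrorAction Stop
if ($cfg.Portal -ne $Portal) { throw "Portal not persisted: got '$($cfg.Portal)'" }
if ("$($cfg.Prelogon)" -ne '1') { Write-Warning "Prelogon flag is '$($cfg.Prelogon)', expected 1" }

# The PanGPS service reads these values when it starts; restarting it makes the
# pre-logon connection attempt happen now instead of only after the first user logon.
Restart-Service -Name 'PanGPS' -ErrorAction SilentlyContinue
```

Run it from an elevated session; if the Prelogon warning fires after a clean install, compare the verbose log against the property list to see which value the installer dropped.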
05-26-2021 06:12 AM
Hi @vsys_remo ,
Please check the following document, which explains your requirement, step 11 in particular:
Please correct me if I misunderstood you.
05-31-2021 01:01 PM - edited 05-31-2021 01:02 PM
You can also test the "Connect Before Logon" feature, which connects even before the user logs in to their computer.
Another thing: if you are using "enforce network access", you may need to exclude some IP addresses from this:
05-31-2021 03:48 PM
As we intend to use Windows Hello, we cannot use this connect button on the login screen (it is only available with the GlobalProtect login option).
At the moment the VPN connection is not enforced for network access.