I need to enforce VPN so users will not be able to access the Internet unless a tunnel is established or the wired corporate network is connected. Users should also be required to supply credentials and MFA every time the tunnel is built when accessing from external networks.
Once the laptop is inside on the corporate network, the connection should not require establishing a VPN tunnel.
It should also require that users are always asked for a password and that MFA prompts them for acceptance even when the computer is put to sleep instead of Reboot/Shutdown.
Please let me know if anyone was able to accomplish the above successfully.
Seems similar to what I have...
Portal app will be:
connect method "user logon always on"
allow user to disable GlobalProtect "no"
enforce GlobalProtect "yes"
use authentication override for gateways but not portals, and set cookie lifetime to 1 min
when adding gateways, include the "Internal Host Detection" option; this will prevent GP from establishing a tunnel when connected to your LAN. It will display a little house thing "Home".
I think that's about it... see how you get on, but please ask if you need any further advice.
Thank you for your reply.
I was able to configure it and it seems to be working as intended.
There is however an issue with automatic restoration of the tunnel.
The issue I have now is with the automatic reconnection to the VPN.
The problem occurs when a user puts the laptop to sleep, drives home or to another location, and then connects to a different Wifi: GlobalProtect will not ask for any credentials, or at least the MFA, to re-create the tunnel.
I have found that the GlobalProtect client caches creds and when the computer wakes up it reconnects.
The user is asked for credentials only with a reboot or log off.
A lot of users nowadays just close the lid or put laptops/tablets to sleep instead.
Now, do you think it is an issue or a feature?
@mwiadrowski which GP version do you use? If you are on 4.1.x, I strongly recommend stopping further troubleshooting until you have installed 5.0.0. Over the last year I was in the same troubles as you are now ... do you have a RADIUS server for MFA or are you using SAML, and I assume you have an Active Directory where the users are stored? I am asking these questions to hopefully give you the correct answer, because now with GlobalProtect 5.0.0 I finally have this setup up and running.
@MickBall in your setup proposal isn't MFA required also from the internal network? I think I remember this was the reason why I did not use this configuration.
Yes of course.... thanks for the reminder, we use cert authentication not MFA so not an issue.......
Internal host detection could still be possible (I think) if you use cert auth for the portal and MFA for the gateways.
You could then turn off authentication override. From my tests it seems that the cookie is being used for the gateway reauthentication when the device wakes up (unless it has timed out).
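The two points the thread keeps circling back to are the portal/gateway settings listed in MickBall's recipe and the observation that a still-valid authentication-override cookie lets the gateway reconnect after wake-up without MFA. As an added illustration (not code from the thread or from Palo Alto), here is a small audit script that checks a GlobalProtect-style configuration against that recipe; the XML element and attribute names are assumptions made up for the example, not a verified PAN-OS export schema, and the sample config is constructed with one deliberate weak setting.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Element and attribute names are assumptions chosen
# for illustration and are NOT a verified PAN-OS export format.
SAMPLE_CONFIG = """
<globalprotect>
  <portal name="gp-portal">
    <connect-method>user-logon</connect-method>
    <allow-user-disable>no</allow-user-disable>
    <enforce-globalprotect>yes</enforce-globalprotect>
    <authentication-override generate-cookie="no" accept-cookie="no"/>
    <internal-host-detection ip="10.0.0.1" hostname="dc1.corp.example"/>
  </portal>
  <gateway name="gp-gw-external">
    <authentication-override generate-cookie="yes" accept-cookie="yes"
                             cookie-lifetime-minutes="1440"/>
  </gateway>
</globalprotect>
"""

def audit_globalprotect(xml_text, max_cookie_minutes=1):
    """Return a list of findings; an empty list means the config follows the recipe."""
    root = ET.fromstring(xml_text)
    findings = []
    for portal in root.findall("portal"):
        name = portal.get("name")
        if portal.findtext("connect-method") != "user-logon":
            findings.append(f"portal {name}: connect method is not user-logon (always on)")
        if portal.findtext("allow-user-disable") != "no":
            findings.append(f"portal {name}: users are allowed to disable GlobalProtect")
        if portal.findtext("enforce-globalprotect") != "yes":
            findings.append(f"portal {name}: enforce GlobalProtect is off, traffic flows without a tunnel")
        ao = portal.find("authentication-override")
        if ao is not None and ao.get("generate-cookie") == "yes":
            findings.append(f"portal {name}: authentication override cookie enabled on the portal")
        if portal.find("internal-host-detection") is None:
            findings.append(f"portal {name}: no internal host detection, tunnel is built on the LAN too")
    for gw in root.findall("gateway"):
        name = gw.get("name")
        ao = gw.find("authentication-override")
        if ao is None or ao.get("accept-cookie") != "yes":
            continue  # no cookie reuse on this gateway, nothing to check
        lifetime = int(ao.get("cookie-lifetime-minutes", "0"))
        if lifetime > max_cookie_minutes:
            # A long-lived cookie is what lets the client reconnect after sleep with no MFA prompt.
            findings.append(f"gateway {name}: cookie lifetime {lifetime} min exceeds "
                            f"{max_cookie_minutes} min, so wake-up reconnects skip MFA")
    return findings

if __name__ == "__main__":
    for finding in audit_globalprotect(SAMPLE_CONFIG):
        print(finding)
```

Run against a real export you would first adapt the element names to whatever your firewall actually produces; the logic (portal without cookies, gateway cookie lifetime capped, internal host detection present) is the part that carries over.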