07-14-2015 07:51 PM
Help me understand this better: on the GlobalProtect portal, for the server cert I need a public cert from a place like GoDaddy? For the client cert I can use a cert issued from our internal cert authority, which has a cert on all the domain workstations already?
What I want is a pre-logon to happen when a user is not logged in yet but a network connection is in place; then, when the user signs in, I want it to switch over to the user name for User-ID on the Palo.
07-15-2015 05:04 AM
I'm not sure I follow the question, so forgive me if this answers the wrong question.
The portal certificate from a trusted third party like GoDaddy helps the connection from the user machine to the portal. This prevents the user's computer from issuing a certificate warning that the portal certificate fails the trusted-authority check.
If you use a domain-issued certificate for the portal, your domain computers will still be just fine and have no warnings, because the domain computers do trust the domain certificate authority. But any user connecting from a computer outside the domain would be given the warning unless you distribute to them a copy of your domain trust chain. If your remote VPN policy requires users to connect using only domain computers, then you can use a domain certificate without any issues.
For certificate authentication of the connection we generally use domain-issued certificates and install the domain trust chain onto the Palo Alto so that the certificates will be accepted. The idea is to trust the computer using this method. If you choose to accept this as the only authentication, I don't believe you can make that location dependent, only on or off in total.
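The trust relationships the reply above describes, as an added example that is not part of the original thread and not Palo Alto code: a throwaway PKI built with the openssl command line, where one CA stands in for the domain certificate authority and another for a public CA such as GoDaddy, a portal certificate and a machine certificate are issued by the internal CA, and `openssl verify` plays the role of the trust decision made by a client machine (for the portal cert) or by the firewall (for the client cert). The CA names, hostnames and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto): a throwaway PKI that
# models the two trust relationships discussed in the reply above.
#   internal_ca.crt  stands in for the domain certificate authority
#   public_ca.crt    stands in for a third-party CA such as GoDaddy
#   portal.crt       portal (server) certificate issued by the internal CA
#   client.crt       machine (client) certificate issued by the internal CA
# Every CA name and hostname below is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
EOF

# new_key_and_csr NAME SUBJECT -> $WORK/NAME.key and $WORK/NAME.csr
new_key_and_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# new_root_ca NAME SUBJECT -> self-signed CA certificate $WORK/NAME.crt
new_root_ca() {
  new_key_and_csr "$1" "$2"
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' \
                'subjectKeyIdentifier = hash' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CA NAME SUBJECT EKU -> end-entity certificate $WORK/NAME.crt signed by CA
issue_leaf() {
  new_key_and_csr "$2" "$3"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
                'keyUsage = critical, digitalSignature, keyEncipherment' \
                "extendedKeyUsage = $4" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chain_status STORE CERT PURPOSE -> prints "trusted" or "untrusted"
# Models what a client (or the firewall) decides when STORE is its set of trust
# anchors and it is shown CERT for PURPOSE (sslserver or sslclient).
# -no-CApath keeps the system trust directory out of the decision.
chain_status() {
  if openssl verify -purpose "$3" -no-CApath -CAfile "$WORK/$1.crt" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

new_root_ca internal_ca "/CN=Example Corp Internal Root CA"
new_root_ca public_ca   "/CN=Example Public CA"
issue_leaf internal_ca portal "/CN=gp.example.com" serverAuth
issue_leaf internal_ca client "/CN=WKS01.corp.example.com" clientAuth

# A non-domain machine that has been given a copy of the domain trust chain.
cat "$WORK/public_ca.crt" "$WORK/internal_ca.crt" > "$WORK/nondomain_with_chain.crt"

# Domain-joined machine: trusts the internal CA, so the portal cert is accepted.
echo "portal cert, domain machine:            $(chain_status internal_ca portal sslserver)"
# Non-domain machine: only public roots in its store, so the same cert warns.
echo "portal cert, non-domain machine:        $(chain_status public_ca portal sslserver)"
# Non-domain machine after the domain chain was distributed to it.
echo "portal cert, non-domain + domain chain: $(chain_status nondomain_with_chain portal sslserver)"
# Firewall with the domain chain installed: the machine cert authenticates.
echo "client cert, firewall with domain CA:   $(chain_status internal_ca client sslclient)"
# Firewall without the domain chain: the machine cert is rejected.
echo "client cert, firewall without chain:    $(chain_status public_ca client sslclient)"
# The machine cert cannot double as the portal cert: wrong extended key usage.
echo "client cert offered as portal cert:     $(chain_status internal_ca client sslserver)"
```

Run it with `sh` on a machine that has OpenSSL 1.1.0 or later on the PATH. The last line is the check a practitioner wants when deciding which cert goes where: the portal cert needs `serverAuth`, the machine cert needs `clientAuth`, and each side only has to trust the chain of the cert it is shown, which is why the portal cert's issuer matters to the client population while the client cert's issuer only has to be installed on the firewall.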