Help me understand this better, on the global protect portal for the server cert i need a public cert from a place like godaddy? For the client cert I can use a cert that issued from our internal cert authority which has a cert on all the domain workstations already?
What I want is a pre-logon to happen when a user is not logged in yet, but a network connection is in place, then when the user signs in i want it to switch over to the user name for user-id on the palo.
I'm not sure I follow the question, so forgive me if this answers the wrong questions.
The portal certificate from a trusted third party like GoDaddy helps the connection from the user machine to the portal. This prevents the users computer from issuing a certificate warning that the the portal certificate fails the trusted authority check.
If you use a domain issued certificate for the portal your domain computers will still be just fine and have no warnings because the domain computers do trust the domain certificate authority. But any user connecting from computers outside the domain would be given the warning unless you distribute to them a copy of your domain trust chain. If your remote vpn policy requires users connect using only domain computers then you can use a domain certificate without any issues.
For certificate authentication of the connection we generally use domain issued certificates and install the domain trust chain onto the Palo Alto so that the certificates will be accepted. The idea is to trust the computer using this method. If you choose to accept this as the only authentication I don't believe you can make that location dependent but just on or off in total.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!