Global protect with loopback ip address and port number


Hello all

We have one public IP address and two groups of users who must connect to Head Office but get different policies.

We decided to use a loopback IP address and NAT it to the public one, but on a different port (for example, loopback IP 1.1.1.1 and public IP 85.10.10.1, and we NATed 85.10.10.1:446 to 1.1.1.1:443).

But when the client tries to connect to the public IP on that port, it says: "This address was not found".

Is there any guide on how to implement this correctly?

 


Hello,

Just another thought on this: what about using AD groups and a VPN zone? This way you can have your different levels of access using the AD groups.

 

Just a thought.

@Radmin_85,

There are a number of guides on using a loopback address for a GP connection, one of which is a knowledge base article HERE, which in turn points to an article more directly about using a different port for GP.

As @OtakarKlier mentioned, though, I'm really not sure you need a whole new portal for this, short of an unmentioned requirement. You could do what was mentioned and use different AD groups and build policies that focus on those users, or you could simply use User-ID to give both sets of users a different IP pool and build the policies further separated by the different IP pools.

Personally I would recommend assigning the two groups different IPs, and then still using User-ID in the security policies to actually grant them access to things. This ensures that you have multiple layers of security for any important aspect of your environment.

Is there a guide on how to configure it with groups?

We did it, but it seems it doesn't work correctly.

If your only purpose is to have a different policy for the two user groups, I would suggest you use a different approach instead of playing with loopbacks, NATs, ports, etc.

How do you authenticate users: is it LDAP, local, or RADIUS?

 

The simple solution with local users would be:

1. Create users locally and add them to local user-groups.
2. Create an authentication profile, select type local, and add the two user-groups to the allow list.
3. Configure the GlobalProtect portal as usual.
4. Configure the GlobalProtect gateway and, under client settings, configure two profiles matching the local user-groups. The tricky part here is that you need to use different pools for the two groups. But you can have different split-tunnel settings for each group (e.g. group A should have access only to 10.0.0.0/24, while group B only to 172.16.0.0/24).
5. Configure two security rules filtering on source user-group, and put each group in a separate rule.

 

You can choose to skip the fourth step and configure one client settings profile for both groups; that way all users will receive the same routes through the tunnel, but the policy will decide whether the traffic should indeed be allowed or rejected.

 

AD authentication over LDAP is pretty similar, but you need additional steps to create a group-mapping profile so the firewall can get the AD user group membership.
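The five steps above, expressed as PAN-OS configure-mode `set` commands. This is an added example, not configuration from the original post or from Palo Alto Networks documentation; the object names (Local-Auth, GP-GW, GroupA/GroupB, the VPN and Trust zones), the user names, the two IP pools (192.168.100.0/24 and 192.168.101.0/24) and the exact command syntax are assumptions taken from PAN-OS 8.x/9.x-era configurations and should be checked against the CLI reference for your version. The split-tunnel subnets are the ones named in the post. Step 3 (the portal, "as usual") and the binding of the authentication profile to the portal and gateway are left out, since the post gives no details for them.

```text
# Step 1: local users and two local user-groups (names assumed; the CLI prompts for the password)
set shared local-user-database user alice password
set shared local-user-database user bob password
set shared local-user-database user-group GroupA user [ alice ]
set shared local-user-database user-group GroupB user [ bob ]

# Step 2: authentication profile of type local, with only the two groups in the allow list
set shared authentication-profile Local-Auth method local-database
set shared authentication-profile Local-Auth allow-list [ GroupA GroupB ]

# Step 4: two client configs on the gateway, each matched on source user-group,
# each with its OWN pool (the tricky part) and its own include routes
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupA-Config source-user [ GroupA ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupA-Config ip-pool [ 192.168.100.0/24 ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupA-Config split-tunneling include-access-route [ 10.0.0.0/24 ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupB-Config source-user [ GroupB ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupB-Config ip-pool [ 192.168.101.0/24 ]
set network global-protect global-protect-gateway GP-GW remote-user-tunnel-configs GroupB-Config split-tunneling include-access-route [ 172.16.0.0/24 ]

# Step 5: one security rule per group. Matching BOTH the pool (source) and the
# group (source-user) gives the two layers recommended earlier in the thread;
# the trailing deny catches anything that slips past the group rules.
set rulebase security rules GP-GroupA from VPN to Trust source [ 192.168.100.0/24 ] source-user [ GroupA ] destination [ 10.0.0.0/24 ] application any service application-default action allow
set rulebase security rules GP-GroupB from VPN to Trust source [ 192.168.101.0/24 ] source-user [ GroupB ] destination [ 172.16.0.0/24 ] application any service application-default action allow
set rulebase security rules GP-Deny-Rest from VPN to Trust source any source-user any destination any application any service any action deny
```

With LDAP instead of local users, steps 1 and 2 are replaced by an LDAP server profile, a group-mapping profile and an authentication profile of type LDAP, and the `source-user` values in steps 4 and 5 become the AD group names as the firewall learns them through group mapping (typically the group's distinguished name, e.g. `cn=vpn-groupa,ou=groups,dc=example,dc=com`), not the local group names shown here. After committing, `show global-protect-gateway current-user` shows which client config and pool each connected user received, which is the quickest way to confirm the group match is working before looking at the security policy.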

 

Hello Alexander,

Yes, the authentication is via LDAP.

Thanks, we will try once more.

OK, we could resolve it with this solution.

But one more point:

When the worker connects to the corporate network through GP at home with the user-logon option, it is OK.

But when that worker returns to the workplace with the same corporate notebook, it still remains on the GP network.

Is it possible to force the PA or the GP agent to recognize the internal network when the Ethernet cable is plugged in at the workplace, and not connect through the GP agent with the user-logon option?

@Radmin_85,

Unless they properly disconnect from within the agent, the agent will attempt to reconnect to the portal once the laptop is turned on again. There is an option called 'Automatic Restoration of VPN Connection Timeout' that by default is enabled and set to 30 minutes; however, I've never gotten this option to work correctly when working on a macOS machine. Try setting this option to '0' to disable the resilient VPN behavior and see if that helps things; it should.
