Is the intent to have your remote users also use an encrypted tunnel when they are in an MPLS-connected office (is the MPLS considered 'untrusted'?), or simply to have the GP client up so they remain connected when outside of the network?
How does the topology look now: is the firewall in the core, at the perimeter, or somewhere to the side? If your MPLS users currently already go through the PA when reaching out to the internet or other internal resources, you are already taking advantage of all the NGFW features, except a secured channel to the DC.
Regardless of the above, you will indeed need a NAT policy that hides all outbound connections behind a public IP (this can be added to your existing hide-NAT rules), and no NAT rule to reach internal resources (if there are additional routers in your network, they may need to be set up with appropriate routing for the IP pool to be routed back).
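As an added illustration of the two NAT rules described above (not part of the original reply), here is what they look like in PAN-OS CLI set syntax; the zone names (VPN, Trust, Untrust), the GlobalProtect IP pool 10.200.0.0/24, the internal range 10.0.0.0/8 and the egress interface ethernet1/1 are assumed placeholders.

```text
# No-NAT rule: GP pool reaching internal resources keeps its source address,
# so return traffic must be routable back to 10.200.0.0/24 from internal routers.
# A NAT rule with no translation section is a no-NAT rule.
set rulebase nat rules GP-NoNAT-Internal from VPN to Trust source 10.200.0.0/24 destination 10.0.0.0/8 service any

# Hide-NAT rule: GP pool browsing the internet is translated behind the
# public address of the egress interface (dynamic IP and port).
set rulebase nat rules GP-HideNAT-Internet from VPN to Untrust source 10.200.0.0/24 destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# NAT rules are evaluated top-down, first match wins: keep the no-NAT rule
# above the hide-NAT rule so internal traffic is never hidden behind the public IP.
move rulebase nat rules GP-NoNAT-Internal before GP-HideNAT-Internet
commit
```

After committing, the traffic log (Monitor > Traffic) should show internal sessions from the GP pool with no NAT applied and internet sessions translated to the ethernet1/1 address.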
Sounds like you are on the correct path. The only downside is that the users at the remote sites will not be able to use resources there directly. What I mean is, let's say there is a local printer they all print to. Now, instead of printing directly to it, the traffic will flow down the MPLS and then U-turn back to that printer. It just might take a bit longer for print jobs to spool. If you are using a print server, then this should not change from a user's standpoint.
You are correct, a NAT is required for them to browse the web.
Hope that helps.
Yes, you can split tunnel if your organization allows it. Most acronym compliances no longer allow it, i.e. PCI, FISMA, etc.