- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-10-2018 02:26 AM
We recently (today) configured pre-logon VPN, but have come across what could be a show stopper. As its currently configured we have configured:
Gateway > (gateway name) > Authentication > Certificate Profile > (a client cert signed by our infrastructure)
If a machine has this cert installed it now succesfully connects via "pre-logon", and once signed into Windows it all works as expected.
If a machine doesnt have this cert installed then "pre-logon" does not work, but additionally they are unable to sign in once in Windows as they are presented with an error stating cert is missing.
Is this how it should be configured or have i missed a step somewhere?
The issue is we have a requirement for some non-domain users/assets to be able to connect to the VPN. As it stands with the way i have configured pre-logon they cant connect, as the cert is missing.
What is the correct way to resolve this and keep pre-logon?
I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.
The portal agent config for these external users would then be configured to use the newly created gateway.
Is this how to solve this problem?
10-10-2018 05:58 AM
@welly_59 wrote:
What is the correct way to resolve this and keep pre-logon?
I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.
The portal agent config for these external users would then be configured to use the newly created gateway.
Is this how to solve this problem?
This should work. This is what I was thinking as well.
10-10-2018 06:40 AM
As @Brandon_Wertz mentioned this would work perfectly fine and accomplish exactly what you are looking to do without issue.
10-10-2018 06:50 AM
Excellent news. While waiting for an answer here though ihave succesfuly configured it using a loopback interface on the FW (public IP on it, we have loads), and it all works
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!