Multiple GlobalProtect Gateways on same interface?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple GlobalProtect Gateways on same interface?

L3 Networker

We recently (today) configured pre-logon VPN, but have come across what could be a show stopper. As its currently configured we have configured:

 

Gateway > (gateway name) > Authentication > Certificate Profile > (a client cert signed by our infrastructure)

 

If a machine has this cert installed it now succesfully connects via "pre-logon", and once signed into Windows it all works as expected.

 

If a machine doesnt have this cert installed then "pre-logon" does not work, but additionally they are unable to sign in once in Windows as they are presented with an error stating cert is missing.

 

Is this how it should be configured or have i missed a step somewhere?

 

The issue is we have a requirement for some non-domain users/assets to be able to connect to the VPN. As it stands with the way i have configured pre-logon they cant connect, as the cert is missing.

 

What is the correct way to resolve this and keep pre-logon?

 

I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.

 

The portal agent config for these external users would then be configured to use the newly created gateway. 

 

Is this how to solve this problem?

3 REPLIES 3

L6 Presenter

@welly_59 wrote:

 

What is the correct way to resolve this and keep pre-logon?

 

I was thinking to create a second gateway, on the same interface as the current one, but assign a secondary IP to the interface. I would more or less copy the config from the existing gateway, but not assign a certificate profile to it.

 

The portal agent config for these external users would then be configured to use the newly created gateway. 

 

Is this how to solve this problem?


 

This should work.  This is what I was thinking as well.

@welly_59,

As @Brandon_Wertz mentioned this would work perfectly fine and accomplish exactly what you are looking to do without issue. 

Excellent news. While waiting for an answer here though ihave succesfuly configured it using a loopback interface on the FW (public IP on it, we have loads), and it all works

  • 5045 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!