This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Stop Connect "On-Demand" after "Pre-Logon"

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Stop Connect "On-Demand" after "Pre-Logon"

M.Kluibenschdl
L1 Bithead

‎05-13-2025 06:08 AM

Hi !

 

we use the pre-login feature with client cert logon - this work quite good. after logon we would like to connect on demand with saml login. we made two configs, one for prelogon and one for the user, both with prelogon:

2025-05-13 15_00_16-Panorama und 7 weitere Seiten - Geschäftlich – Microsoft_ Edge.png


At the moment if you login to the client the GP client starts direct with the SAML login - is it possible to stopp this behavier?

 

We want the prelogon tunnel to remain active in the background until the user manually establishes a user vpn session.

We also tried "Pre-logon then On-demand" but with the same behavior:

2025-05-13 15_03_51-Panorama und 7 weitere Seiten - Geschäftlich – Microsoft_ Edge.png

 

 

THX for your feedback!

0 Likes Likes
4 REPLIES 4

Brandon_Wertz
L6 Presenter

‎05-13-2025 09:20 AM - edited ‎05-13-2025 09:22 AM

@M.Kluibenschdl wrote:

Hi !

 

we use the pre-login feature with client cert logon - this work quite good. after logon we would like to connect on demand with saml login. we made two configs, one for prelogon and one for the user, both with prelogon:

2025-05-13 15_00_16-Panorama und 7 weitere Seiten - Geschäftlich – Microsoft_ Edge.png


At the moment if you login to the client the GP client starts direct with the SAML login - is it possible to stopp this behavier?

 

We want the prelogon tunnel to remain active in the background until the user manually establishes a user vpn session.

We also tried "Pre-logon then On-demand" but with the same behavior:

2025-05-13 15_03_51-Panorama und 7 weitere Seiten - Geschäftlich – Microsoft_ Edge.png

 

 

THX for your feedback!

To clarify, have pre-logon configured and that is successfully creating a VPN tunnel without a user logging in (This has to be using machine cert for auth)?  You also have user-logon currently configured for client certificate auth which is also working without issue?

 

You want to switch the user-logon authentication method from client certificate to SAML auth?  Your issue is when the users are logging in the SAML auth for the user is happening right away?  You want the pre-logon tunnel to stay on and the user to manually select/enable the VPN tunnel at their discretion?

 

If I have these facts correct then what you're wanting to achieve isn't possible.  The pre-logon tunnel will get torn down the second a user logs in. (regardless of if they've connected the VPN or not)

0 Likes Likes

M.Kluibenschdl
L1 Bithead

‎05-13-2025 11:26 PM

Hi Brandon,

 

yes pre-logon is working with a machine cert and yes we wan't that the if the user logs on, the prelogon tunnel should stay established until the user manually starts the vpn tunnel.

 

Would it be possible that if the user logges on, the vpn connection get disconnected without any login window? 
At the moment with this configuration everytime if the user logs into the client, they are disturbed by the GP login window.

 

We tried to set the "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to 0, so the prelogon tunnel gets disconnected with the logon - this works but also the GP login windows popsup after the windows login.

 

KR Manuel 

 

 

 

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to M.Kluibenschdl

‎05-14-2025 07:00 AM

@M.Kluibenschdl wrote:

Hi Brandon,

 

yes pre-logon is working with a machine cert and yes we wan't that the if the user logs on, the prelogon tunnel should stay established until the user manually starts the vpn tunnel.

Unfortunately that's not the way it works.  Pre-logon = Pre-logon.  If a user has logged in that tunnel, by definition, needs to go away.

 

If I understand what you're saying, is that it's a UI / user experience issue.  For whatever the reason is, the GP client is "annoying" / "gets in the way" and you only want the users to see the GP client when they directly want to interact with it?  Am I understanding the issue correctly?

 

If I'm right in my assumption then unfortunately I don't have a solve for you.  I've not messed around enough with the GP client to find the UI nuance to make it behave the way you want.  My only idea would be to convert the user-logon method to be always on (with SSO), this would make the client not appear as it connects immediately and pulls credentials from the OS directly not requiring user interaction.

0 Likes Likes

M.Kluibenschdl
L1 Bithead

‎05-14-2025 07:19 AM

This is exactly my "problem" - thx for your help brandon!

0 Likes Likes
  • 526 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks