I have a query on GlobalProtect.
One of our customers has the following requirement:
If the user is working from home, internet should only work on his laptop if he is connected to GlobalProtect.
If the user is not connected to GlobalProtect, his internet should not work even if he is connected to Wi-Fi. All his traffic should pass through GlobalProtect itself.
And if the same user comes back into the office network, GP should disconnect and the user's machine should work on the LAN network.
Is it possible?
If possible, please let me know what configuration changes are required.
Thanks and Regards
Yes, this is possible and is a very common setup. Your customer wants to set the GlobalProtect client to "Always-On" - the client always connects to the GlobalProtect Gateway and doesn't allow traffic until connected, and enable "Enforce GlobalProtect Connection for Network Access".
Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Connect Method = User-logon (Always-On)
Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> App -> Enforce GlobalProtect Connection for Network Access = Yes
You may also want to block local network access when connected to the VPN:
Network -> GlobalProtect -> Gateways -> <gateway_config> -> Agent -> <agent_config> -> Split Tunnel -> No direct access to local network = checked
Second, you want to enable "Internal Host Detection" to detect when the client is connected to the local network.
Network -> GlobalProtect -> Portals -> <portal_config> -> Agent -> <agent_config> -> Internal -> Internal Host Detection = checked
You need to specify an internal IP address and matching reverse-DNS name that the IP will match. If the client's DNS returns a matching value (Note: this is case-sensitive), then the client will know it is on the internal network and will connect directly to the local network without requiring a VPN tunnel.
Note that the client must still connect to the Portal to get the GlobalProtect configuration, before it can determine if it is on a local network. So the GP client will still prompt for user credentials when connecting internally. You can get around this (have nearly transparent internal connection) by using a user/machine certificate for the Portal authentication. The Gateway authentication (for when connecting to the VPN from outside the network) can continue to use your standard user/password credentials.
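An added example, not from the original post or from Palo Alto: a small Python check an administrator can run on a client machine before rollout to confirm the Internal Host Detection prerequisite described above, reproducing the client's exact (case-sensitive) comparison of the reverse-DNS answer. The IP address and hostname are constructed placeholders, and the resolver argument exists only so the check can be exercised offline.

```python
import socket
from typing import Callable, Optional

# Constructed placeholders: replace with the internal IP and the reverse-DNS
# name actually configured under Portal -> Agent -> Internal Host Detection.
INTERNAL_IP = "10.0.0.10"
EXPECTED_NAME = "gp-internal.corp.example.com"

Resolver = Callable[[str], Optional[str]]


def default_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve ip using the client's own DNS; None if no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def internal_host_detected(ip: str, expected_name: str,
                           resolver: Resolver = default_resolver) -> bool:
    """Mirror the client's test: the PTR answer must equal the configured
    name exactly, case included; anything else means 'external'."""
    answer = resolver(ip)
    return answer is not None and answer == expected_name


def diagnose(ip: str, expected_name: str,
             resolver: Resolver = default_resolver) -> str:
    """Explain why detection would fail so the admin can fix DNS, not the portal."""
    answer = resolver(ip)
    if answer is None:
        return "no-ptr"            # client will treat itself as external
    if answer == expected_name:
        return "match"
    if answer.lower() == expected_name.lower():
        return "case-mismatch"     # looks right to a human, fails the client's check
    return "name-mismatch"


if __name__ == "__main__":
    # Run on a client to verify the real DNS answer before enabling the feature.
    print(f"{INTERNAL_IP} -> {diagnose(INTERNAL_IP, EXPECTED_NAME)}")
```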