12-28-2023 12:35 PM
I'm looking to find out if anyone is aware of how to configure the Internal Host Detection prior to authenticating through the Portal.
I've dug through every GP client installation manual I could find whether it be regkey settings or msi installation triggers but can't seem to find it.
Scenario - If we image a new workstation with GP installed, pointed to our Prisma portal with Always-On enabled, when it arrives at the user's location and is hooked up to our corporate network, the GP client will SSO them into the portal to pull the config, which includes the Internal Host Detection settings. What this is causing: since the user successfully authenticated into the portal (not the gateway), it then shows them as "connected - internal". Because they are successfully auth'ing into the portal, it is consuming one of our Prisma Access licenses for that user even though they will never be a remote VPN user.
I know that blocking the portal from the internal network is always an option, but what issues could come from that? How would the GP client act with Always-On enabled but unable to reach the portal? Would it ever be able to get the Internal Host Detection settings to know it is on the corporate network? I would imagine it would start blocking everything because it doesn't know any better without that setting.
I do know the license is removed from the user after 90 days; however, since we only have 10k licenses with 70k+ users daily, if every machine has GP installed on it, each user is going to grab a license every time they log in to Windows, even though 65k of them are on the corporate network. That just doesn't make sense.
Disabling SSO is pretty much not going to help because they are still going to get prompted to log in to the GP client after Windows is logged in to, and most users will just type in their creds because it asks for them.
There has to be a way to set this setting per device rather than per authenticated user, so even if you are logging in as a local admin account, the GP client would know whether it's connected internally or not.
12-29-2023 02:52 PM
You can only get the Internal Host Detection configuration after receiving the configuration from the portal (the first time).
If an agent is unable to connect to the portal thereafter, it will use the 'previously retrieved config' instead and be on its merry way, so blocking the portal from inside (or redirecting its internal DNS record to an internal portal fielding the same config?) would do the trick.
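To make the fallback behaviour described above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models an always-on agent: it pulls the config from the portal when reachable, otherwise falls back to the cached copy, and evaluates Internal Host Detection the way GlobalProtect documents it, with a reverse DNS lookup of the configured internal IP that must return the configured hostname. The portal config values and the corporate resolver are constructed placeholders, and the resolver is injected so the script runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample portal config; the IHD IP and hostname are placeholders, not the thread's.
PORTAL_CONFIG = {"ihd_ip": "10.0.0.10", "ihd_hostname": "ihd-check.corp.example"}


def corp_dns(ip: str) -> Optional[str]:
    """Constructed stand-in for the on-prem reverse DNS that only the corporate network can reach."""
    return "ihd-check.corp.example" if ip == "10.0.0.10" else None


def public_dns(ip: str) -> Optional[str]:
    """Constructed stand-in for an external resolver: the internal PTR record does not exist."""
    return None


@dataclass
class Agent:
    """Minimal model of an always-on GlobalProtect agent with a cached portal config."""
    portal_reachable: bool
    reverse_dns: Callable[[str], Optional[str]]
    cached_config: Optional[dict] = None

    def fetch_config(self) -> Optional[dict]:
        # A successful portal login refreshes the cache (and, per the thread, consumes a license).
        if self.portal_reachable:
            self.cached_config = dict(PORTAL_CONFIG)
        # If the portal is blocked, the previously retrieved config is used instead;
        # a freshly imaged host that never reached the portal has nothing to fall back on.
        return self.cached_config

    def location(self) -> str:
        cfg = self.fetch_config()
        if cfg is None:
            return "unknown"  # no IHD settings at all: the OP's always-on lockout concern
        # IHD check: the configured internal IP must reverse-resolve to the expected hostname.
        if self.reverse_dns(cfg["ihd_ip"]) == cfg["ihd_hostname"]:
            return "internal"
        return "external"


if __name__ == "__main__":
    print("fresh image, portal blocked:", Agent(False, corp_dns).location())
    print("cached config, portal blocked:", Agent(False, corp_dns, dict(PORTAL_CONFIG)).location())
    print("cached config, off-site:", Agent(False, public_dns, dict(PORTAL_CONFIG)).location())
```

The first case is the "blocks everything because it doesn't know any better" scenario; the second is the cached-config path the reply relies on, which is why the workaround needs the portal reached once (or an internal portal serving the same config) before the real portal is blocked.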
01-02-2024 09:20 AM
Thanks for the quick response. Not as simple as I would have thought after all, that's unfortunate. I'll work on trying to get an internal Portal with some DNS trickery to point them to it.
03-04-2024 03:29 PM
Hello, I finally got around to trying some of your suggestions.
I attempted the internal DNS trick, but since our GP clients use on-prem DNS rather than the cloud, it pretty much bricked everyone who was remotely connected... or at least that is what appeared to happen, as the connected user count began rapidly decreasing as their clients refreshed.
So I went with a hairpin approach + internal portal. If you are on the corp network and your traffic is trying to go to our Prisma portal, it hairpins it to a loopback on a PA that has an internal portal configured with the Internal Host Detection settings. Basically the same thing, just a different method of redirect.
While not the prettiest, it is the best I could come up with without being able to predefine the IHD during the install or with regkeys.
Thanks again for your help!