09-21-2020 06:13 AM
Hello everyone,
We are looking at using GP for the purposes of joining offsite computers to our domain via a process called offsite Azure Hybrid AD join. More details:
https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/
The basic premise is that the GP establishes a connection before login and then the user simply logs in, as if they were on the LAN.
I have set this up and it works well, but there is one problem that probably scuppers the whole thing: in order to work, the computer needs BOTH a computer certificate and a user cerficicate. This is a problem because the VPN needs to connect BEFORE the user logs in, so there will be no user certificate available. I spoke to Palo support and they told me this is by design and pre-logon needs both certificates.
This seems strange to me...surely this can work with only computer certificates?
Settings
Portal:
Gateway:
If anyone can offer any advise as to how to get this to work with only computer certificates that would be great.
Thanks, Brian
09-24-2020 09:50 AM
It actually looks like this configuration is correct. I reset my test laptop back to factory defaults and now it just works with only the machine certificate.
Thanks,
Brian
09-24-2020 09:50 AM
It actually looks like this configuration is correct. I reset my test laptop back to factory defaults and now it just works with only the machine certificate.
Thanks,
Brian
12-17-2020 06:59 PM
How did you push the device cert using Intune? I'm trying to do the same thing, have pre-logon VPN working with Global Protect for existing computers by using a device certificate that is generated from our domain controller and pushed out via group policy. Not sure how to get the certificate onto the device during autopilot since it seems like Global Protect only accepts the cert if it is issued to the hostname of the device trying to use it, so I can't push a generic trusted cert using Intune.
12-18-2020 12:54 AM
Hi there.
We had a consultant do this bit for us. But I don't think it is very difficult and it is quite well documented.
You need an NDES server and you also need to install the Intune certificate connector on that server.
You need to create an appropriate certificate template on your internal CA server. You have to give "enrol" rights to the NDES server account.
Then you will need a certificate profile in Intune for handing certificates to Autopilot machines.
See more at these links:
https://oofhours.com/2020/04/05/intune-certificates-something-everyone-should-set-up/
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
Cheers
Brian
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
