Globalprotect pre-logon VPN and Azure AD Hybrid join

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Globalprotect pre-logon VPN and Azure AD Hybrid join

L1 Bithead

Hello everyone,

We are looking at using GP for the purposes of joining offsite computers to our domain via a process called offsite Azure Hybrid AD join. More details:

 

https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/

https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-which-vpn-clients...


The basic premise is that the GP establishes a connection before login and then the user simply logs in, as if they were on the LAN.

I have set this up and it works well, but there is one problem that probably scuppers the whole thing: in order to work, the computer needs BOTH a computer certificate and a user cerficicate. This is a problem because the VPN needs to connect BEFORE the user logs in, so there will be no user certificate available. I spoke to Palo support and they told me this is by design and pre-logon needs both certificates.

 

This seems strange to me...surely this can work with only computer certificates?

 

Settings

Portal:

  • Certificate profile containing internal PKI root and subordinate
  • Authentication profile: points at an internal Radius server
  • Cookies enabled for authentication override
  • Config selection criteria: "any" user/user group
  • Single external gateway
  • Connect method: Pre-logon (always on)

Gateway:

  • Certificate profile containing internal PKI root and subordinate
  • Authentication profile: points at an internal Radius server
  • Cookies enabled for authentication override

If anyone can offer any advise as to how to get this to work with only computer certificates that would be great.

 

Thanks, Brian

 

 

 

1 accepted solution

Accepted Solutions

L1 Bithead

It actually looks like this configuration is correct. I reset my test laptop back to factory defaults and now it just works with only the machine certificate.

 

Thanks,

 

 

Brian

View solution in original post

3 REPLIES 3

L1 Bithead

It actually looks like this configuration is correct. I reset my test laptop back to factory defaults and now it just works with only the machine certificate.

 

Thanks,

 

 

Brian

How did you push the device cert using Intune? I'm trying to do the same thing, have pre-logon VPN working with Global Protect for existing computers by using a device certificate that is generated from our domain controller and pushed out via group policy. Not sure  how to get the certificate onto the device during autopilot since it seems like Global Protect only accepts the cert if it is issued to the hostname of the device trying to use it, so I can't push a generic trusted cert using Intune. 

Hi there.

 

We had a consultant do this bit for us. But I don't think it is very difficult and it is quite well documented.

 

You need an NDES server and you also need to install the Intune certificate connector on that server.

You need to create an appropriate certificate template on your internal CA server. You have to give "enrol" rights to the NDES server account.

Then you will need a certificate profile in Intune for handing certificates to Autopilot machines.

 

See more at these links: 

https://oofhours.com/2020/04/05/intune-certificates-something-everyone-should-set-up/

https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

 

Cheers

 

 

Brian

  • 1 accepted solution
  • 10716 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!