Multiple Gateways and Pre-logon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Multiple Gateways and Pre-logon

L1 Bithead

I have one portal and 3 Gateways.  I set up a preferred gateway at HIGHEST based on an active directory group so users connect to their home office. When using Pre-logon since the user is a shared account the connection on a reboot seems to always find the closest gateway.  This is OK but when my users log in they stay on that gateway until we refresh the connection.  After the manual refresh, the preferred gateway is found and if the user logs off they are still using preferred up until a reboot.   The only way I can think to fix this is to have a new portal for each site that sets a preferred gateway for pre-logon.  Any thoughts or suggestions?

3 REPLIES 3

L0 Member
Hi,
 
It Happens normally when you use cookie. Try to disable cookie both on Portal and Gateways and use a Machine Certificate for Pre-Logon and a User Certificate(or user/pass here). It might solve your issue. It solved mine.
 
Other thing that you may try is use 2 Portal Configurations, one for Pre-Logon(user = Pre-logon) with Connect Method = Pre-Logon(Always on) , and other with user=any with Connect Method = Pre-Logon then on-Demand.
 
Try it and let me know if solves your problem.
 
Best Regards,
 
Fabiano Pereira

 

 

PCNSC, PCNSE, PSE Platform, PSE Endpoint
CYBERFORCE Guardian and Hero

I experienced the same issue. This post was helpful thank you for sharing.  One other issue I am running into that I configured my Portal and Gateway with different Public IP addresses in the same subnet on the same LAG, the switch between pre-login and the named tunnels takes up to two minutes, it does work and but takes too long.   If I change the config so that that external Portal and Gateway are on the same IP the change is very quick.  This happens both for Log off and logon.  The users notice is at logon because until the tunnel rename they are subject to pre-logon policy.  

 

 

L3 Networker

Fabiano's suggestions did not work for me since I was already not using auth cookies. By default, the user's tunnel will be renamed and they will stay on the same gateway. But, perhaps you have a windows user group and you want them to get directed to a 2nd gateway. If you do refresh connection, they will switch, but you want it to happen automatically.

 

So, consider setting this timeout value for the pre-logon tunnel, under App settings, to 0:

 

Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)

 

This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the Connect Method to Pre-logon then On-demand, which forces the user to manually initiate the connection after the initial logon.

  • 4169 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!