I have one portal and 3 Gateways. I set up a preferred gateway at HIGHEST based on an Active Directory group so users connect to their home office. When using Pre-logon, since the user is a shared account, the connection on a reboot seems to always find the closest gateway. This is OK, but when my users log in they stay on that gateway until we refresh the connection. After the manual refresh, the preferred gateway is found, and if the user logs off they are still using the preferred gateway up until a reboot. The only way I can think to fix this is to have a new portal for each site that sets a preferred gateway for pre-logon. Any thoughts or suggestions?
I experienced the same issue. This post was helpful, thank you for sharing. One other issue I am running into is that I configured my Portal and Gateway with different public IP addresses in the same subnet on the same LAG; the switch between pre-logon and the named tunnels takes up to two minutes. It does work but takes too long. If I change the config so that the external Portal and Gateway are on the same IP, the change is very quick. This happens both for log off and logon. The users notice it at logon because until the tunnel rename they are subject to pre-logon policy.
Fabiano's suggestions did not work for me since I was already not using auth cookies. By default, the user's tunnel will be renamed and they will stay on the same gateway. But perhaps you have a Windows user group and you want them to get directed to a 2nd gateway. If you do refresh connection, they will switch, but you want it to happen automatically.
So, consider setting this timeout value for the pre-logon tunnel, under App settings, to 0:
Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)
This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out after a user logs on to the endpoint; GlobalProtect renames the tunnel to reassign it to the user. However, the tunnel persists even if the renaming fails or if the user does not log in to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it. In this case, GlobalProtect initiates a new tunnel for the user instead of allowing the user to connect over the pre-logon tunnel. Typically, this setting is most useful when you set the Connect Method to Pre-logon then On-demand, which forces the user to manually initiate the connection after the initial logon.
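To make the effect of the two timeout values concrete, here is a small simulation (an added example, not part of this thread and not GlobalProtect's own code) of the selection logic the answer describes: pre-logon has no user context so it picks the closest gateway, and only a freshly built user tunnel can honour the HIGHEST-priority gateway tied to the user's AD group. Gateway names, latencies and group names are constructed for the example.

```python
"""Simplified model of how Pre-Logon Tunnel Rename Timeout interacts with
preferred-gateway selection. Not GlobalProtect code; all values constructed."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    latency_ms: int                  # lower = the "closest" gateway
    preferred_for: set = field(default_factory=set)  # AD groups at HIGHEST


# Constructed inventory: one portal, three gateways (as in the thread).
GATEWAYS = [
    Gateway("gw-east", 12, {"EastOffice"}),
    Gateway("gw-west", 45, {"WestOffice"}),
    Gateway("gw-central", 30, {"CentralOffice"}),
]


def select_gateway(gateways, user_groups=None):
    """Pre-logon runs as the shared machine account, so only latency can
    decide. Once a user is known, a HIGHEST-priority gateway matching one
    of the user's groups wins; otherwise fall back to the closest one."""
    if user_groups:
        for gw in gateways:
            if gw.preferred_for & user_groups:
                return gw.name
    return min(gateways, key=lambda g: g.latency_ms).name


def gateway_after_logon(gateways, user_groups, rename_timeout):
    """Gateway the user ends up on after Windows logon.
    -1: the pre-logon tunnel is renamed, so the closest gateway is kept.
     0: the pre-logon tunnel is torn down and a new user tunnel is built
        with group-aware selection (what a manual refresh achieves)."""
    prelogon_gw = select_gateway(gateways)       # no user context yet
    if rename_timeout == -1:
        return prelogon_gw
    if rename_timeout == 0:
        return select_gateway(gateways, user_groups)
    raise ValueError("only the -1 and 0 values from the thread are modelled")


if __name__ == "__main__":
    groups = {"WestOffice"}
    print("timeout -1:", gateway_after_logon(GATEWAYS, groups, -1))  # gw-east
    print("timeout  0:", gateway_after_logon(GATEWAYS, groups, 0))   # gw-west
```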