11-04-2025 07:27 AM
Posted a diagram of what I am trying to accomplish but seem to get roadblocks, so maybe there is something I am missing.
Company A will use an always-on config with cert. So I assume the cert will take priority over the SAML auth?
Company B will be using manual/on-demand with no cert. Each company should be able to use the SAME external URL (vpn.domain.com), but based on global config the agent config should use a different gateway that will have different HIP parameters and different policies.
Is there some way you need to redirect them to a different gateway by using the internal gateway config on agent config?
Maybe I am struggling to understand the flow.
User -> connects to portal: vpn.domain.com -> user auths to some agent config based on AD group membership -> gets sent to corresponding gateway (how does this happen?) -> connects to gateway, passes HIP, then proceeds to network policies
11-05-2025 02:55 AM
The Missing Link: Portal Agent Configuration Rules
The mechanism to route users to the correct Gateway is located on the GlobalProtect Portal under the Agent tab, using Configs (Agent Configurations) and Rules.
Your flow: User → connects to portal: vpn.domain.com → user auths to some agent config based on AD group membership → gets sent to corresponding gateway (how does this happen?) → connects to gateway, passes HIP, then proceeds to network policies.
1. Define Two Agent Configurations
First, you need to create the two distinct configurations under Network → GlobalProtect → Portals → Your Portal → Agent tab:
2. Create Selection Rules Based on Group Membership
On the same Agent tab of the Portal configuration, you define the rules that match users to these configs:
The Portal processes these rules top-down. When a user successfully authenticates (via Cert or SAML/LDAP) and their identity is resolved to a group, the Portal applies the first matching rule, and the client device downloads that specific Agent Configuration. The downloaded configuration tells the GlobalProtect client to only use the Gateway(s) defined within that specific config.
Authentication Priority for Company A (Cert vs. SAML)
Your assumption about the certificate taking priority is generally correct and is essential for Always-On functionality.
11-05-2025 04:35 AM - edited 11-05-2025 04:39 AM
Certificates are always checked first. Depending on your authentication preference (cert AND auth, or cert OR auth), it will take priority and skip SAML, or will be required before going to SAML.
Combining both companies on the same portal would require the OR condition, so no SAML for C1.
After that first hurdle, the different gateways can be set up by creating an agent profile with a config selection criteria set to, for example, user groups. The tricky thing there is that the C1 certificate-only users won't be able to match a group, so you'll need to set the C2 profile on top with the group selection criteria and the C1 profile below with no selection criteria (which could lead to cross-contamination if a C2 user falls outside the group mapping!)
The above is messy, so might I propose you try something different?
You can run the same URL on different ports and then use destination NAT to run different portals on loopback interfaces,
e.g.
vpn.domain.com:1443 -> DNAT loopback 172.16.0.1:443
vpn.domain.com:2443 -> DNAT loopback 172.16.0.2:443
That way you can run 2 completely separate portals.
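A small model of the portal's top-down agent-config selection, added here as an example (it is not code from the thread or from Palo Alto Networks), to show the cross-contamination case described in the replies above and the ordering mistake of placing a no-criteria config above a group-matched one; config names, group names and gateway hostnames are constructed.

```python
# Added model of how a GlobalProtect portal picks an agent config: rules are
# evaluated top-down and the first match wins. Names and groups are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentConfig:
    name: str
    gateway: str
    groups: frozenset = frozenset()  # empty = no selection criteria (matches everyone)

@dataclass(frozen=True)
class User:
    name: str
    company: str
    groups: frozenset  # empty for cert-only users, who are never resolved to a group

def select_config(configs, user):
    """Return the first config whose criteria the user satisfies (portal behaviour)."""
    for cfg in configs:
        if not cfg.groups or (user.groups & cfg.groups):
            return cfg
    return None

def shadowed_configs(configs):
    """Configs listed below a no-criteria config can never be selected."""
    for i, cfg in enumerate(configs):
        if not cfg.groups:
            return [c.name for c in configs[i + 1:]]
    return []

def audit(configs, users, expected):
    """Flag users landing on a config other than the one expected for their company."""
    findings = []
    for u in users:
        cfg = select_config(configs, u)
        got = cfg.name if cfg else None
        if got != expected[u.company]:
            findings.append((u.name, got))
    return findings

# Constructed sample: C2 (SAML, group-matched) on top, C1 (cert-only, no criteria) below.
CONFIGS = [
    AgentConfig("C2-saml", "gw-c2.example.com", frozenset({"GP-CompanyB"})),
    AgentConfig("C1-cert", "gw-c1.example.com"),
]
USERS = [
    User("alice", "A", frozenset()),                 # C1, cert only, no group
    User("bob", "B", frozenset({"GP-CompanyB"})),    # C2, in the mapped group
    User("carol", "B", frozenset({"Staff"})),        # C2, outside the group mapping
]
EXPECTED = {"A": "C1-cert", "B": "C2-saml"}

if __name__ == "__main__":
    print(audit(CONFIGS, USERS, EXPECTED))            # [('carol', 'C1-cert')]
    print(shadowed_configs(list(reversed(CONFIGS))))  # ['C2-saml']
```

A non-empty audit result is exactly the cross-contamination the reply warns about: carol reaches the C1 gateway because the catch-all config matches anyone the group rule does not. Running the same checks against a proposed order before committing it is a cheap way to catch both that case and a catch-all placed too high.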