- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-20-2022 09:31 AM
My company has been greatly affected by the pandemic, we went from running over a dozen call centers to almost completely WFH.
An issue we have been experiencing is that our own operations staff refuse to send equipment from terminated coordinators back to IT for refurbishment/reimaging, they give it to the next person hired (because the turnaround isn't fast enough for them). We use Windows and Active Directory, so to set up the AD profile we use Global Protect to connect as a pre-logon VPN whenever we send a newly-reimaged laptop out. The problem is if the computer is *NOT* reimaged the pre-logon option is unavailable as we have it turned off after a successful login.
Our operations management is adamant: find a way to connect to the WAN without sending computers back.
We have a very clumsy workaround involving Microsoft LAPS to log in as local admin and resetting the password afterwards so the users cannot install unauthorized software, but it does not work if the computer in question loses its AD account (we periodically purge inactive computer accounts).
I have been thinking, is there a portable router available that has the GlobalProtect client in its firmware so that it would connect automatically to the VPN? Any computer connecting to it would be connected to the WAN w/o installing and connecting the GlobalProtect client on the computer itself. It would allow me to ship a portable device (ideally with an Ethernet cable so no fooling around with WiFi) so the user can connect the computer and be on the WAN. I can then do my thing using tools like SCCM to get them up and running.
Obviously I need to examine the security behind such a box as it is a potential security risk if UPS lost it.
Does anyone know of a vendor providing GlobalProtect support at the firmware level of their routers?
Thanks in advance!
01-20-2022 09:48 AM
Is there any reason that your actually disabling pre-logon once the user has logged on? Seems like a very simple fix would be to stop doing that and leaving pre-logon functional.
As for your direct question, if you setup a simple IPSec tunnel you can configure it directly on a number of consumer routers can be configured to automatically bring the tunnel online and functional. Additionally you could utilize PA-220s for something like this without any issue, however depending on the number of units you would need it could be more expensive than what you are looking for. Setup Ethernet1/1 as the DHCP ISP connection and Ethernet1/8 as the host connection and it would be simple enough to walk a user through getting things connected.
Alternatively if you are using Prisma Access you could utilize the new Okyo Garde to form a tunnel for any connected device easily. This again isn't going to be the cheapest solution and I would be concerned about getting them to ship things back if you are already struggling getting equipment returned. It also requires that you have Prisma Access to get that functionality.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!