I have two separate portal/gateways on two separate PANs. Call them gp1.acme.com and gp2.acme.com. If I wanted to make the gateway on gp2 be primary for laptops hitting the gp1.acme.com portal, what happens at the network level? I presume I add a second gateway to portal gp1.acme.com. When the GP client reaches gp1.acme.com, does it inform that client to go directly to gp2.acme.com? Does the client bypass the portal auth on gp2.acme.com when directed from the gp1 portal to go to the gp2 gateway?
So... at a network level, the portal and gateway are separate*. The GP client connects to the portal address, authenticates and downloads the GP client config, and then disconnects. The GP client then looks at the gateway addresses designated in the config (Network->GlobalProtect->Portals->[portal]->Agent->[cfg]->External Gateways), picks the best, and then tries to connect and authenticate against a designated gateway address. Most people have a one-to-one portal-gateway relationship, but you can have a one-to-many relationship as well.
* - The portal and gateway can run on the same IP, different IPs on the same PA, or completely separate PAs. There are a few gotchas depending on how it's separated.
I am currently running 2 PAs, 2 WAN interfaces on each PA, 4 portals and 4 gateways total. GP clients connect to any portal, authenticate, then go to any of the 4 gateways (I have depreferenced the gateway on our main portal address, that almost everyone initially connects to, so they nearly always get shuffled to a gateway on a different WAN/PA with less traffic).
If you already have a gateway on gp1.acme.com, you don't need to add a second gateway to receive clients from gp2.acme.com. Just change the portal "External Gateways" client config on gp2.acme.com to point to gp1.acme.com (or point to both gp1 and gp2 with a priority setting).
For authentication, both the portal and gateway have authentication setups. Depending on how you have set up your auth, you may need to make some changes. A few examples: 1) If you are using automatic SSO you probably won't notice any difference. 2) If you are using user/pass on the portal and generating an auth cookie for auto-login to the gateway (no second user/pass prompt), you will need to make sure gp1. and gp2. have the same trusted root cert used to generate/verify the cookie (also make sure they are time synced). 3) If you are using cert authentication you need to ensure you have the same certificates on both**.
** - I found a bug/caveat that I can't find documented anywhere. If you have the portal and gateway on the same IP, the gateway server SSL/TLS Profile and authentication Client/Certificate Profile overwrites a portion of the portal profiles... So if you try to do certificate authentication on the portal and user/pass authentication on the gateway, it will never work.... You have to have portal and gateway on separate IPs if you want to do certificate authentication on one and user/pass authentication on the other.
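A toy model of the portal-to-gateway hand-off and auth-cookie checks the answer above describes, added here as an illustration (not code from the poster or from Palo Alto Networks). It assumes a simplified cookie (HMAC over a JSON body, standing in for the cookie the real portal derives from its trusted root cert) and ranks gateways by the numeric priority alone, ignoring the client's latency probe.

```python
import hashlib
import hmac
import json

# Constructed sample: a portal client config listing two external gateways.
# Lower priority number = preferred, modelling the "depreferenced" gateway above.
PORTAL_CONFIG = [("gp1.acme.com", 5), ("gp2.acme.com", 1)]


def pick_gateway(external_gateways):
    """Client step: after downloading the portal config, choose the best gateway."""
    return sorted(external_gateways, key=lambda g: g[1])[0][0]


def portal_issue_cookie(portal_secret, user, issued_at, lifetime=3600):
    """Portal step: after user/pass auth, mint a cookie for gateway auto-login.
    portal_secret stands in for the trusted root cert shared between portal and gateway."""
    body = json.dumps({"user": user, "exp": issued_at + lifetime}, sort_keys=True)
    mac = hmac.new(portal_secret, body.encode(), hashlib.sha256).hexdigest()
    return body, mac


def gateway_accepts_cookie(gateway_secret, cookie, gateway_clock):
    """Gateway step (possibly on a different PA): verify the cookie before skipping
    the second login prompt. Fails if the trust material differs or clocks drift."""
    body, mac = cookie
    expected = hmac.new(gateway_secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # gp2 has a different trusted root cert than gp1: cannot verify
    return gateway_clock < json.loads(body)["exp"]  # time skew past lifetime: expired


if __name__ == "__main__":
    shared = b"same-trusted-root-on-gp1-and-gp2"   # constructed secret
    other = b"different-root-on-gp2"              # constructed secret
    now = 1_700_000_000
    cookie = portal_issue_cookie(shared, "alice", now)
    print("client goes to:", pick_gateway(PORTAL_CONFIG))
    print("same cert, synced clocks:", gateway_accepts_cookie(shared, cookie, now + 10))
    print("different cert:", gateway_accepts_cookie(other, cookie, now + 10))
    print("gateway clock 2h ahead:", gateway_accepts_cookie(shared, cookie, now + 7200))
```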