03-16-2023 02:16 PM - edited 03-16-2023 02:18 PM
As @BPry says, yes it is easily accomplished using the "Always On" feature. We do this currently - required to always use the VPN at home/away with no local traffic (certain explicit FQDNs allowed for remote control/management even if the user isn't connected to the VPN). When the user shows up at the office they detect the internal network and connect directly.
You will need to determine a couple things first:
1) How do you want the external VPN to connect, "Always-On User-Login" or "Always-On Pre-Login"? The former will immediately prompt the user to log into the VPN when they log into the PC. The latter will attempt to connect to the VPN with a machine credential (typically certificate) before the user has ever logged in, switching to user authentication after the user logs in.
2) How do you want to authenticate the user? Either by userID/password (which may point to a MFA resource) and/or certificate. The certificate has the advantage that it doesn't prompt the user, so it can take place automatically. (The GP client will also save user/pass credentials and try to reuse those on the next connection if you don't deny that in the app options.) There are 2 places where authentication is required:
a) the Portal where the GP client gets its configuration and list of Gateways to connect to
b) the Gateway where the GP client connects to actually pass the VPN data
If you use a certificate for the Portal authentication and user/pass for the Gateway authentication, then it makes the user experience much better as the GP client can automatically connect and get its configuration (without user interaction) to determine if it should connect to a Gateway and prompt for a login, or connect directly to an internal network without prompts. The basic way you set this up is:
- Create a GP Portal and set the Portal Authentication to use a Certificate Profile, either a user certificate or a machine certificate that is recognized by your internal CA authority.
- Set the Agent client configuration to Always-On (in the Agent App tab settings, along with options for the user to disable).
- Set the Agent client configuration to enable Internal Host Detection (in the Agent Internal tab settings). This will perform a rDNS query for a specified IP and compare the result to the specified FQDN (this should be an internal-only host name and the result is case sensitive).
- Create a GP Gateway for external connections and configure as desired (probably with the Authentication set to a user/password profile, with or without MFA).
- You do not need to create an internal Gateway unless you want to collect HIP check information from internally connected GP clients.
After an initial setup, the client will automatically try to connect to the Portal using a certificate whenever the user logs into the PC or the network changes. The client will download its configuration and test to see if it is on an internal company network. If it is, it will automatically connect to the internal network without further user action. If it is not connected internally the GP client will connect to the external Gateway and prompt the user for authentication details.
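The internal host detection decision described above (reverse DNS query for a configured IP, case-sensitive comparison against a configured internal-only FQDN, and the resulting choice between connecting directly or going to the external gateway), as an added example that is not part of the original post and not Palo Alto Networks code. The IP, hostname and resolver answers are constructed for the example; the resolver is injectable so the logic runs offline, and the real `socket.gethostbyaddr` lookup is only used when no fake resolver is supplied.

```python
"""Model of GlobalProtect-style Internal Host Detection.

Added example, not the GlobalProtect client's code. The client does a
reverse DNS (PTR) lookup of a configured internal IP and compares the answer
to a configured FQDN; a match means "on the internal network" (connect
directly, no prompt), anything else means "external" (connect to the
external gateway and prompt for user authentication).
"""
import socket
from typing import Callable, Dict, Optional

# Constructed configuration values (assumed for the example; use your own
# internal-only name that does not resolve from the public internet).
INTERNAL_HOST_IP = "10.0.0.53"                  # "IP Address" in the Internal tab
INTERNAL_HOST_FQDN = "gp-detect.corp.example"   # "Hostname" in the Internal tab

Resolver = Callable[[str], Optional[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver; None when there is no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def make_fake_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Constructed stand-in for the corporate rDNS zone (offline testing)."""
    return lambda ip: ptr_table.get(ip)


def is_on_internal_network(ip: str = INTERNAL_HOST_IP,
                           expected_fqdn: str = INTERNAL_HOST_FQDN,
                           resolve: Resolver = system_reverse_lookup) -> bool:
    """True only if the PTR answer for `ip` equals `expected_fqdn` exactly.

    Fail closed: no PTR record, a different name, or a case mismatch all
    count as "external", so the client falls through to the VPN gateway
    rather than assuming it is inside. The comparison is deliberately case
    sensitive, mirroring the behaviour the post describes; only a trailing
    dot (absolute-name form) is tolerated on either side.
    """
    answer = resolve(ip)
    if answer is None:
        return False
    return answer.rstrip(".") == expected_fqdn.rstrip(".")


def choose_connection(resolve: Resolver = system_reverse_lookup) -> str:
    """What the always-on client does after it has fetched the portal config."""
    if is_on_internal_network(resolve=resolve):
        return "internal: connect directly, no user prompt"
    return "external: connect to external gateway and prompt for user auth"


if __name__ == "__main__":
    # Office: the internal rDNS zone answers with the exact configured name.
    office = make_fake_resolver({INTERNAL_HOST_IP: INTERNAL_HOST_FQDN})
    # Home: no PTR record for the internal IP.
    home = make_fake_resolver({})
    # Wrong case in the PTR answer: treated as external because the check is
    # case sensitive.
    wrong_case = make_fake_resolver({INTERNAL_HOST_IP: INTERNAL_HOST_FQDN.upper()})
    for label, r in (("office", office), ("home", home), ("wrong_case", wrong_case)):
        print(f"{label:11s} -> {choose_connection(r)}")
```

Because the decision keys on a reverse lookup only, keep the detection name unresolvable from outside the corporate network and make sure the rDNS zone returns exactly the configured string; a mismatched case in the PTR record silently turns every office client into an external VPN client.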