Gotcha. You could change the connection method to on-demand, but I'm guessing that will mess with things when the users are on network.

While I know you said you prefer not to run the portal on a public interface, I'll offer this as one option to consider. You could configure the portal w/ a different authentication method (LDAP, local, SAML, whatever), and set a long cookie timeout (365 days for example). This would essentially let your machines authenticate with the portal once, and be done with it for a year (or longer, if you also allow the gateway logins to generate a cookie). If you wish, you could further secure this access using a certificate profile, and requiring machines to have a cert trusted by the firewall. Then, you could run your internal gateway on an internal interface w/ the Kerberos SSO authentication. Then the machines will only attempt Kerberos auth via SSO to the gateway when they detect that they are inside your corporate network using internal host detection.

Sorry, I know that isn't quite what you're looking for, but I don't know of a way to suppress the notifications other than these two suggestions. If GlobalProtect doesn't meet your needs in this area, captive portal might be a good way to capture User-ID. We do this for some of our Mac users.