BTG-charlie,

The creating of these profiles is possible all within the same Global Protect Portal and Global Protect Gateway. We are doing this.

Domain users - full tunnel, limited internal network access, HIP checks, OS based
Domain admins - full tunnel, all internal networks access, HIP checks, OS based
Domain vendors - split tunnel, specific internal network access, no HIP checks, OS based
Firewall user vendors - split tunnel, specific internal network access, no HIP checks, OS based
Mobile domain users - split tunnel, specific internal access, HIP checks, iOS based

(each of these groups is provided a separate 1918 space IP range for easier Security Policy management)

The only part that you stated that worries me is doing different connection types with the same users. We are basing this on OS type and user credentials (security groups, firewall groups, or specific users). You will not be able to have one user that can log in using the same computer/device and the same user credentials to different VPN groups/profiles on the same IP using one portal/gateway or multiple portals/gateways. A HIP check will also not help with this as it is a pass/fail criteria and does not allow you to move down to the next connection in the list.

If you go to Network -> Global Protect -> Portals -> GP_Profile -> Agent -> this is where you will create all the profiles I listed above. The same is the case for Network -> Global Protect -> Gateways -> GP_Profile -> Agent -> Client Settings -> match the profiles created in the Portals.

Once both of those are created you will use Security Policies to control the access that the VPN clients get. Again we do this based on VPN IP, Domain Security Groups, Firewall Groups, Users, and HIP checks.

Hope that is helpful.

Brian
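The selection behaviour described in the post above, as an added example that is not part of the original reply and is not PAN-OS code: a simplified model in which profiles are matched on user group and OS, with a HIP result that gates access but never selects a different profile. The group names, address pools and the top-down first-match ordering are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    groups: frozenset       # hypothetical directory / firewall group names
    os_types: frozenset
    tunnel: str             # "full" or "split"
    hip_required: bool
    pool: str               # constructed RFC 1918 range, one per profile

# Assumption: the list is evaluated top-down and the first match wins.
PROFILES = [
    Profile("domain-admins", frozenset({"grp-admins"}),
            frozenset({"Windows", "Mac"}), "full", True, "10.10.1.0/24"),
    Profile("domain-users", frozenset({"grp-users"}),
            frozenset({"Windows", "Mac"}), "full", True, "10.10.2.0/24"),
    Profile("domain-vendors", frozenset({"grp-vendors"}),
            frozenset({"Windows", "Mac"}), "split", False, "10.10.3.0/24"),
    Profile("fw-vendors", frozenset({"fw-local-vendors"}),
            frozenset({"Windows", "Mac"}), "split", False, "10.10.4.0/24"),
    Profile("mobile-users", frozenset({"grp-users"}),
            frozenset({"iOS"}), "split", True, "10.10.5.0/24"),
]

def select_profile(user_groups, os_type, profiles=PROFILES):
    """Return the first profile whose OS and group criteria both match."""
    for p in profiles:
        if os_type in p.os_types and p.groups & set(user_groups):
            return p
    return None

def connect(user_groups, os_type, hip_pass, profiles=PROFILES):
    """Return (profile name, tunnel mode, access allowed).

    A failed HIP check is pass/fail on the selected profile only; it does
    not fall through to the next entry in the list.
    """
    p = select_profile(user_groups, os_type, profiles)
    if p is None:
        return None
    allowed = hip_pass or not p.hip_required
    return (p.name, p.tunnel, allowed)

if __name__ == "__main__":
    # Same credentials + same OS always land on the same profile.
    print(connect({"grp-admins", "grp-users"}, "Windows", hip_pass=True))
    print(connect({"grp-admins", "grp-users"}, "Windows", hip_pass=False))
    print(connect({"grp-users"}, "iOS", hip_pass=True))
```

The only inputs that change the result are the group membership and the OS, which is why separate credentials or a different device type are needed to reach a different profile.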