Basic GlobalProtect configuration with Pre-Logon then On-Demand
Objective
This document explains the GlobalProtect Pre-Logon then On-Demand connect method and the basic configuration it requires.
Environment
- GlobalProtect Infrastructure
- Endpoint with supported OS
Procedure
Pre-logon then On-Demand is a hybrid connect method that combines the pre-logon capability, which authenticates the user before they log in to the endpoint, with the on-demand capability, which lets users establish a connection to external gateways manually for subsequent connections.
This is useful when users forget their password, or work with their help desk to change it, and need network access over a pre-logon VPN tunnel to log in to their system.
Follow the steps below to configure the portal's agent configuration with the Pre-logon then On-Demand connect method:
- Authentication
  - Give any name to this client config.
  - Client certificate: leave it as None. This is needed only if you want to push a client certificate to the endpoint for authentication purposes.
  - Save user credential: Yes (default).
  - (Optional) Authentication override: check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted and decrypted with the certificate selected from the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
    Note: One of the following three conditions must be met for pre-logon to work:
    i. The portal has a certificate profile but no auth cookies.
       Note: When the portal and gateway are on the same IP, the gateway certificate profile takes precedence over the portal certificate profile. If the portal certificate profile is required, the portal and gateway must be on different IPs.
    ii. The portal has no certificate profile but has auth cookies.
       (In this case the very first GP connection must be made by a user, which creates two cookies, one for the user and one for pre-logon. From then on pre-logon works.)
       (Attempting pre-logon for the first time without a user having previously connected to GP does not work in this case, because the pre-logon cookie is only generated after a user has logged in once.)
    iii. The portal has both a certificate profile and auth cookies.
- Config Selection Criteria
  - Select 'pre-logon' from the drop-down menu.
- External
  - Under 'External gateways', click Add and give the gateway any name.
  - Address: enter the IP address or FQDN that is referenced in the certificate's Common Name (CN) or Subject Alternative Name (SAN). In this example we enter 'gp.portal-gw01.local'.
- App
  - Under the "Connect Method" drop-down, select "Pre-Logon then On-Demand".
  - 'Use single sign-on' is optional here.
  - Set "Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)" to '0'. A value of 0 means that when the user logs on to the endpoint, GlobalProtect immediately terminates the pre-logon tunnel instead of renaming it; GlobalProtect then initiates a new tunnel for the user rather than letting the user connect over the pre-logon tunnel. This setting is most useful with the Pre-logon then On-demand connect method, which requires the user to manually initiate the connection after the initial logon.
Note: The following steps are required only if you need to add a new client configuration that differs from the one created above.
- Authentication
  - Give any name to this client config.
  - Client certificate: leave it as None. This is needed only if you want to push a client certificate to the endpoint for authentication purposes.
  - Save user credential: Yes (default).
  - (Optional) Authentication override: check the boxes for 'Generate cookie for authentication override' and 'Accept cookie for authentication override'. The cookie is encrypted and decrypted with the certificate selected from the 'Certificate to Encrypt/Decrypt Cookie' drop-down.
- Config Selection Criteria
  - Select 'any' from the drop-down, or add specific users or user groups.
- External
  - Under 'External gateways', click Add and give the gateway any name.
  - Address: enter the IP address or FQDN that is referenced in the certificate's Common Name (CN) or Subject Alternative Name (SAN). In this example we enter 'gp.portal-gw01.local'.
- App
  - Under the "Connect Method" drop-down, select "Pre-Logon then On-Demand".
  - As a best practice, enable SSO in this second agent configuration so that the correct username is reported to the gateway immediately when the user logs in to the endpoint. If SSO is not enabled, the username saved in the Agent settings panel is used.
- Click OK and commit your changes.
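Both gateway entries above require the Address field to match the gateway certificate's CN or SAN; a mismatch is the usual reason the app refuses the gateway after an otherwise correct portal configuration. The following is an added example, not code from the article or from Palo Alto Networks, that checks a candidate Address against a certificate before you type it into the portal. The certificate is a constructed sample in the dictionary layout that Python's `ssl.getpeercert()` returns, and the matching rules follow RFC 6125 hostname verification (SAN is authoritative when present, CN is only a fallback); whether the GlobalProtect app applies exactly those rules is an assumption, not something the article states.

```python
# Added example (not from the article or from Palo Alto Networks): verify that
# the address you are about to enter as an external gateway matches the
# gateway certificate, so the GlobalProtect app will not reject the gateway.
# The certificate below is a constructed sample in the dict layout that
# ssl.getpeercert() returns; matching rules follow RFC 6125 (assumed to be
# what the client applies): SAN is authoritative when present, CN is a fallback.
import ipaddress

SAMPLE_GATEWAY_CERT = {
    "subject": ((("commonName", "gp.portal-gw01.local"),),),
    "subjectAltName": (
        ("DNS", "gp.portal-gw01.local"),
        ("DNS", "*.gw.example.test"),   # constructed wildcard SAN
        ("IP Address", "192.0.2.10"),   # constructed IP SAN (RFC 5737 range)
    ),
}


def _dns_matches(pattern, hostname):
    """Case-insensitive DNS-ID match; a '*.' wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".gw.example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost


def gateway_address_matches_cert(address, cert):
    """Return (ok, reason) for a value destined for the gateway 'Address' field."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        if ip is not None:
            for kind, value in san:
                if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                    return True, f"IP SAN {value} matches"
            return False, "address is an IP but no IP SAN matches (DNS SANs do not cover IPs)"
        for kind, value in san:
            if kind == "DNS" and _dns_matches(value, address):
                return True, f"DNS SAN {value} matches"
        return False, "no DNS SAN matches; the CN is ignored once a SAN extension exists"
    # No SAN extension: fall back to the subject CN, for DNS names only.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if ip is None and _dns_matches(value, address):
                    return True, f"CN {value} matches (certificate has no SAN)"
                return False, f"CN {value} does not match and there is no SAN"
    return False, "certificate has neither a SAN nor a CN"


if __name__ == "__main__":
    for candidate in ("gp.portal-gw01.local", "portal-gw01.local", "192.0.2.10"):
        ok, why = gateway_address_matches_cert(candidate, SAMPLE_GATEWAY_CERT)
        print(f"{candidate:24} {'OK ' if ok else 'BAD'} {why}")
```

To run this against a live gateway rather than the constructed sample, open a TLS connection with `ssl.create_default_context().wrap_socket(...)` and pass the dictionary returned by `getpeercert()` as `cert`; the function deliberately refuses an IP address when the certificate carries only DNS SANs, which is the case that most often surprises administrators who enter the gateway by IP.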
Additional Information
- For the Pre-logon then On-Demand connect method admin guide, please refer to the document here
- For documentation on the full configuration required for Pre-Logon, please refer to the following document: