Embedded Browser Support for Captive Portal [Windows]

Created On 10/30/25 05:24 AM - Last Modified 12/08/25 10:34 AM


Symptom


In environments where "Enforce GlobalProtect for Network Access" is enabled, GlobalProtect blocks almost all network access until GlobalProtect is connected, ensuring proper traffic inspection (as per configured policies).

  • Public environments (airports, cafes, hotspots) often require users to authenticate on a Captive Portal landing page before granting the internet access needed to establish the GlobalProtect connection. For this reason, administrators configure a Captive Portal exception timeout that allows full network access when a Captive Portal is detected on the network.
  • GlobalProtect for Windows can open the Captive Portal landing page either in the system default browser (default setting) or, starting with versions 6.2.8-c233 (6.2.8-h1) and 6.3.3, in an embedded browser (webview) (ref. GlobalProtect Admin Guide).

Using the default browser for Captive Portal is challenging because admins need to configure the "Captive Portal Exception Timeout" and/or enforcer exceptions to allow specific FQDNs/IPs. A longer exception timeout weakens security because the enforcer is disabled for that period and the user has unrestricted internet access. Creating enforcer exceptions is tedious and may require changes over time, depending on the pages that need to be allowed.

The benefits of using the embedded browser for Captive Portal are:

  • Improved security: there is no need to completely disable the enforcer when a Captive Portal is detected. Embedded browser CP traffic is implicitly allowed because the embedded browser is a process spawned by the GlobalProtect Agent.
  • For the same reason, there is no need to define enforcer exceptions (IP-based or FQDN-based) for Captive Portal related traffic or associated pages. This also conserves the limited number of enforcer exception entries.
  • Better user experience: the embedded browser opens in front on the user's screen, prompting for action (whereas the default browser may open "yet another tab").
  • There is no concern about the CP exception timeout expiring, and no need to complete authentication within a pre-configured interval.


Environment


The embedded browser for Captive Portal is supported on the Windows GlobalProtect client starting with:

  • Content version 8966-9398,
  • GlobalProtect App version 6.2.8-c233 (6.2.8-h1) and 6.3.3 or later.


Resolution


Embedded Browser for Captive Portal configuration steps
(under: GlobalProtect Portal > Agent > App tab):

  • Set "Use Default Browser for Captive Portal" to "No".
  • Set "Display Captive Portal Detection Message" to "Yes" (current limitation).
  • Set "Captive Portal Exception Timeout (sec)" to "0". Embedded browser captive portal traffic is implicitly allowed by the enforcer because it comes from a process spawned by the GlobalProtect Agent; for security purposes and a better user experience, the exception timeout should be set to 0.

Note that the setting "Automatically Launch Webpage in Default Browser Upon Captive Portal Detection" is optional. Starting with GlobalProtect 6.2.4 and 6.3.1, GlobalProtect opens the URL returned in the REDIRECT message. If no URL is returned, it uses the URL configured under "Automatically Launch Webpage in Default Browser Upon Captive Portal Detection". If no URL is configured, it uses Apple's captive portal URL.

 


Additional Information


GlobalProtect for macOS leverages the native OS mechanism, Apple's Captive Network Assistant (CNA), to perform Captive Portal login.
If CNA isn't invoked, GlobalProtect for macOS can launch the default browser for CP purposes.


