
GlobalProtect Administrator’s Guide 155
Remote Access VPN with Pre-Logon
The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent
and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the
user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs
in instead of using cached credentials.
Prior to user login there is no username associated with the traffic. Therefore, to enable the client system to
access resources in the trust zone you must create security policies that match the pre-logon user. These policies
should only allow access to basic services required to start up the system, such as DHCP, DNS, Active Directory
(for example, to change an expired password), antivirus, and/or operating system update services. Then, after
the user logs in to the system and authenticates, the VPN tunnel is renamed to include the username so that
user- and group-based policy can be enforced.
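The two-stage policy described above, written as an added illustrative PAN-OS CLI fragment (not taken from the guide): one rule matches the built-in pre-logon user and allows only bootstrap services, and a second rule applies to named domain users once the tunnel has been renamed. The zone names (vpn, trust), the rule names, the domain group and the antivirus-update App-ID are placeholders to adapt to your environment.

```text
configure
# Rule 1: traffic from the pre-logon tunnel has no username yet, so it only
# gets the services a machine needs to boot and join the domain.
set rulebase security rules pre-logon-bootstrap from vpn to trust source any destination any
set rulebase security rules pre-logon-bootstrap source-user pre-logon
set rulebase security rules pre-logon-bootstrap application [ dhcp dns ldap kerberos ms-update AV-UPDATE-APP-PLACEHOLDER ]
set rulebase security rules pre-logon-bootstrap service application-default
set rulebase security rules pre-logon-bootstrap action allow
set rulebase security rules pre-logon-bootstrap description "Machine-only access before user login"
# Rule 2: after login (SSO or saved credentials) the tunnel carries the username,
# so this rule, and not rule 1, decides what the user can reach.
set rulebase security rules post-logon-users from vpn to trust source any destination any
set rulebase security rules post-logon-users source-user [ "example\domain users" ]
set rulebase security rules post-logon-users application any
set rulebase security rules post-logon-users service application-default
set rulebase security rules post-logon-users action allow
set rulebase security rules post-logon-users description "User/group-based access after tunnel rename"
commit
```

Lines beginning with # are explanatory comments, not CLI input; the deny-all default at the end of the rulebase still drops anything the pre-logon rule does not explicitly allow.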
With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either
via an authentication profile or a certificate profile configured to validate a client certificate containing a
username). After authentication succeeds, the portal pushes the client configuration to the agent along with a
cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system
attempts to connect in pre-logon mode, it will use the cookie to authenticate to the portal and receive its pre-logon
client configuration. Then, it will connect to the gateway specified in the configuration and authenticate using
its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN
tunnel.
When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the client
configuration, the username will immediately be reported to the gateway so that the tunnel can be renamed and
user- and group-based policy can be enforced. If SSO is not enabled in the client configuration or if SSO is not
supported on the client system (for example, it is a Mac OS system), the user’s credentials must be stored in the
agent (that is, the Remember Me check box must be selected within the agent).
Windows systems and Mac systems behave differently in a pre-logon configuration. Unlike the
Windows behavior described above, on Mac OS systems the tunnel is disconnected when the
user logs in and then a new tunnel is established.