GlobalProtect Administrator’s Guide
Remote Access VPN with Pre-Logon GlobalProtect Quick Configs
Step 8 Configure the GlobalProtect Portal.
For this configuration, create two client configurations: one that will be pushed to the agent when the user is not logged in (User/User Group is pre-logon) and one that will be pushed when the user is logged in (User/User Group is any). You may want to limit gateway access to a single gateway for pre-logon users, while providing access to multiple gateways for logged-in users.
As a best practice, enable SSO in the second client configuration to ensure that the correct username is reported to the gateway immediately when the user logs in to the machine. If SSO is not enabled, the username saved in the GlobalProtect agent settings panel will be used.
Select Network > GlobalProtect > Portals and add the following configuration:
1. Set Up Access to the Portal:
   Interface—ethernet1/2
   IP Address—199.21.7.42
   Server Certificate—GP-server-cert.pem issued by Go Daddy
   Certificate Profile—None
   Authentication Profile—Corp-LDAP
2. Create a GlobalProtect Client Configuration for pre-logon users and for logged in users:
   First Client Configuration:
     Connect Method—pre-logon
     External Gateway Address—gp.acme.com
     User/User Group—pre-logon
     Authentication Modifier—Cookie authentication for config refresh
   Second Client Configuration:
     Use single sign-on—enabled
     Connect Method—pre-logon
     External Gateway Address—gp.acme.com
     User/User Group—any
     Authentication Modifier—Cookie authentication for config refresh
3. Make sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and click Move Up.
Step 9 Save the GlobalProtect configuration.
Click Commit.
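Why the ordering in item 3 of the portal configuration matters, shown as an added example that is not part of the original guide or Palo Alto Networks code. It assumes the portal walks the client configuration list top-down and delivers the first entry whose User/User Group matches; the class, field and function names and the username "alice" are hypothetical, and the two entries are built from the values on this page.

```python
# Added illustration: a simplified model of top-down, first-match selection of
# portal client configurations. Field names are hypothetical, not PAN-OS schema.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientConfig:
    name: str
    users: frozenset      # User/User Group entries; "any" matches everyone
    gateways: tuple       # external gateways pushed to the agent
    sso: bool = False     # "Use single sign-on"


def matches(cfg, user):
    return "any" in cfg.users or user in cfg.users


def select_config(configs, user):
    """Return the first config (top-down) whose User/User Group matches."""
    for cfg in configs:
        if matches(cfg, user):
            return cfg
    return None


def shadowed(configs):
    """Names of configs that can never be delivered because an earlier
    'any' entry matches every user before they are reached."""
    hidden, seen_any = [], False
    for cfg in configs:
        if seen_any:
            hidden.append(cfg.name)
        seen_any = seen_any or "any" in cfg.users
    return hidden


# Constructed from the values on this page.
PRE_LOGON = ClientConfig("pre-logon-config", frozenset({"pre-logon"}), ("gp.acme.com",))
LOGGED_IN = ClientConfig("logged-in-config", frozenset({"any"}), ("gp.acme.com",), sso=True)

CORRECT = [PRE_LOGON, LOGGED_IN]   # pre-logon entry first, as item 3 requires
WRONG = [LOGGED_IN, PRE_LOGON]     # "any" first shadows the pre-logon entry

if __name__ == "__main__":
    for label, order in (("correct", CORRECT), ("wrong", WRONG)):
        for user in ("pre-logon", "alice"):   # "alice" is a constructed username
            print(label, user, "->", select_config(order, user).name)
        print(label, "shadowed:", shadowed(order))
```

With the wrong order, the pre-logon user receives the logged-in configuration, so any gateway restriction intended for pre-logon connections is never applied.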
Quick Config: Remote Access VPN with Pre-Logon (Continued)