Deploy Connect Before Logon Settings in the Windows Registry

Connect Before Logon allows users to connect to the VPN before logging in to their Windows endpoints, so that settings and configurations can be deployed to the endpoint before the user logs in.
You deploy Connect Before Logon settings to Windows 10 endpoints through the Windows Registry before you enable end users to connect to the VPN ahead of the Windows logon. GlobalProtect reads these registry keys only once, when the GlobalProtect app initializes, so changes do not take effect until the endpoint is rebooted.
Follow these guidelines when deploying the Connect Before Logon settings:
  • The Pre-logon and Pre-logon then On-demand connection methods cannot be used at the same time as Connect Before Logon.
  • If users log in with smart card authentication, or with username/password-based authentication against an authentication service such as LDAP, RADIUS, or OTP, you must add the fully qualified domain names of the portal and gateway to the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established app setting in the App Configurations area of the GlobalProtect portal; otherwise the enforcer blocks the authentication traffic before a tunnel exists. If users log in with SAML authentication through a configured SAML identity provider (IdP) such as Okta, you must also add exclusions for *okta.com and *oktacdn.com. For other IdPs, you must add exclusions for the IdP URLs (IP addresses or fully qualified domain names) only if the enforcer is enabled.
  1. Configure the registry keys on the end user Windows endpoints.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable Connect Before Logon. You can add the registry keys automatically or manually.
    • To automatically add the registry keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -registerplap option:
      PanGPS.exe -registerplap
    • To automatically unregister the keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -unregisterplap option:
      PanGPS.exe -unregisterplap
    To add the registry keys manually, open the Windows Registry Editor by entering regedit at the command prompt. The Windows logon UI loads the registered PLAP provider as an in-process COM server before any user has logged on, so make sure the InprocServer32 entry resolves to the signed PanPlapProvider.dll from the GlobalProtect installation directory and that only administrators can modify these keys.
    You must create the CLSID key.
    1. In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285} and set the default value to PanPlapProvider (@="PanPlapProvider").
    2. Go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}\InprocServer32 and set the default value to PanPlapProvider.dll (@="PanPlapProvider.dll"). Verify that the ThreadingModel value is set to Apartment; this is the default value.
    3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285} and set the default value to PanPlapProvider (@="PanPlapProvider").
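The following PowerShell script is an added example, not part of the GlobalProtect documentation or the vendor's tooling. It checks that the keys from step 1 are present with the expected values, whichever way they were added, and that the DLL the InprocServer32 entry points at carries a valid Authenticode signature. The CLSID, value names and default install directory are those from the page; the fallback of resolving a bare PanPlapProvider.dll against the install directory is an assumption of this script.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the GlobalProtect documentation): verify the PLAP
# registration described in step 1. Run from an elevated PowerShell prompt.
# Assumption: when InprocServer32 holds a bare file name, the DLL is resolved
# against the default GlobalProtect install directory from the page.

$Clsid      = '{20A29589-E76A-488B-A520-63582302A285}'
$ClsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$InprocKey  = "$ClsidKey\InprocServer32"
$PlapKey    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$Clsid"
$InstallDir = 'C:\Program Files\Palo Alto Networks\GlobalProtect'

# Return the (default) value of a registry key, or $null if the key is missing.
function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$inproc   = Get-ItemProperty -LiteralPath $InprocKey -ErrorAction SilentlyContinue
$dllValue = Get-DefaultValue $InprocKey
$dllPath  = if ($dllValue -and [System.IO.Path]::IsPathRooted($dllValue)) { $dllValue } else { Join-Path $InstallDir 'PanPlapProvider.dll' }
# The logon UI loads this DLL before anyone logs on, so check the signature,
# not just the file name.
$sig = if (Test-Path -LiteralPath $dllPath) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

$results = [ordered]@{
    'CLSID default value is PanPlapProvider'                = ((Get-DefaultValue $ClsidKey) -eq 'PanPlapProvider')
    'InprocServer32 default value names PanPlapProvider.dll' = ($dllValue -like '*PanPlapProvider.dll')
    'ThreadingModel is Apartment'                           = ($inproc.ThreadingModel -eq 'Apartment')
    'PLAP Providers default value is PanPlapProvider'       = ((Get-DefaultValue $PlapKey) -eq 'PanPlapProvider')
    'PanPlapProvider.dll exists at the resolved path'       = (Test-Path -LiteralPath $dllPath)
    'DLL Authenticode signature is valid'                   = ($null -ne $sig -and $sig.Status -eq 'Valid')
}

$failed = 0
foreach ($name in $results.Keys) {
    if ($results[$name]) { $status = 'PASS' } else { $status = 'FAIL'; $failed++ }
    Write-Output ('[{0}] {1}' -f $status, $name)
}
if ($sig) { Write-Output ('Resolved DLL: {0}  Signer: {1}' -f $dllPath, $sig.SignerCertificate.Subject) }
if ($failed -gt 0) {
    Write-Warning "$failed check(s) failed. Run 'PanGPS.exe -registerplap' as administrator from $InstallDir, or correct the keys by hand."
}
exit $failed
```

The exit code is the number of failed checks, so the script can be used as a compliance probe from an endpoint-management tool. Review the printed signer subject against the vendor certificate your organization expects; the page does not state that subject, so the script only asserts that the signature chain is valid.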
  2. (Optional) Configure additional portal addresses or names to display.
    If a portal is configured in the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup, value Portal), Connect Before Logon uses it as the default portal address or name.
    You can configure up to five additional portal addresses or names to display in the Portal drop-down by changing the registry keys on the end user Windows endpoints. You must change the Windows registry on the end users’ Windows endpoints before you can define the portal addresses or names.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL key under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for each portal that you want to add. Name the entries Portal1, Portal2, Portal3, Portal4, and Portal5. The value data cannot contain spaces.
    4. Right-click the portal registry value, and then select Modify.
    5. Enter the IP address or name of the GlobalProtect portal in the Value Data field, and then click OK.
    6. Repeat steps 3 through 5 for each portal that you want to add.
  3. (Optional) Display the predefined portal addresses or names.
    By default, Connect Before Logon does not display the portal address or name if only one portal is defined. You must change the Windows registry on the end users’ Windows endpoints before you can display it.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL key under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect (skip this step if the key already exists).
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry named AlwaysShowPortal.
    4. Enter yes in the Value Data field, and then click OK.
  4. (Optional) Enable end users to authenticate using a smart card.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable smart card authentication.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL key under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect (skip this step if the key already exists).
    2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry named UseSmartCard.
    4. Enter yes in the Value Data field, and then click OK.
  5. Reboot the endpoint.
    You must reboot the endpoint for the PLAP and Connect Before Logon registry keys to take effect, because GlobalProtect reads them only when the app initializes.
  6. Verify the configuration.
    After you have configured the settings in the Windows registry, choose the authentication method to use with Connect Before Logon (available starting with GlobalProtect™ app 5.2):
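The following PowerShell script is an added example, not part of the GlobalProtect documentation, that applies the optional settings from steps 2, 3 and 4 in one pass so they can be pushed by an endpoint-management tool instead of edited by hand in regedit. The key path and the value names Portal1 to Portal5, AlwaysShowPortal and UseSmartCard are those from the page; the two portal FQDNs used as defaults are invented placeholders, and the decision to remove stale entries that are not in the supplied list is a choice of this script.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the GlobalProtect documentation): deploy the optional
# Connect Before Logon settings from steps 2 to 4. Run elevated on the endpoint.
# Assumptions: the portal names below are invented placeholders; entries not in
# $Portals are removed so the drop-down reflects exactly the supplied list.
param(
    [string[]]$Portals = @('vpn-east.example.com', 'vpn-west.example.com'),
    [switch]$AlwaysShowPortal,
    [switch]$UseSmartCard
)

$GpKey  = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect'
$CblKey = Join-Path $GpKey 'CBL'

# The page allows at most five additional portals and no spaces in the value data.
if ($Portals.Count -gt 5) {
    throw "At most five additional portals are supported; got $($Portals.Count)."
}
foreach ($p in $Portals) {
    if ($p -match '\s') { throw "Portal entry '$p' contains whitespace, which is not allowed." }
}

# Report the default portal that Connect Before Logon takes from PanSetup\Portal.
$default = (Get-ItemProperty -LiteralPath (Join-Path $GpKey 'PanSetup') -ErrorAction SilentlyContinue).Portal
if ($default) { Write-Host "Default portal from PanSetup: $default" }
else { Write-Warning 'No Portal value found under PanSetup.' }

# Step 2: create the CBL key and write Portal1..PortalN; clear the rest.
New-Item -Path $CblKey -Force | Out-Null
for ($i = 1; $i -le 5; $i++) {
    $name = "Portal$i"
    if ($i -le $Portals.Count) {
        New-ItemProperty -LiteralPath $CblKey -Name $name -Value $Portals[$i - 1] -PropertyType String -Force | Out-Null
    } else {
        Remove-ItemProperty -LiteralPath $CblKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Steps 3 and 4: both flags are string values whose data is the literal "yes".
$flags = @(
    @{ Name = 'AlwaysShowPortal'; On = [bool]$AlwaysShowPortal },
    @{ Name = 'UseSmartCard';     On = [bool]$UseSmartCard }
)
foreach ($flag in $flags) {
    if ($flag.On) {
        New-ItemProperty -LiteralPath $CblKey -Name $flag.Name -Value 'yes' -PropertyType String -Force | Out-Null
    } else {
        Remove-ItemProperty -LiteralPath $CblKey -Name $flag.Name -ErrorAction SilentlyContinue
    }
}

# Show the resulting key; PanGPS reads it only at initialization (step 5).
Get-ItemProperty -LiteralPath $CblKey | Format-List Portal*, AlwaysShowPortal, UseSmartCard
Write-Host 'Reboot the endpoint for the PLAP and Connect Before Logon keys to take effect.'
```

Run it as, for example, `.\Deploy-CblSettings.ps1 -Portals vpn.example.com -AlwaysShowPortal -UseSmartCard`; the file name and the example FQDN are placeholders. Because the script removes any Portal entry or flag that it was not asked to set, run it with the complete intended configuration rather than incrementally.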
