1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Apps
    5. Deploy App Settings Transparently
    6. Deploy App Settings to Windows Endpoints
    7. Deploy Connect Before Logon Settings in the Windows Registry

    Deploy Connect Before Logon Settings in the Windows Registry

    Enable the deployment of Connect Before Logon settings to Windows endpoints.
    You can deploy Connect Before Logon settings to Windows 10 endpoints prior to enabling end users to log in to the VPN before logging into the endpoint by using the Windows Registry. GlobalProtect retrieves the registry keys only once, when the GlobalProtect app initializes.
    The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.
    1. Configure the registry keys on the end user Windows endpoints.
      You must change the Windows registry on the end users’ Windows endpoints before you can enable Connect Before Logon. You can automatically add the registry keys or manually add the keys.
      • To automatically add the registry keys for
        PanPlapProvider
         and
        PanPlapProvider.dll
         in
        PanGPS.exe
         (
        C:\Program Files\Palo Alto Networks\GlobalProtect
        ), use the
        -registerplap
         command to run as an administrator by using the following syntax: 
        PanGPS.exe -registerplap
      • To automatically unregister the keys for
        PanPlapProvider
         and
        PanPlapProvider.dll
         in
        PanGPS.exe
         (
        C:\Program Files\Palo Alto Networks\GlobalProtect
        ), use the
        -unregisterplap
         command to run as an administrator by using the following syntax: 
        PanGPS.exe -unregisterplap
      To manually add the registry keys, open the Windows Registry Editor and enter
      regedit
       on the command prompt.
      You must create the
      CLSID
       folder.
      1. In the Windows Registry, go to
        HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}
        .
        Add the
        PanPlapProvider
         value in the format
        @=PanPlapProvider
        .
      2. In the Windows Registry, go to
        HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}\InprocServer32@="PanPlapProvider.dll"
        .
        Verify that the
        ThreadingModel
         value is set to
        Apartment
        . This is the default value.
      3. In the Windows Registry, go to
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285}@="PanPlapProvider"
        .
        Add the
        PanPlapProvider
         value in the format
        @=PanPlapProvider
        .
    2. (
      Optional
      ) Configure additional portal addresses or names to display.
      If configured, Connect Before Logon will use the default portal address or name in the Windows Registry (
      HKEY_LOCAL_MACHINE\SOFTWARE\PaloAlto Networks\GlobalProtect\PanSetup
       with key
      Portal
      ).
      You can configure additional portal addresses or names that you want to display in the Portal drop-down by changing the registry keys on the end user Windows endpoints. You can add up to five portal addresses or names. You must change the Windows registry on the end users’ Windows endpoints before you can define the portal addresses or names.
      Open the Windows Registry Editor and enter
      regedit
       on the command prompt.
      1. In the Windows Registry, create the
        CBL
         folder under
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
        .
      2. In the Windows Registry, go to
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL
        .
      3. Select
        Edit
        New
        String Value
         to create a registry entry for each portal that you want to add.
        You must specify each entry as
        Portal1
        ,
        Portal2
        ,
        Portal3
        ,
        Portal4
        , and
        Portal5
        . Each entry cannot contain spaces.
      4. Right-click the
        portal
         registry value, and then select
        Modify
        .
      5. Enter the IP address or name of the GlobalProtect portal in the
        Value Data
         field, and then click
        OK
        .
      6. Repeat steps 3 and 4 for each portal that you want to add.
    3. (
      Optional
      ) Display the predefined portal addresses or names.
      You must change the Windows registry on the end users’ Windows endpoints before you can display the portal addresses or names.
      Open the Windows Registry Editor and enter
      regedit
       on the command prompt.
      1. In the Windows Registry, create the
        CBL
         folder under
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
        .
      2. In the Windows Registry, go to
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL
        .
      3. Select
        Edit
        New
        String Value
         to create a registry entry for
        AlwaysShowPortal
        .
      4. Enter the value as
        yes
         in the
        Value Data
         field, and then click
        OK
        .
        By default, Connect Before Logon does not display the portal address or name if only one portal is defined.
    4. (
      Optional
      ) Enable end users to authenticate using a smart card.
      You must change the Windows registry on the end users’ Windows endpoints before you can enable smart card authentication.
      Open the Windows Registry Editor and enter
      regedit
       on the command prompt.
      1. In the Windows Registry, create the
        CBL
         folder under
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
        .
      2. In the Windows Registry, go to
        HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL
        .
      3. Select
        Edit
        New
        String Value
         to create a registry entry for
        UseSmartCard
        .
      4. Enter the value as
        yes
         in the
        Value Data
         field, and then click
        OK
        .
    5. Reboot the endpoint.
      You must reboot the endpoint in order for the PLAP and Connect Before Logon registry keys to take effect.
    6. Verify the configuration.
      After you have configured the settings in the Windows registry and to use Connect Before Logon starting with GlobalProtect™ app 5.2, choose the authentication method:

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo