Deploy Connect Before Logon Settings in the Windows Registry
Connect Before Logon allows users to log in to the VPN before logging into their Windows endpoints, enabling the deployment of settings and configurations prior to user login.
You can deploy Connect Before Logon settings to Windows 10 endpoints prior to enabling end users to log in to the VPN before logging into the endpoint by using the Windows Registry. GlobalProtect retrieves the registry keys only once, when the GlobalProtect app initializes.
Follow these guidelines when deploying the Connect Before Logon settings:
  • The Pre-logon and Pre-logon then On-demand connection methods are not supported simultaneously with Connect Before Logon.
  • If you are using smart card authentication, or username/password-based authentication through an authentication service such as LDAP, RADIUS, or OTP, for user login, you must configure exclusions for the fully qualified domain names of the portal and gateway by entering them under Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established, an app setting in the App Configurations area of the GlobalProtect portal. If you are using SAML authentication for user login with a configured SAML identity provider (IdP) such as Okta, you must also configure exclusions for *okta.com and *oktacdn.com. For other IdPs, you must configure exclusions for the URLs that contain IP addresses or fully qualified domain names only if the Enforcer status is enabled.
  1. Configure the registry keys on the end user Windows endpoints.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable Connect Before Logon. You can automatically add the registry keys or manually add the keys.
    • To automatically add the registry keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (located in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -registerplap option, using the following syntax:
      PanGPS.exe -registerplap
    • To automatically unregister the keys for PanPlapProvider and PanPlapProvider.dll, run PanGPS.exe (located in C:\Program Files\Palo Alto Networks\GlobalProtect) as an administrator with the -unregisterplap option, using the following syntax:
      PanGPS.exe -unregisterplap
    To manually add the registry keys, open the Windows Registry Editor by entering regedit at the command prompt.
    You must create the CLSID folder.
    1. In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}.
      Set the (Default) value to PanPlapProvider (@="PanPlapProvider").
    2. In the Windows Registry, go to HKEY_CLASSES_ROOT\CLSID\{20A29589-E76A-488B-A520-63582302A285}\InprocServer32 and set the (Default) value to PanPlapProvider.dll (@="PanPlapProvider.dll").
      Verify that the ThreadingModel value is set to Apartment. This is the default value.
    3. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{20A29589-E76A-488B-A520-63582302A285} and set the (Default) value to PanPlapProvider (@="PanPlapProvider").
  2. (Optional) Configure additional portal addresses or names to display.
    If a default portal address or name is configured in the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup, key Portal), Connect Before Logon uses it.
    You can configure additional portal addresses or names that you want to display in the Portal drop-down by changing the registry keys on the end user Windows endpoints. You can add up to five portal addresses or names. You must change the Windows registry on the end users’ Windows endpoints before you can define the portal addresses or names.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for each portal that you want to add.
      You must specify each entry as Portal1, Portal2, Portal3, Portal4, and Portal5. Each entry cannot contain spaces.
    4. Right-click the portal registry value, and then select Modify.
    5. Enter the IP address or name of the GlobalProtect portal in the Value Data field, and then click OK.
    6. Repeat steps 3 and 4 for each portal that you want to add.
  3. (Optional) Display the predefined portal addresses or names.
    You must change the Windows registry on the end users’ Windows endpoints before you can display the portal addresses or names.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for AlwaysShowPortal.
    4. Enter the value as yes in the Value Data field, and then click OK.
      By default, Connect Before Logon does not display the portal address or name if only one portal is defined.
  4. (Optional) Enable end users to authenticate using a smart card.
    You must change the Windows registry on the end users’ Windows endpoints before you can enable smart card authentication.
    Open the Windows Registry Editor by entering regedit at the command prompt.
    1. In the Windows Registry, create the CBL folder under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect.
    2. In the Windows Registry, go to HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
    3. Select Edit > New > String Value to create a registry entry for UseSmartCard.
    4. Enter the value as yes in the Value Data field, and then click OK.
  5. Reboot the endpoint.
    You must reboot the endpoint in order for the PLAP and Connect Before Logon registry keys to take effect.
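    The registry changes from steps 2 through 4, plus a check of the step 1 PLAP registration, as an added PowerShell example (not Palo Alto Networks' own tooling): the portal names are constructed sample values, and the DLL check assumes the default installation directory given above.

```powershell
# Added example: apply the Connect Before Logon (CBL) registry settings with PowerShell
# instead of regedit, then check the PLAP provider registration from step 1.
# Run from an elevated PowerShell prompt. Portal names below are constructed sample values.
$ErrorActionPreference = 'Stop'

$Clsid   = '{20A29589-E76A-488B-A520-63582302A285}'
$GpDir   = 'C:\Program Files\Palo Alto Networks\GlobalProtect'   # assumed default install path
$CblKey  = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'
$Portals = @('portal1.example.com', 'portal2.example.com')        # constructed sample values

# Step 2: at most five entries named Portal1..Portal5, and no entry may contain spaces.
if ($Portals.Count -gt 5) { throw 'Connect Before Logon supports at most five portal entries.' }
foreach ($p in $Portals) {
    if ($p -match '\s') { throw "Portal entry '$p' must not contain spaces." }
}

New-Item -Path $CblKey -Force | Out-Null
for ($i = 0; $i -lt $Portals.Count; $i++) {
    New-ItemProperty -Path $CblKey -Name ('Portal{0}' -f ($i + 1)) `
        -Value $Portals[$i] -PropertyType String -Force | Out-Null
}

# Steps 3 and 4: always show the portal list, and allow smart card authentication.
New-ItemProperty -Path $CblKey -Name 'AlwaysShowPortal' -Value 'yes' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $CblKey -Name 'UseSmartCard'     -Value 'yes' -PropertyType String -Force | Out-Null

# Step 1 check: a PLAP provider loads before any user logs on, so confirm that the CLSID
# registered for PLAP resolves to the GlobalProtect DLL and that the DLL exists on disk.
$inproc    = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32").'(default)'
$plapEntry = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$Clsid").'(default)'
$dllPath   = Join-Path $GpDir 'PanPlapProvider.dll'

if ($plapEntry -ne 'PanPlapProvider') { throw "Unexpected PLAP Providers entry: '$plapEntry'" }
if ($inproc -ne 'PanPlapProvider.dll' -and $inproc -ne $dllPath) {
    throw "InprocServer32 points at '$inproc', not the GlobalProtect PLAP DLL."
}
if (-not (Test-Path $dllPath)) { throw "PanPlapProvider.dll not found under $GpDir." }

# Show the resulting CBL values; the PLAP keys take effect only after a reboot.
Get-ItemProperty -Path $CblKey | Format-List Portal*, AlwaysShowPortal, UseSmartCard
```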
  6. Verify the configuration.
    After you have configured the settings in the Windows registry, to use Connect Before Logon (available starting with GlobalProtect™ app 5.2), choose the authentication method: