User-Initiated Pre-Logon Connection

You can now enable end users to initiate the GlobalProtect pre-logon connection manually on Windows 10 endpoints.
Software Support: Starting with GlobalProtect™ App 5.0.3
OS Support: Windows 10
User-initiated pre-logon requires that you Use Single Sign-On in your portal configuration. With user-initiated pre-logon, the pre-logon connection no longer starts as soon as users boot up their endpoint. Instead, users can initiate the pre-logon connection only when their endpoint requires access to the corporate network before login, such as when new employees connect to the network remotely for the first time or when administrators must remotely connect and troubleshoot issues on the endpoint. To initiate the pre-logon connection, users must Start GlobalProtect Connection from the GlobalProtect credential provider logon screen after the endpoint boots up.
If users are unable to establish the pre-logon connection using this option, the pre-logon connection status remains Disconnected.
When users log out of their endpoint, the VPN tunnel is not renamed from the user tunnel back to the pre-logon tunnel. Instead, the tunnel disconnects.
Use the following steps to enable users to initiate the pre-logon connection manually:
You can configure this option only in the Windows Registry. This configuration can be done either manually after GlobalProtect is installed or pre-deployed as part of the Windows image that includes the GlobalProtect software.
  1. Configure remote access VPN with pre-logon.
    Use one of the following options to configure remote access VPN with pre-logon:
    • If your end user will be connecting to the GlobalProtect portal before using this feature (for example, an existing employee who has previously connected to GlobalProtect), you can configure remote access VPN with pre-logon from your firewall.
      To enable users to initiate the pre-logon connection manually, you must configure the following options in your portal configuration:
      • Specify a portal IP address (Network > GlobalProtect > Portals > <portal-config> > General).
      • Set the GlobalProtect Connect Method to Pre-logon (Always On) or Pre-logon then On-demand (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App).
      • Set the Use Single Sign-On option to Yes to enable GlobalProtect to use Windows login credentials to automatically authenticate users upon Active Directory login (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App).
    • If your end user will not be connecting to the GlobalProtect portal before using this feature (for example, a new employee who is connecting to the network remotely for the first time), you must pre-deploy the pre-logon settings in the Windows Registry:
      1. From your Windows endpoint, launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\
      4. Specify a portal address:
        1. From the list of PanSetup options, right-click Portal and then select Modify... to update the portal address.
        2. Enter the portal address in the Value data field.
        3. Click OK to save your changes.
      5. Enable pre-logon:
        1. From the list of PanSetup options, right-click Prelogon and then select Modify...
        2. To enable pre-logon, set the Value data to 1.
          To disable pre-logon, set the Value data to 0.
        3. Click OK to save your changes.
      6. Enable single sign-on (SSO):
        When you enable single sign-on, GlobalProtect uses Windows login credentials to automatically authenticate users upon Active Directory login.
        1. Select Edit > New > String Value to add the option to use single sign-on.
        2. When prompted, set the Name to use-sso.
        3. Right-click Use-SSO and then select Modify... to update the single sign-on settings.
        4. To enable single sign-on, set the Value data to yes.
          To disable single sign-on, set the Value data to no.
        5. Click OK to save your changes.
  2. From the Windows Registry, enable the option to display the Start GlobalProtect Connection button on the GlobalProtect credential provider logon screen.
    1. From your Windows endpoint, launch the Command Prompt.
    2. Enter regedit to open the Windows Registry.
    3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup\
    4. Select Edit > New > String Value to add the button display option.
    5. When prompted, set the Name to ShowPrelogonButton.
    6. Right-click ShowPrelogonButton and then select Modify... to update the button display settings.
    7. To enable the GlobalProtect credential provider to display the Start GlobalProtect Connection button, set the Value data to yes.
      To disable the ShowPrelogonButton option, set the Value data to no. Alternatively, you can right-click ShowPrelogonButton to Delete the option.
    8. Click OK to save your changes.
  3. Verify that the GlobalProtect credential provider displays the Start GlobalProtect Connection button so users can initiate the pre-logon connection manually.
    Depending on which option you used to configure remote access VPN with pre-logon (step 1), use one of the following options to verify that the GlobalProtect credential provider displays the Start GlobalProtect Connection button:
    • If you configured remote access VPN with pre-logon on your firewall, use the following steps to verify that the button is displayed:
      1. From your Windows endpoint, launch the GlobalProtect app.
      2. Connect to GlobalProtect to download the portal agent configuration that you configured in step 1.
      3. Reboot your Windows endpoint.
      4. When the GlobalProtect credential provider logon screen appears, ensure that the Start GlobalProtect Connection button is displayed and the pre-logon connection status is Disconnected.
    • If you pre-deployed the pre-logon settings in the Windows Registry, use the following steps to verify that the button is displayed:
      1. Reboot your Windows endpoint.
      2. When the GlobalProtect credential provider logon screen appears, ensure that the Start GlobalProtect Connection button is displayed and the pre-logon connection status is Disconnected.
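
The registry steps above can also be scripted for pre-deployment in a Windows image. The following PowerShell is an added example, not Palo Alto Networks code: it writes the four PanSetup values named in the steps and reads them back before the reboot check. The portal address portal.example.com is a placeholder, and the function names Set-PanSetupValue and Test-PanSetup are hypothetical.

```powershell
# Added example, not Palo Alto Networks code. Run elevated, after GlobalProtect is installed.
$PanSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'

# Value names and data come from the steps above; the portal address is a placeholder.
$Desired = [ordered]@{
    'Portal'             = 'portal.example.com'   # placeholder, replace with your portal
    'Prelogon'           = '1'                    # 1 = pre-logon enabled
    'use-sso'            = 'yes'                  # required for user-initiated pre-logon
    'ShowPrelogonButton' = 'yes'                  # shows Start GlobalProtect Connection
}

function Set-PanSetupValue {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    # Fails here if the PanSetup key is missing (GlobalProtect not installed).
    $key  = Get-Item -Path $PanSetup -ErrorAction Stop
    # Keep the type of a value that already exists; create new ones as
    # String Values (REG_SZ), which is what the steps above add.
    $kind = [Microsoft.Win32.RegistryValueKind]::String
    if ($key.GetValueNames() -contains $Name) { $kind = $key.GetValueKind($Name) }
    New-ItemProperty -Path $PanSetup -Name $Name -Value $Value -PropertyType $kind -Force | Out-Null
}

function Test-PanSetup {
    # Read back every value and compare it with the desired state.
    $actual = Get-ItemProperty -Path $PanSetup -ErrorAction Stop
    foreach ($name in $Desired.Keys) {
        $found = [string]$actual.$name
        [pscustomobject]@{
            Name     = $name
            Expected = $Desired[$name]
            Actual   = $found
            Match    = ($found -eq $Desired[$name])
        }
    }
}

foreach ($name in $Desired.Keys) { Set-PanSetupValue -Name $name -Value $Desired[$name] }

$report = Test-PanSetup
$report | Format-Table -AutoSize
if ($report.Match -contains $false) { throw 'PanSetup does not match the desired state.' }
```

Writing under HKEY_LOCAL_MACHINE requires administrator rights. The read-back only confirms the registry state; the button itself still has to be verified on the credential provider logon screen after a reboot, as in step 3.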
