Remote Access VPN with Pre-Logon

Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. The endpoint uses a machine certificate to establish the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).
Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel is created when the user logs in.
When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client’s configuration is current. If the portal’s configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client’s configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie-authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect client will then connect to the portal specified in the configuration and authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.
When the end user subsequently logs in to the machine and single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in. They are then used to authenticate to the gateway so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or if SSO is not supported on the endpoint (for example, it is a Mac OS endpoint), the user's credentials must be stored in the agent (that is, the Save User Credentials option must be set to Yes). After successful authentication to the gateway, the tunnel is renamed (Windows) or rebuilt (Mac), and user- and group-based policy can be enforced.
This example uses the GlobalProtect topology shown in Figure: GlobalProtect VPN for Remote Access.
  1. Create Interfaces and Zones for GlobalProtect.
    Use the default virtual router for all interface configurations to avoid having to create inter-zone routing.
    • For this example, select Network > Interfaces > Ethernet and then:
    • Select ethernet1/2.
    • For its interface type, select Layer 3.
    • Assign interface to: default virtual router, default virtual system, and l3-untrust security zone.
    • Select IPv4 and Add.
    • Select the address 203.0.113.1 (or the object that maps 203.0.113.1) or add a New Address to create a new object and address mapping. (Leave the address type as Static.)
    • Create a DNS “A” record that maps IP address 203.0.113.1 to gp.acme.com.
    • Select Network > Interfaces > Tunnel.
    • Add a tunnel.2 interface to a new zone called corp-vpn. Assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone.
  2. Create the security policy rules.
    This configuration requires the following policies (Policies > Security):
    1. Create a rule that enables pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
    2. Create a rule to deny pre-logon user access to all other destinations and applications.
    3. Create any additional rules to enable access to specific destinations and applications for specific users or user groups. Follow the Best Practice Internet Gateway Security Policy recommendations for creating these rules.
  3. Use one of the following methods to obtain a server certificate for the interface that hosts the GlobalProtect portal and gateway:
    Select Device > Certificate Management > Certificates to manage certificates with the following criteria:
    • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN, gp.acme.com.
    • To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
  4. Generate a machine certificate for each endpoint that will connect to GlobalProtect and import them into the personal certificate store on each machine.
    Although you could generate self-signed certificates for each endpoint, as a best practice, use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients.
    1. Issue client certificates to GlobalProtect clients and endpoints. This enables the GlobalProtect portal and gateways to validate that the device belongs to your organization.
    2. Install certificates in the personal certificate store on the endpoints. (Local Computer store on Windows or System Keychain on Mac OS)
  5. Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).
    You do not have to import the private key.
    1. Download the CA certificate in Base64 format.
    2. Import the certificate onto each firewall that hosts a portal or gateway, as follows:
      1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
      2. Enter a Certificate Name that identifies the certificate as your client CA certificate.
      3. Browse to the Certificate File you downloaded from the CA.
      4. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
      5. Select the certificate you just imported on the Device Certificates tab to open it.
      6. Select Trusted Root CA and then click OK.
  6. On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates.
    Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates if they are different.
    1. Select Device > Certificates > Certificate Management > Certificate Profile.
    2. Click Add and enter a Name to uniquely identify the profile, such as PreLogonCert.
    3. Set Username Field to None.
    4. (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
    5. In the CA Certificates field, click Add, select the Trusted Root CA certificate you imported in step 5, and then click OK.
    6. Click OK to save the profile.
  7. Configure a GlobalProtect Gateway.
    See the topology diagram shown in Figure: GlobalProtect VPN for Remote Access.
    Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged-in users. This example uses the same LDAP profile that authenticates users to the portal.
    1. Select Network > GlobalProtect > Gateways and add the following configuration:
      Interface: ethernet1/2
      IP Address: 203.0.113.1
      Server Certificate: GP-server-cert.pem issued by GoDaddy
      Certificate Profile: PreLogonCert
      Authentication Profile: Corp-LDAP
      Tunnel Interface: tunnel.2
      IP Pool: 10.31.32.3 - 10.31.32.118
    2. Commit the gateway configuration.
  8. Configure the GlobalProtect Portal.
    Configure Device details (networking parameters, the authentication service profile, and the certificate for the authentication server).
    Interface: ethernet1/2
    IP Address: 203.0.113.1
    Server Certificate: GP-server-cert.pem issued by GoDaddy
    Certificate Profile: None
    Authentication Profile: Corp-LDAP
  9. Define the GlobalProtect Agent Configurations for pre-logon users and for logged in users.
    Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in.
    Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration profiles. In the first agent configuration's User/User Group, select the pre-logon filter. With pre-logon, the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in.
    After the portal authenticates the user, it deploys the second agent configuration. In this case, User/User Group is any.
    As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the Agent settings panel is used.
    Select Agent and specify one of the following configurations:
    • Use the same gateway before and after pre-logon users log in:
      Use single sign-on: enabled
      Connect Method: pre-logon
      External Gateway Address: gp1.acme.com
      User/User Group: any
      Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    • Use separate gateways for pre-logon users before and after they log in:
      First Agent Configuration:
      Connect Method: pre-logon
      External Gateway Address: gp.acme.com
      User/User Group: pre-logon
      Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
      Second Agent Configuration:
      Use single sign-on: enabled
      Connect Method: pre-logon
      External Gateway Address: gp.acme.com
      User/User Group: any
      Authentication Override: Cookie authentication for transparently authenticating users and for configuration refresh
    Make sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and click Move Up.
  10. Save the GlobalProtect configuration.
    Click Commit.
  11. (Optional) If users will never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, create the Prelogon registry entry on the endpoint.
    You must also pre-deploy additional agent settings such as the default portal IP address and connect method.
    For more information about registry settings, see Deploy Agent Settings Transparently.
    1. Locate the GlobalProtect settings in the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
    2. Create a DWORD named Prelogon with a value of 1 in the Value data field and Hexadecimal as the Base. This setting enables GlobalProtect to initiate a VPN connection before the user logs into the laptop.
    3. Create a String Value named Portal that specifies the IP address or hostname of the default portal for the GlobalProtect client.
    4. Create a String Value named connect-method with a value of pre-logon in the Value data field. This setting enables GlobalProtect to initiate a VPN tunnel before a user logs in to the device and connects to the GlobalProtect portal.
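
The endpoint side of steps 4 and 11 as a PowerShell script, added here as an example and not taken from the vendor documentation: it writes the three PanSetup values, reads them back, and checks that a usable machine certificate sits in the Local Computer personal store. The portal name gp.acme.com comes from this example's topology; the issuer string and the 30-day expiry threshold are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Run on the endpoint while staging it.
$PanSetup   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
$PortalHost = 'gp.acme.com'          # portal FQDN from this example's topology
$IssuerHint = 'EXAMPLE-CLIENT-CA'    # placeholder: name of the CA that issues machine certificates

# Step 11: pre-deploy the three values described above.
if (-not (Test-Path $PanSetup)) { New-Item -Path $PanSetup -Force | Out-Null }
$expected = [ordered]@{
    'Prelogon'       = @{ Type = 'DWord';  Value = 1 }
    'Portal'         = @{ Type = 'String'; Value = $PortalHost }
    'connect-method' = @{ Type = 'String'; Value = 'pre-logon' }
}
foreach ($name in $expected.Keys) {
    New-ItemProperty -Path $PanSetup -Name $name -PropertyType $expected[$name].Type `
        -Value $expected[$name].Value -Force | Out-Null
}

# Read the values back so a write that did not take effect is caught now.
$problems = @()
$actual = Get-ItemProperty -Path $PanSetup
foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name].Value) {
        $problems += "Registry value '$name' reads '$($actual.$name)'"
    }
}

# Step 4: the pre-logon tunnel needs a machine certificate in the Local Computer
# personal store, with its private key, inside its validity period.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -like "*$IssuerHint*" -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now
})
if ($certs.Count -eq 0) {
    $problems += "No valid machine certificate from '$IssuerHint' with a private key in LocalMachine\My"
}
foreach ($c in $certs) {
    $days = [int]($c.NotAfter - $now).TotalDays
    if ($days -lt 30) { $problems += "Certificate $($c.Thumbprint) expires in $days days" }
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "Pre-logon settings and machine certificate look ready for $PortalHost"
```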
