Remote Access VPN with Pre-Logon

Pre-logon
is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to have the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).
Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.
When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client’s configuration is current. If the portal’s configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client’s configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie-authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect endpoint will then connect to the portal specified in the configuration and authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.
When the end user subsequently logs in to the machine and if single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway and so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or of SSO is not supported on the client system (for example, it is a Mac OS system) the users’ credentials must be stored in the agent (that is, the
Save User Credentials
option must be set to
Yes
). After successful authentication to the gateway the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.
gp-pre-logon.png
This example uses the GlobalProtect topology shown in GlobalProtect VPN for Remote Access.
  1. Use the
    default
    virtual router for all interface configurations to avoid having to create inter-zone routing.
    • For this example, select
      Network
      Interfaces
      Ethernet
      and then:
    • Select
      ethernet1/2
      .
    • For its interface type, select
      Layer 3
      .
    • Assign interface to
      : default virtual router, default virtual system, and
      l3-untrust
      security zone.
    • Select
      IPv4
      and
      Add
      .
    • Select the address
      203.0.113.1
      (or the object that maps
      203.0.113.1
      ) or add a
      New Address
      to create a new object and address mapping. (Leave the address type as
      Static
      .)
    • Create a DNS “A” record that maps IP address
      203.0.113.1
      to
      gp.acme.com
      .
    • Select
      Network
      Interfaces
      Tunnel
      .
    • Add
      a tunnel.2 interface to a new zone called
      corp-vpn
      . Assign it to the default virtual router.
    • Enable User Identification on the corp-vpn zone.
  2. Create the security policy rules.
    This configuration requires the following policies (
    Policies
    Security
    ):
    1. Create a rule that enables pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
    2. Create a rule to deny pre-logon user access to all other destinations and applications.
    3. Create any additional rules to enable access to specific destinations and applications for specific users or user groups. Follow the Best Practice Internet Gateway Security Policy recommendations for creating these rules.
  3. Use one of the following methods to obtain a server certificate for the interface that is hosts the GlobalProtect portal and gateway:
    Select
    Device
    Certificate Management
    Certificates
    to manage certificates with the following criteria:
    • Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
    • The CN of the certificate must match the FQDN,
      gp.acme.com
      .
    • To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
  4. Generate a machine certificate for each client system that will connect to GlobalProtect and import them into the personal certificate store on each machine.
    Although you could generate self-signed certificates for each client system, as a best practice, use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients.
  5. Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).
    You do not have to import the private key.
    1. Download the CA certificate in Base64 format.
    2. Import the certificate onto each firewall that hosts a portal or gateway, as follows:
      1. Select
        Device
        Certificate Management
        Certificates
        Device Certificates
        and click
        Import
        .
      2. Enter a
        Certificate Name
        that identifies the certificate as your client CA certificate.
      3. Browse
        to the
        Certificate File
        you downloaded from the CA.
      4. Select
        Base64 Encoded Certificate (PEM)
        as the
        File Format
        and then click
        OK
        .
      5. Select the certificate you just imported on the
        Device Certificates
        tab to open it.
      6. Select
        Trusted Root CA
        and then click
        OK
        .
  6. On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates.
    Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates if they are different.
    1. Select
      Device
      Certificates
      Certificate Management
      Certificate Profile
      .
    2. Click
      Add
      and enter a
      Name
      to uniquely identify the profile, such as
      PreLogonCert
      .
    3. Set
      Username
      Field
      to
      None
      .
    4. (
      Optional
      ) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
    5. In the
      CA Certificates
      field, click
      Add
      , select the Trusted Root CA certificate you imported in 5 and then click
      OK
      .
    6. Click
      OK
      to save the profile.
  7. See the topology diagram shown in GlobalProtect VPN for Remote Access.
    Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged in users. In this example, the same LDAP profile is used that is used to authenticate users to the portal.
    1. Select
      Network
      GlobalProtect
      Gateways
      and add the following configuration:
      Interface
      ethernet1/2
      IP Address
      203.0.113.1
      Server Certificate
      GP-server-cert.pem issued by GoDaddy
      Certificate Profile
      PreLogonCert
      Authentication Profile
      Corp-LDAP
      Tunnel Interface
      tunnel.2
      IP Pool
      10.31.32.3 - 10.31.32.118
    2. Commit
      the gateway configuration.
  8. Configure the GlobalProtect Portals.
    Configure
    Device
    details (networking parameters, the authentication service profile, and the certificate for the authentication server).
    Select
    Network
    GlobalProtect
    Portals
    and specify the following configuration:
    Interface
    ethernet1/2
    IP Address
    203.0.113.1
    Server Certificate
    GP-server-cert.pem issued by GoDaddy
    Certificate Profile
    None
    Authentication Profile
    Corp-LDAP
  9. Define the GlobalProtect Agent Configurations for pre-logon users and for logged in users.
    Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in.
    Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration profiles. In this first agent configuration’s
    User/User Group
    , select the
    pre-logon
    filter. With pre-logon, the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in.
    After the portal authenticates the user, it deploys the second agent configuration. In this case,
    User/User Group
    is
    any
    .
    As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in the
    Agent
    settings panel is used.
    Select
    Agent
    and specify one of the following configurations:
    • Use the same gateway before and after pre-logon users log in:
    Use single sign-on
    enabled
    Connect Method
    pre-logon
    External Gateway Address
    gp1.acme.com
    User/User Group
    any
    Authentication Override
    —Cookie authentication for transparently authenticating users and for configuration refresh
    • Use separate gateways for pre-logon users before and after they log in:
    First Agent Configuration:
    Connect Method
    pre-logon
    External Gateway Address
    gp1.acme.com
    User/User Group
    pre-logon
    Authentication Override
    —Cookie authentication for transparently authenticating users and for configuration refresh
    Second Agent Configuration:
    Use single sign-on
    enabled
    Connect Method
    pre-logon
    External Gateway Address
    gp2.acme.com
    User/User Group
    any
    Authentication Override
    —Cookie authentication for transparently authenticating users and for configuration refresh
    Make sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and click
    Move Up
    .
  10. Save the GlobalProtect configuration.
    Click
    Commit
    .
  11. (
    Optional
    ) If users will never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, create the
    Prelogon
    registry entry on the client system.
    You must also pre-deploy the default portal IP address.
    For more information about registry settings, see Deploy Agent Settings Transparently.
    1. Locate the GlobalProtect settings in the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
    2. Select
      Edit
      New
      String Value
      to create the following registry entries:
      • Create a
        String Value
        named
        Prelogon
        with a value of
        1
        . This setting enables GlobalProtect to initiate a connection before the user logs in to the endpoint.
      • Create a
        String Value
        named
        Portal
        that specifies the IP address or hostname of the default portal for the GlobalProtect endpoint.

Related Documentation