Remote Access VPN with Pre-Logon
Pre-logonis a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and then enable domain scripts and other tasks of your choice to run as soon as the endpoint powers on. A machine certificate enables the endpoint to have the VPN tunnel to the gateway. A common practice for IT personnel is to install the machine certificate while staging the endpoint for the user.
A pre-logon VPN tunnel has no username association because the user has not logged in. Therefore, to let the endpoint have access to resources in the trust zone, you must create security policies that match the pre-logon user. These policies should allow access to only the basic services for starting up the system, such as DHCP, DNS, Active Directory (for example, to change an expired password), antivirus, or operating system update services.
After the gateway authenticates a Windows user, the VPN tunnel is reassigned to that user (the IP address mapping on the firewall changes from the pre-logon endpoint to the authenticated user).
Mac systems behave differently from Windows systems with pre-logon. With Mac OS, the tunnel created for pre-logon is torn down and a new tunnel created when the user logs in.
When a client requests a new connection, the portal authenticates the client by using an authentication profile. The portal can also use an optional certificate profile that validates the client certificate (if the configuration includes a client certificate). In this case, the client certificate must identify the user.
After authentication, the portal determines if the client’s configuration is current. If the portal’s configuration for the agent has changed, it pushes an updated configuration to the endpoint.
If the configuration on the portal or a gateway includes cookie-based authentication for the client, the portal or gateway installs an encrypted cookie on the client. Subsequently, the portal or gateway uses the cookie to authenticate users and for refreshing the client’s configuration. Also, if an agent configuration profile includes the pre-logon connect method in addition to cookie-authentication, the GlobalProtect components can use the cookie for pre-logon.
If users never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, you can let the endpoint initiate a pre-logon tunnel without first connecting to the portal to download the pre-logon configuration. To do this, you must override the default behavior by creating entries in the Windows registry or Mac plist.
The GlobalProtect endpoint will then connect to the portal specified in the configuration and authenticate the endpoint by using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel.
When the end user subsequently logs in to the machine and if single sign-on (SSO) is enabled in the client configuration, the username and password are captured while the user logs in and used to authenticate to the gateway and so that the tunnel can be renamed (Windows). If SSO is not enabled in the client configuration or of SSO is not supported on the client system (for example, it is a Mac OS system) the users’ credentials must be stored in the agent (that is, the
Save User Credentialsoption must be set to
Yes). After successful authentication to the gateway the tunnel will be renamed (Windows) or rebuilt (Mac) and user- and group-based policy can be enforced.
This example uses the GlobalProtect topology shown in GlobalProtect VPN for Remote Access.
- Use thedefaultvirtual router for all interface configurations to avoid having to create inter-zone routing.
- For this example, selectand then:NetworkInterfacesEthernet
- For its interface type, selectLayer 3.
- Assign interface to: default virtual router, default virtual system, andl3-untrustsecurity zone.
- Select the address203.0.113.1(or the object that maps203.0.113.1) or add aNew Addressto create a new object and address mapping. (Leave the address type asStatic.)
- Create a DNS “A” record that maps IP address203.0.113.1togp.acme.com.
- Adda tunnel.2 interface to a new zone calledcorp-vpn. Assign it to the default virtual router.
- Enable User Identification on the corp-vpn zone.
- Create the security policy rules.This configuration requires the following policies ():PoliciesSecurity
- Create a rule that enables pre-logon user access to basic services that are required for the computer to come up, such as authentication services, DNS, DHCP, and Microsoft Updates.
- Create a rule to deny pre-logon user access to all other destinations and applications.
- Create any additional rules to enable access to specific destinations and applications for specific users or user groups. Follow the Best Practice Internet Gateway Security Policy recommendations for creating these rules.
- Use one of the following methods to obtain a server certificate for the interface that is hosts the GlobalProtect portal and gateway:Selectto manage certificates with the following criteria:DeviceCertificate ManagementCertificates
- Obtain a server certificate. Because the portal and gateway are on the same interface, the same server certificate can be used for both components.
- The CN of the certificate must match the FQDN,gp.acme.com.
- To enable clients to connect to the portal without receiving certificate errors, use a server certificate from a public CA.
- Generate a machine certificate for each client system that will connect to GlobalProtect and import them into the personal certificate store on each machine.Although you could generate self-signed certificates for each client system, as a best practice, use your own public-key infrastructure (PKI) to issue and distribute certificates to your clients.
- Install certificates in the personal certificate store on the endpoints. (Local Computer store on Windows or System Keychain on Mac OS)
- Import the trusted root CA certificate from the CA that issued the machine certificates onto the portal and gateway(s).You do not have to import the private key.
- Download the CA certificate in Base64 format.
- Import the certificate onto each firewall that hosts a portal or gateway, as follows:
- Selectand clickDeviceCertificate ManagementCertificatesDevice CertificatesImport.
- Enter aCertificate Namethat identifies the certificate as your client CA certificate.
- Browseto theCertificate Fileyou downloaded from the CA.
- SelectBase64 Encoded Certificate (PEM)as theFile Formatand then clickOK.
- Select the certificate you just imported on theDevice Certificatestab to open it.
- SelectTrusted Root CAand then clickOK.
- On each firewall that hosts a GlobalProtect gateway, create a certificate profile to identify the CA certificate for validating the machine certificates.Optionally, if you plan to use client certificate authentication to authenticate users when they log in to the system, make sure that the CA certificate that issues the client certificates is referenced in the certificate profile in addition to the CA certificate that issued the machine certificates if they are different.
- Select.DeviceCertificatesCertificate ManagementCertificate Profile
- ClickAddand enter aNameto uniquely identify the profile, such asPreLogonCert.
- (Optional) If you will also use client certificate authentication to authenticate users upon login, add the CA certificate that issued the client certificates if it is different from the one that issued the machine certificates.
- In theCA Certificatesfield, clickAdd, select the Trusted Root CA certificate you imported in 5 and then clickOK.
- ClickOKto save the profile.
- See the topology diagram shown in GlobalProtect VPN for Remote Access.Although you must create a certificate profile for pre-logon access to the gateway, you can use either client certificate authentication or authentication profile-based authentication for logged in users. In this example, the same LDAP profile is used that is used to authenticate users to the portal.
- Selectand add the following configuration:NetworkGlobalProtectGatewaysInterface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—PreLogonCertAuthentication Profile—Corp-LDAPTunnel Interface—tunnel.2IP Pool—10.31.32.3 - 10.31.32.118
- Committhe gateway configuration.
- Configure the GlobalProtect Portals.ConfigureDevicedetails (networking parameters, the authentication service profile, and the certificate for the authentication server).Selectand specify the following configuration:NetworkGlobalProtectPortalsInterface—ethernet1/2IP Address—203.0.113.1Server Certificate—GP-server-cert.pem issued by GoDaddyCertificate Profile—NoneAuthentication Profile—Corp-LDAP
- Define the GlobalProtect Agent Configurations for pre-logon users and for logged in users.Use a single agent configuration if you want pre-logon users to access the same gateways before and after they log in.Otherwise, to direct pre-logon users to different gateways before and after they log in, create two agent configuration profiles. In this first agent configuration’sUser/User Group, select thepre-logonfilter. With pre-logon, the portal first authenticates the endpoint, not the user, to set up a VPN (even though the pre-logon parameter is associated with users). Subsequently, the portal authenticates the user when he or she logs in.After the portal authenticates the user, it deploys the second agent configuration. In this case,User/User Groupisany.As a best practice, enable SSO in the second agent configuration so that the correct username is immediately reported to the gateway when the user logs in to the endpoint. If SSO is not enabled, the saved username in theAgentsettings panel is used.SelectAgentand specify one of the following configurations:
Use single sign-on—enabledConnect Method—pre-logonExternal Gateway Address—gp1.acme.comUser/User Group—anyAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refresh
- Use the same gateway before and after pre-logon users log in:
First Agent Configuration:Connect Method—pre-logonExternal Gateway Address—gp1.acme.comUser/User Group—pre-logonAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refreshSecond Agent Configuration:Use single sign-on—enabledConnect Method—pre-logonExternal Gateway Address—gp2.acme.comUser/User Group—anyAuthentication Override—Cookie authentication for transparently authenticating users and for configuration refreshMake sure the pre-logon client configuration is first in the list of configurations. If it is not, select it and clickMove Up.
- Use separate gateways for pre-logon users before and after they log in:
- Save the GlobalProtect configuration.ClickCommit.
- (Optional) If users will never log into a device (for example, a headless device) or a pre-logon connection is required on a system that a user has not previously logged into, create thePrelogonregistry entry on the client system.You must also pre-deploy the default portal IP address.For more information about registry settings, see Deploy Agent Settings Transparently.
- Locate the GlobalProtect settings in the registry:HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup
- Selectto create the following registry entries:EditNewString Value
- Create aString ValuenamedPrelogonwith a value of1. This setting enables GlobalProtect to initiate a connection before the user logs in to the endpoint.
- Create aString ValuenamedPortalthat specifies the IP address or hostname of the default portal for the GlobalProtect endpoint.
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: Certificate Usage Issuing ...
GlobalProtect Portals Authentication Configuration Tab
GlobalProtect Portals Authentication Configuration Tab Select Network GlobalProtect Portals Authentication to configure several different types of GlobalProtect portal settings: An SSL/TLS service profile that the ...
Client Certificate Authentication
Client Certificate Authentication For enhanced security, you can configure the portal or gateway to use a client certificate to obtain the username and authenticate the ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
How Does the Agent Know Which Certificate to Supply?
How Does the Agent Know Which Certificate to Supply? When you configure GlobalProtect to use client certificates for authentication on Mac or Windows endpoints, GlobalProtect ...
Remote Access VPN (Certificate Profile)
Remote Access VPN (Certificate Profile) With certificate authentication, the client must present a valid client certificate that identifies the user to the GlobalProtect portal or ...
GlobalProtect Portals Agent Authentication Tab
GlobalProtect Portals Agent Authentication Tab Select Network GlobalProtect Portals Agent Authentication to configure the authentication settings that apply to the agent configuration. GlobalProtect Portal Client ...
Remote Access VPN (Authentication Profile)
Remote Access VPN (Authentication Profile) In the GlobalProtect VPN for Remote Access , the GlobalProtect portal and gateway are configured on ethernet1/2, so this is ...
Remote Access VPN with Two-Factor Authentication
Remote Access VPN with Two-Factor Authentication If you configure a GlobalProtect portal or gateway with an authentication profile and a certificate profile (which together can ...