GlobalProtect
Use Connect Before Logon
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
- 10.1 & Later
- 9.1 (EoL)
-
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- 6.1
- 6.0
- 5.1
-
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
Use Connect Before Logon
To use Connect Before Logon, choose the authentication method.
You cannot use the Pre-logon and Pre-logon then On-demand connection methods simultaneously with
Connect Before Logon.
You cannot use Connect Before Logon to connect to an internal gateway.
To simplify the login process and improve your experience, GlobalProtect offers Connect Before
Logon to allow you to establish the VPN connection to the corporate network before
logging in to the Windows 10 endpoint using a Smart card, authentication service
such as LDAP, RADIUS, or Security Assertion Markup Language (SAML),
username/password-based authentication, or one-time password (OTP) authentication.
Your GlobalProtect administrator could have enabled Connect Before Logon to onboard
you as a new GlobalProtect user on an endpoint that does not yet have a local user
profile or user account. Connect Before Logon is disabled by default. When the
administrator enables Connect Before Logon, you can launch the GlobalProtect app
credential provider and connect to the corporate network before logging in to
Windows endpoint. After Connect Before Logon establishes a VPN connection, you can
use the Windows logon screen to log in to the Windows endpoint. GlobalProtect can
act as a Pre-Login Access Provider (PLAP) credential provider to provide access to
your organization before logging in to Windows.
Because Connect Before Logon prompts you to authenticate twice on the portal and gateway when
logging in to the Windows endpoint for the first time, the Authentication
Override cookie isn't working as expected.
To use Connect Before Logon, the administrator must deploy the settings in the Windows
registry and you choose the authentication method:
Connect Before Logon Using Smart Card Authentication
Connect Before Logon supports smart card authentication. The
administrator must import the Root CA certificate that issued the
certificates contained on the smart card onto the portal and gateway.
The administrator can apply the certificate profile and that Root
CA to your portal or gateway configuration to enable use of the
smart card in the authentication process. You can authenticate to
GlobalProtect prior to logging into the Windows endpoint using a
smart card. When prompted, insert your smart card to verify that
smart card authentication is successful. If smart card authentication
is successful, GlobalProtect will connect to the portal or gateway
specified in the configuration.
- Before you can use Connect Before Logon, the administrator must have completed the following tasks:
- Deploy Connect Before Logon Settings in the Windows registry.Set up the smart card for two-factor authentication.Assign the certificate profile to the GlobalProtect portal.Configure the gateway to authenticate end users based on a smart card.Log in to the Windows endpoint using Connect Before Logon.
- Click the Network Sign-In (If the VPN connection is successful, the Disconnect ((Optional) If you are logging in to the endpoint for the first time and the portals have not been predefined by the administrator, enter the FQDN or IP address of the GlobalProtect portal, and Submit.(Optional) If you are logging in to the endpoint for the first time and the portals have been predefined by the administrator, select a portal from the Portal drop-down, and click the arrow to submit.Select the client certificate from a list of valid certificates on the endpoint to authenticate with the portal or gateway, and click the arrow to submit.Enter the Personal Identification Number (PIN) of the smart card, and click the arrow to submit.If authentication is successful, the connection status displays Connected upon successful VPN connection. Click Back to display the Windows logon screen.Verify that you are connected to the GlobalProtect gateway.
- Log in to the Windows endpoint again. Click the Network Sign-In (The status panel opens. By default, you are automatically connected to the Best Available gateway.
Connect Before Logon Using SAML Authentication
Connect Before Logon supports SAML authentication for user login. You can authenticate to GlobalProtect prior to logging into the Windows endpoint using the configured SAML identity providers (ldPs) such as Onelogin or Okta. If SAML authentication is successful, GlobalProtect will connect to the portal or gateway specified in the configuration.Connect Before Logon with SAML authentication method is supported on all GlobalProtect versions when using the older embedded webview (oew). However, blank screen and JavaScript errors may be intermittently displayed when loading certain external IdP URLs in the Connect Before Logon mode. This issue arises from the fact that the older embedded webview uses the legacy IE browser, which has been deprecated in Windows 11. The alternative Edge browser-based WebView2 does not support Connect Before Logon method. GlobalProtect will continue to use the legacy IE-based older embedded webview (oew) with the above limitation.- Before you can use Connect Before Logon, the administrator must have completed the following tasks:
- Deploy Connect Before Logon Settings in the Windows registry.Set up SAML authentication to authenticate end users.
- Create a server profile with settings to the SAML authentication service.
- Create an authentication profile that refers to the SAML server profile.
Specify SAML authentication for the GlobalProtect gateway.Specify a SAML authentication for the client (see Define the GlobalProtect Client Authentication Configurations).When Enforce GlobalProtect Connections for Network Access mode is enabled for the GlobalProtect app, you must add the fully qualified domains (FQDNs) of the SAML authentication page to the exclusion list in the app settings of the GlobalProtect portal configuration.Log in to the Windows endpoint using Connect Before Logon.- Click the Network Sign-In (If the VPN connection is successful, the Disconnect ((Optional) If you are logging in to the endpoint for the first time and the portals have not been predefined by the administrator, enter the FQDN or IP address of the GlobalProtect portal, and click the arrow to submit.(Optional) If you are logging in to the endpoint for the first time and the portals have been predefined by the administrator, select a portal from the Portal drop-down, and click the arrow to submit.Enter the username and password to authenticate to the ldP, and then click Sign In.If authentication is successful, the connection status displays Connected upon successful VPN connection. Click Back to display the Windows logon screen.Verify that you are connected to the GlobalProtect gateway.
- Log in to the Windows endpoint again. Click the Network Sign-In (The status panel opens. By default, you are automatically connected to the Best Available gateway.
Connect Before Logon Using Username/Password-Based Authentication
Connect Before Logon supports username/password-based authentication for user login using an authentication service such as LDAP, RADIUS, or OTP. You can authenticate to GlobalProtect prior to logging into the Windows endpoint using the username and password credentials. If username/password-based authentication is successful, GlobalProtect will connect to the portal or gateway specified in the configuration.- Before you can use Connect Before Logon, the administrator must have completed the following tasks:
- Deploy Connect Before Logon Settings in the Windows registry.Set up access to the GlobalProtect portal to authenticate end users to the portal using their credentials.Configure a GlobalProtect gateway to authenticate end users to the gateway using their credentials.Connect Before Logon does not support a custom authentication message.Log in to the Windows endpoint using Connect Before Logon.
- Click the Network Sign-In (If the VPN connection is successful, the Disconnect ((Optional) If you are logging in to the endpoint for the first time and the portals have not been predefined by the administrator, enter the FQDN or IP address of the GlobalProtect portal, and click the arrow to submit.(Optional) If you are logging in to the endpoint for the first time and the portals have been predefined by the administrator, select a portal from the Portal drop-down, and click the arrow to submit.Enter the username and password, and click the arrow to submit.If authentication is successful, the connection status displays Connected upon successful VPN connection. Click Back to display the Windows logon screen.Verify that you are connected to the GlobalProtect gateway.
- Log in to the Windows endpoint again. Click the Network Sign-In (The status panel opens. By default, you are automatically connected to the Best Available gateway.