Always-On VPN - Where to start?

I am having a tough time figuring out how to even get started with this. For signing in, do users authenticate with their Windows credentials or via cert? What is the purpose of internal host detection vs internet gateway? Are there any solid guides on setting this up?

If you are doing pre-logon, you can have the client certificate auth before a user logs into the system. Then when the user logs on to the system the tunnel will re-auth with user credentials.

You start with requirements. What are you trying to accomplish and what security is needed? Convenience vs security?

Captive portal is a bitch

Always on does not require certificates. You do need to have people log on manually the first time. Pre-login is a bit more to set up and does require certificates.
I recommend you test to make sure internal detection works properly.

Always on is only slightly different from manual mode.
The client will connect on its own when the user logs in. That’s it.

I assume you’re also talking about connecting before login, but that is a different feature.

Internal host detection only works in always-on mode. The point is to have the client identify that it’s internal already so it won’t initiate the VPN connection. An internal gateway gives you more features such as HIP enforcement, segmentation, etc.
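Added illustration (not from any poster and not vendor code) of the decision the client makes: it assumes internal host detection is a reverse DNS lookup of a configured internal IP that must resolve to a configured hostname, which is how GlobalProtect implements it, and all IPs and names are constructed sample values. The resolver is injectable so the logic, including the "lookup fails, so bring the tunnel up" default, can be exercised without a network.

```python
import socket
from typing import Callable

# Constructed sample policy values an admin would configure for internal host
# detection (assumption: an IP/hostname pair the client checks via reverse DNS).
INTERNAL_HOST_IP = "10.0.0.5"
INTERNAL_HOST_FQDN = "vpn-probe.corp.example"

# A resolver maps an IP to a hostname and raises OSError when no PTR answer exists.
Resolver = Callable[[str], str]


def reverse_lookup(ip: str) -> str:
    """Default resolver: PTR query through the OS resolver (socket.gethostbyaddr)."""
    return socket.gethostbyaddr(ip)[0]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare canonically."""
    return name.rstrip(".").lower()


def is_internal(ip: str = INTERNAL_HOST_IP, expected_fqdn: str = INTERNAL_HOST_FQDN,
                resolver: Resolver = reverse_lookup) -> bool:
    """True only when the configured IP reverse-resolves to the configured hostname.

    Any resolver failure (no PTR record, timeout, unreachable DNS) counts as
    "not internal": the safe default for an always-on client is to connect.
    """
    try:
        answer = resolver(ip)
    except OSError:
        return False
    return normalize(answer) == normalize(expected_fqdn)


def choose_gateway(ip: str = INTERNAL_HOST_IP, expected_fqdn: str = INTERNAL_HOST_FQDN,
                   resolver: Resolver = reverse_lookup) -> str:
    """Always-on decision: internal clients use the internal gateway (where HIP and
    segmentation policy still apply); everyone else builds the external tunnel."""
    if is_internal(ip, expected_fqdn, resolver):
        return "internal-gateway"
    return "external-vpn-tunnel"


if __name__ == "__main__":
    # Constructed resolvers so the demo runs offline; the real client uses reverse_lookup.
    def corp_dns(ip: str) -> str:        # answers as the corporate DNS would
        return "VPN-PROBE.corp.example."  # case/trailing dot differ but still match

    def public_dns(ip: str) -> str:      # no PTR record for a private address
        raise OSError("no PTR record")

    print("on corp LAN  ->", choose_gateway(resolver=corp_dns))    # internal-gateway
    print("on public net->", choose_gateway(resolver=public_dns))  # external-vpn-tunnel
```

Because the check is only a DNS answer, treat it as a convenience signal that decides whether to auto-connect, never as proof of network location; the tunnel's certificate and user authentication remain the actual security boundary.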

machine certificate*