PreLogon Tunnel

  • 24 July 2023


Hi All

Could someone please shed some light on the queries below? We are having issues with the Prelogon Tunnel in our environment.

  1. Do we need to specify the prelogonuser= argument during the MSI install with 105.0x?
  2. Since Client Configs do not allow the use of the same prelogin account in different configs, what is the expected behavior when different users associated with different client configs log in to the perusermode-configured machine? Would the prelogon account change to the one defined in the client config pulled down by the last logged-in user?

Especially when logged-on users change their AD passwords, they get the error “Information could not be read from the domain controller”.

Please advise

Thanks

Parul


7 replies

Userlevel 6
Badge +16

Hello @parulparashar,

1. Yes. If you want the prelogon tunnel to establish prior to a user logging in and the client enrolling, you need to specify a valid prelogon user in the MSI string.

2. Once a user is logged on and enrolled, the prelogon user will be based on whatever device config that user receives, so it may or may not change depending on your configuration.

The error indicates that the prelogon tunnel is either not established or proper access isn't granted via NPA policies to the prelogon user.  You can begin verifying that the prelogon user properly enrolled by using the "Show prelogon users" under the devices page:

https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/deploy-the-netskope-client-for-netskope-private-access/configure-client-prelogon-connectivity/#device-enrollment

Client logs can be used to verify the connection and entitlements as well but I would suggest opening a support case for assistance reading these logs. 

Badge +1

Thanks Sam for the reply.

I will test the advised.

Thanks Again.

Userlevel 5
Badge +16

As a follow-up, is there a recommended path to follow to enable prelogon tunnels for previously deployed devices? Is it just adding the necessary config to the client config, or does it require a new install of the client with the required parameters?

Badge +12

Would like to know the answer to @qyost's question. Adding on, when the prelogin details from the client config are downloaded, do they take effect immediately without a reboot or service restart? [thinking of a multiple client config scenario]

Userlevel 6
Badge +16

@qyost apologies for the delay.  It does not require a new install of the client.  As you mentioned, once you enable the device (client) config and the client checks in then the prelogon tunnel will be enabled for devices where that config applies based on user group or OUs.  

Userlevel 5
Badge +16

So, specification in the client install is only used for the "first boot" after install, before the user has registered and received the pushed configuration?

 

Userlevel 6
Badge +16

That's correct.  Depending on how many device configurations you have it may remain the same prelogon user but it might change once the device configuration is updated.  
