VPN - User-Login (Always ON) Configuration

Happy Friday all!

New Palo admin here. I need some help understanding how VPN configurations work. Currently, we have an On-Demand agent config, for any user and any OS, at connect.%companyname.com. This is working great.

We have a newish type of employee that we will be hiring here in the next six months, all of whom will be remote and traveling. This type of work is new to our company, and we need to put in place an Always-On VPN solution for these remote employees. From my initial research, it looks like we will need a VPN agent with the authentication method “User-Login (Always ON)”.

Our current client needs to function for everyone who's not one of these new employees.

My questions for the experts of /r/paloaltonetworks are as follows.

  1. Do I need a new hostname like remoteconnect.%companyname.com, or can I keep the existing connect.%companyname.com?
  2. If I need a new hostname, I'm assuming I'll need a new public IP attached to the firewall (not a problem).
  3. If I can keep my hostname, do I go to the current portal config and just add the new agent with a profile containing an AD group of target users, as well as setting “user-login”? (Assuming I'll need to scope the On-Demand users into a group as well instead of “All”.)

Thank you everyone for your help… if you need more info from me, I'll be happy to provide it.

If you are going to have the new hires in an AD group that you can use, then you can create a new agent configuration, specifying the AD group as match criteria and using Always-On in the App settings.

Agent configurations are applied from top to bottom, so you can put the new agent config on top of the existing one. Basically, it will apply Always-On to those users and On-Demand for everybody else.

Be aware that if you are using SAML authentication for your existing users, you'll need to use SAML for the new hires as well. SAML does not support an authentication sequence like RADIUS then LDAP.
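As an added illustration (this is not code from the thread and not PAN-OS itself), here is a small Python model of the portal's top-down agent-config selection described above: configs are an ordered list, each with group and OS match criteria, and the first match wins. It also includes a simple shadowing check, so you can see why the narrower Always-On config must sit above the catch-all On-Demand one. The group names `remote-workers` and `staff`, the config names, and the sample users are all constructed for the example.

```python
from dataclasses import dataclass, field

ANY = "any"  # models the "any" user-group / OS match criterion


@dataclass
class AgentConfig:
    """One GlobalProtect portal agent configuration (simplified model)."""
    name: str
    connect_method: str                       # "user-logon" (Always-On) or "on-demand"
    groups: set = field(default_factory=lambda: {ANY})
    os: set = field(default_factory=lambda: {ANY})

    def matches(self, user_groups, user_os):
        group_ok = ANY in self.groups or bool(self.groups & set(user_groups))
        os_ok = ANY in self.os or user_os in self.os
        return group_ok and os_ok

    def covers(self, other):
        """True if every endpoint that matches `other` also matches `self`."""
        groups_cover = ANY in self.groups or (ANY not in other.groups and other.groups <= self.groups)
        os_cover = ANY in self.os or (ANY not in other.os and other.os <= self.os)
        return groups_cover and os_cover


def select_config(configs, user_groups, user_os):
    """Portal evaluation: walk the list top to bottom, return the first match (or None)."""
    for cfg in configs:
        if cfg.matches(user_groups, user_os):
            return cfg
    return None


def connect_method_for(configs, user_groups, user_os):
    cfg = select_config(configs, user_groups, user_os)
    return cfg.connect_method if cfg else None


def shadowed_configs(configs):
    """Names of configs that can never be selected because an earlier, broader one always wins."""
    shadowed = []
    for i, cfg in enumerate(configs):
        if any(earlier.covers(cfg) for earlier in configs[:i]):
            shadowed.append(cfg.name)
    return shadowed


# Constructed sample configs (hypothetical names and AD groups)
ALWAYS_ON = AgentConfig("remote-always-on", "user-logon", groups={"remote-workers"})
ON_DEMAND = AgentConfig("default-on-demand", "on-demand")   # any group, any OS

CORRECT_ORDER = [ALWAYS_ON, ON_DEMAND]   # narrow config first
WRONG_ORDER = [ON_DEMAND, ALWAYS_ON]     # catch-all first: Always-On never applies


if __name__ == "__main__":
    for order_name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(order_name, "remote-worker ->", connect_method_for(order, {"remote-workers"}, "Windows"))
        print(order_name, "staff         ->", connect_method_for(order, {"staff"}, "Mac"))
        print(order_name, "shadowed      ->", shadowed_configs(order))
```

With the correct order a remote worker gets `user-logon` and everyone else falls through to `on-demand`; with the catch-all on top the Always-On config is reported as shadowed and nobody ever receives it, which is the quiet failure to check for after adding the new agent config.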

Pretty good question, curious to know the answer; unfortunately I don't have anything to help you.
But I am really curious about the remote and travelling work scope in this market. If possible, could you shed some light on it? (I know that it's too much to ask lol)