topic Re: Auto Sign-In for Harmony SASE in SASE and Remote Access

Auto Sign-In for Harmony SASE

thelmer — Tue, 11 Feb 2025 20:44:12 GMT

Hello,

We are inquiring on the ability to force users to sign into the Harmony SASE application once they are logged into Windows.
With our last VPN solution, we had the capabilities to lock down our users' ability to do anything other than authenticate themselves and connect to the VPN.

As of right now, our users are able to access the internet BEFORE connecting to the SASE gateway due to them having to click "Sign-In to Private Access" to start the process.

We have "Always On VPN" enabled but that only seems to function AFTER they are signed in, during the allotted timeframe we have set in the SASE User Profile (12 hours).

We currently use Harmony Browse as well which does allow us to enforce threat prevention and DLP policies while our users are off the VPN, but we do not see a way to lock down sites before users get connected to the VPN.

Please advise.

Thank you!

Re: Auto Sign-In for Harmony SASE

PhoneBoy — Tue, 11 Feb 2025 23:26:08 GMT

In the relevant User Profile, what settings are set under Agent Configuration > General Settings?

Also, did you use the Kill Switch with Always-On?
This seems like it'd be required for your desired use case.

Re: Auto Sign-In for Harmony SASE

the_rock — Wed, 12 Feb 2025 00:09:28 GMT

I believe what Phoneboy gave you is indeed what you need to do. P81 support gave me the same when my colleague and I did POC for the customer last year for Harmony Sase. Not sure if there are any additional settings now, but thats what fixed it for us.

Andy

Re: Auto Sign-In for Harmony SASE

thelmer — Thu, 13 Feb 2025 17:02:29 GMT

Thank you @PhoneBoy and @the_rock

Currently, Always On and the Killswitch are enabled.
Attached is a screenshot of the pertinent settings.

While these settings do auto-connect to the specified VPN, and the killswitch does function correctly, it seems to occur ONLY if the current user is already signed into the application.
Because we have an auto sign-out of the application set for 12 hours, when our staff begin work the next day, they are required to sign into the app again.
The issue is that before they manually click Sign In, they have free range access to the internet.

We are thinking this can be circumvented if we increase the amount of time before the automatic sign out, but ultimately we would like our staff to authenticate themselves (Azure + DUO 2FA) each time they attempt to connect to the VPN.

Re: Auto Sign-In for Harmony SASE

the_rock — Thu, 13 Feb 2025 17:15:07 GMT

In that case, I would open case with P81 support. Not sure how it works these days,as few months ago when I called TAC, they asked me to simply email support@perimeter81.com and they then gave me a reference number, though it was only via email. I could not find phone number to call them anywhere and TAC did not have it either.

Best,

Andy

Re: Auto Sign-In for Harmony SASE

the_rock — Fri, 14 Feb 2025 00:14:28 GMT

@thelmer

One other thing I forgot to say, if you do end up emailing them, they will eventually ask for access to the portal, so you may be required to provide that.

Andy