Funny you should ask, I've had that question at work earlier this week! :)
WHFB (I'm assuming you want the 'for business' flavor) uses its own credential provider for logging on, so you must choose either GP or WHFB; they can't coexist for the same logon. This makes SSO problematic since you can then only rely on client certificates to authenticate the GP agent and set up a tunnel.
Not sure what the official stance is from Palo, but you could piece together a plethora of additional measures to account for the decreased security of the authentication for the tunnel, by setting more strict UserID rules on the firewall and adding CaptivePortal or having a UID-Agent scan the GP clients, ...