topic Re: Global Protect External Gateways and Azure Traffic Manager - Potential configuration issues. in GlobalProtect Discussions

Global Protect External Gateways and Azure Traffic Manager - Potential configuration issues.

David_Godwin — Wed, 03 Feb 2021 09:07:17 GMT

Hi All,

We have been experiencing some odd behavior with our Global Protect Client VPN and I wanted to better understand what our design should look like and if we had conflict somewhere.

Our organisation currently uses Azure Traffic Manager to distribute requests for vpn.organisation.com to geographically separated Palo Alto Gateways (based on a priority setting in azure rather than geo).

We have 3 external gateways configured:

External Gateway 1 - europe-vpn.organisation.com
External Gateway 2 - australia1-vpn.organisation.com
External Gateway 3 - australia2-vpn.organisation.com

I have been investigating the each of the 3 external gateways configuration and noticed the following:
GlobalProtect Portal Configuration --> Agent --> Configs

Each site appears to have 2 x external gateways configured, for example:

External Gateway 1
europe-vpn.organisation.com
vpn.organisation.com

External Gateway 2
australia1-vpn.organisation.com
vpn.organisation.com

External Gateway 3
australia2-vpn.organisation.com
vpn.organisation.com

Ultimately my question is as follows:

Will using Azure Traffic Manager along with each External gateway having the configuration as described above, cause a conflict in the way that the gateways operate?

I suspect that the individual external gateways 1/2/3 are using their own selection criteria and conflicting with what Azure Traffic Manager is doing.

From some positive testing results, it looks like the external gateways 1/2/3 only need to have themselves configured so that the Azure Traffic Manager can do what it's supposed to do.

Thanks in advance for any advice, if I haven't explained clearly enough, please let me know.

Re: Global Protect External Gateways and Azure Traffic Manager - Potential configuration issues.

admin.mbashir — Thu, 11 Nov 2021 17:49:29 GMT

Hi David,

Did you manage to resolve the issue? I have the same situation.

Re: Global Protect External Gateways and Azure Traffic Manager - Potential configuration issues.

David_Godwin — Mon, 15 Nov 2021 02:37:27 GMT

Hey mate,

Yes we did actually. It turns out that using ATM was not the issue. For each of our external Gateways, we only ended up specifying itself as a gateway. As far as I know that means they aren't aware of the other External Gateways in our environment allowing ATM to handle the decision making effectively.

When a client hits "vpn.organisation.com" in Azure Traffic Manager, it redirects the request to the relevant External Gateway (europe-vpn.organisation.com, australia1-vpn.organisation.com or australia2-vpn.organisation.com) based on our selection criteria. We haven't had any issues with this so far and fail-over has been tested.

I think when I posted this query I was having issues with the GP Client "Stealing Focus" and trying to find Gateways whilst on a corporate network..... That side of the issue was solved by enabling "Internal Host Detection". That enables the GP Client to figure out its on a corp/internal network and chill out.

Hope this helps.

Re: Global Protect External Gateways and Azure Traffic Manager - Potential configuration issues.

W.Principe183231 — Mon, 27 Jan 2025 21:14:34 GMT

Hi, I hope you're doing well. It's been almost four years now, and I just wanted to check in to see how you're managing the certificate for your GlobalProtect.

We have a SAML certificate installed on every gateway, but pointing the main domin host to ATM caused some certificate errors for us.

Thanks!