topic GlobalProtect Gateway behind reverse proxy in GlobalProtect Discussions

GlobalProtect Gateway behind reverse proxy

CLiqr — Fri, 17 Apr 2026 15:30:42 GMT

Is there a way to put the globalprotect gateway behind a reverse proxy for sslvpn only?
I know that technically you can just NAT to the gateway but it is wanted to put the gateway behind a reverse proxy and not use ipsec, only sslvpn.
When I try this, the globalprotect app is allowed but the connection fails nonetheless. I assume this is because the reverse proxy is basically breaking open the connection and in this case is the "meddler in the middle" and is simply not possible because of this?!?

Re: GlobalProtect Gateway behind reverse proxy

reaper — Mon, 20 Apr 2026 08:44:25 GMT

Is the intent to disable IPSec in favor of SSL, because you can simply set that in the GlobalProtect gateway:

It sounds like your reverse proxy may be changing things in the payload of the TLS connection, could it be set to passthrough and not interfere/decrypt ?

Re: GlobalProtect Gateway behind reverse proxy

CLiqr — Mon, 20 Apr 2026 09:47:28 GMT

intent is to allow globalprotect through port 443 as sslvpn in most guest or public networks is not blocked but there is no separate IP
problem is that a reverse proxy is already in place on the only IP
configuring the proxy as stream proxy and then forwarding all but that one SNI to another loopback IP address of the reverse proxy is unfortunately not an option and it seems there is no other option globalprotect likely intentionally doesnt not establish the tunnel if this is detected