https://live.paloaltonetworks.com/t5/general-topics/ldap-server-update-dhcp-from-globalprotect/m-p/66557#M39232 <P>Hi,</P> <P>&nbsp;</P> <P>with v7 you can have GP to assign static ip's.</P> <P><A href="https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/globalprotect-features/static-ip-address-allocation.html" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/globalprotect-features/static-ip-address-allocation.html</A></P> <P>&nbsp;</P> <P>Do you mean that after users connect to GP they have to join workstation computers to domain?</P> <P>Domain joined computers should update their DNS records correctly themselves so it should not be an issue after workstation is domain joined already.</P> <P>DNS server can be configured to trust DNS record updates from non domain joined computers aswell but if you configure this then anyone can spoof your dns records and not good idea <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 14 Oct 2015 13:37:54 GMT Raido_Rattameister 2015-10-14T13:37:54Z https://live.paloaltonetworks.com/t5/general-topics/ldap-server-update-dhcp-from-globalprotect/m-p/66552#M39231 <P>Hi all,</P> <P>&nbsp;</P> <P>As you may know: &nbsp;When a client is connected on&nbsp;GlobalProtect, they are assigned a dynamic IPv4 Address, not static. &nbsp;</P> <P>&nbsp;</P> <P>In my situation, I have about 100 GlobalProtect clients. &nbsp;When the client connects for the first time, they are required to join my domain (i.e. <A href="http://www.contoso.com)." target="_blank">www.contoso.com).</A> &nbsp;My Domain Controller is behind my PA firewall. &nbsp;The Domain Controller is also my LDAP server that is used for authenticating the GlobalProtect clients.</P> <P>&nbsp;</P> <P>The purpose for connnecting to the domain controller is so we can remotely administer the devices connected on GlobalProtect using their fully qualified domain name (i.e. computer1.contoso.com) instead of having to look up their dynamic address from the firewall.&nbsp;</P> <P>&nbsp;</P> <P>Problem: &nbsp;Since the devices are assigned dynamic addresses, the IPv4 addresses are changing all the time. &nbsp;Therefore, the DNS server (Domain Controller/LDAP server) has associated the correct domain name with an incorrect IPv4 address. &nbsp;</P> <P>&nbsp;</P> <P>I am assuming there is a way to update the records on hte domain controller to pull the correct dynamic addresses from the clients, just do not know if anyone has tried it.</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> Wed, 14 Oct 2015 13:20:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-server-update-dhcp-from-globalprotect/m-p/66552#M39231 mmclimans 2015-10-14T13:20:58Z https://live.paloaltonetworks.com/t5/general-topics/ldap-server-update-dhcp-from-globalprotect/m-p/66557#M39232 <P>Hi,</P> <P>&nbsp;</P> <P>with v7 you can have GP to assign static ip's.</P> <P><A href="https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/globalprotect-features/static-ip-address-allocation.html" target="_blank">https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/globalprotect-features/static-ip-address-allocation.html</A></P> <P>&nbsp;</P> <P>Do you mean that after users connect to GP they have to join workstation computers to domain?</P> <P>Domain joined computers should update their DNS records correctly themselves so it should not be an issue after workstation is domain joined already.</P> <P>DNS server can be configured to trust DNS record updates from non domain joined computers aswell but if you configure this then anyone can spoof your dns records and not good idea <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 14 Oct 2015 13:37:54 GMT https://live.paloaltonetworks.com/t5/general-topics/ldap-server-update-dhcp-from-globalprotect/m-p/66557#M39232 Raido_Rattameister 2015-10-14T13:37:54Z