topic Re: Anyone ever use “internal host detection” on GP? in General Topics

Anyone ever use “internal host detection” on GP?

junior_r — Fri, 27 Oct 2017 23:37:53 GMT

Hi,

Anyone ever use “internal host detection” on GP? For some reason it does not try to do the test. I checked the GP services log and did not find an entry there. I am trying to force "enforce GlobalProtect for Network Access" when users are cocnneced to the internet.

Thanks

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sat, 28 Oct 2017 08:06:37 GMT

Works ok for me,

globe displays little house, more like a dogs kennel when connected to lan.

not using enforce option, just always on.

i did have to allow globalprotect connection frm lan to wan for users to get GP config for the first connection attempt.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sat, 28 Oct 2017 12:56:20 GMT

Hi,

On the Always on option did you get a one time password to work with LDAP? I am not sure how to get OTP working as Windows logon screen only allows user name and password and with SSO enabled it will only carry username and password.

Thansk

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sat, 28 Oct 2017 20:16:16 GMT

I am confused by your reply... never seen otp with ldap...

could you explain in more detail your authentication process.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sat, 28 Oct 2017 20:53:17 GMT

HI,

Want I want is Global Protect to be set to User-Logon. CLient logs on to Windows 7 SSO takes creds and supplies it to Portal. Then for Gateway it promotes user for RADIUS RSA OTP. I can get this to work without SSO, but I want to use User-Logon SSO. I want it so i promotes user for PIN when they login to the PC. If its added to the main windows logon page then there can be an issue when they are on the local network and GP is not needed.

Thanks

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sat, 28 Oct 2017 21:21:09 GMT

Still not quite sure what you are trying to achieve.

you cannot mix sso with otp. Sso will only use windows credentials.

our users do enter a pin before logon to windows but this is via bitlocker disk encryption.

globalprotect cannot modify the windows logon process.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sat, 28 Oct 2017 21:28:23 GMT

ok thanks you have answered my question cannot have a mix of both SSO and OTP. Have you gotten "enforce GlobalProtect for Network Access disable when on internal network" and "Internal Host Detection" to work on user-connect method? It is not working for me. When I check the GPS*log it does not show it trying to do the DNS resolution on the internal name I provided.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sat, 28 Oct 2017 21:29:43 GMT

I have a client that wants to use OTP and always on but I am guessing this is not possible.

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sun, 29 Oct 2017 07:44:31 GMT

Are you saying that the GP client just connects as normal or does it not connect at all.

I only ask this because the GP client needs to make connection when first installed to obtain the settings for internal host detection.

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sun, 29 Oct 2017 09:30:02 GMT

Otp and always on... i dont see why not. But make sure for otp that you configure authentication overide in both portal and gateway config or the gateway will try to use the same otp and fail.

You may be better off by adding this as a new post.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sun, 29 Oct 2017 10:30:53 GMT

I did connect to portal to pull down new configuration, but it seems "internal host detection" does not work with on-demand method

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Sun, 29 Oct 2017 12:12:24 GMT

Ok it may just be that it’s not needed for on demand mode, i suppose you’d need to ask yourself why would you even try to connect when on the local network. In that case i suppose it only works for always on to prevent auto connecting on lan.

somebody else may have the answer here but I’m going to try it on monday/tuesday so if you find the answer, please update this post.

Re: Anyone ever use “internal host detection” on GP?

junior_r — Sun, 29 Oct 2017 15:44:08 GMT

Ok will do.. Pretty much requirment is OTP and to enforce global protect to connect from external network. Internal network does not GP. This works fine with LDAP and user-logon. It does not work with on-demand.

Thanks

Re: Anyone ever use “internal host detection” on GP?

Mick_Ball — Tue, 31 Oct 2017 09:59:25 GMT

to confirm...

internal host detection does not work with "on demand".

i suppose the intention for this is to prevent "always on " from auto connecting when not needed as the user will have no intervention.