topic Re: To force client to switch to internal network in General Topics

To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 08:53:47 GMT

Hello all

we have mobile clients with GP which use corporate notebooks at home .It was configured user logon option to force the notebook to connect through GP when it connects to home WI-FI

When the same worker comes back to workplace and plugged in the ethernet cable they still use the same GP network

Is there any way to force the client notebook to recognize the internal network and dont use GP with user logon option in place?

Re: To force client to switch to internal network

Rajesh12 — Wed, 14 Nov 2018 09:00:10 GMT

Hello @Radmin_85

You can configure internal gateway (without tunnel mode) and make use of 'Internal Host Detection' in agent configuration to determine if host is within the network or outside the network.

You can find more information in the below link.

https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 10:51:40 GMT

hello @Rajesh12

Yes we did it but the problem is when PA try to connect to that gateway (without tunnel mode) it asks for certificate and we use the same certificate (company certificate) which we use to connect to PA outside network (which is ok) it says Bad request

So as i understand the host could not reach to portal even to see the internal host identification and that is why can not recognize internal network

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 10:56:47 GMT

can you post a screen shot of your agent/gateways setting.

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 11:11:34 GMT

sorry just read all your post. do you know why your getting the cert error.

yesy the client still connects to the portal befor internal host detection.

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 12:02:49 GMT

@Mick_Ball

i guess i even can not connect to Portal too

Because normally when i type in browser the internal gateway i must get into the page where i usually download the GP agent app.But i even can not do it.It ask for certificate and then when i use certificate it says bad request

IT is everything ok when i do it outside the network,But the problem is when i try to connect inside the corporate network

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 12:08:43 GMT

Not sure what you mean by internal gateway! you do not need one for internal host detection.

here is my setup.

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 12:17:42 GMT

@Mick_Ball

you have not give the address pool?

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 12:24:57 GMT

you do not need one for internal host detection.

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 12:31:34 GMT

@Mick_Ball

I created an extra internal gateway without tunnel mode.That is what i mean

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 12:38:32 GMT

so do you actually use internal gateways. or are you just adding them for internal host detection

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 13:55:21 GMT

@Mick_Ball just added it for internal host detection

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 14:00:19 GMT

you do not need it for internal host detection. remove it.

Re: To force client to switch to internal network

Radmin_85 — Wed, 14 Nov 2018 19:10:35 GMT

@Mick_Ball

The problem is that

In GP application there is an option which says that when the user takes the corporate notebook and go home to connect to home Wi fi and to work he must connect the to GP portal first otherwise you can not get access to anything even Internet from home

When that user comes back to office and connect his Notebook to corporate LAN he get the local network ip address but at the same time tries to connect to GP portal (because of user logon).So it can not connect to outside IP and that is why the user can not get access to anywhere even though it got the local ip address from DHCP

So there must be some mechanism when user connect his laptop to internal lan in the office it must recognize the local network and must connect to other gateway.i guess that must be internal gateway

Re: To force client to switch to internal network

Mick_Ball — Wed, 14 Nov 2018 19:18:53 GMT

Why cant your users connect to the portal (outside ip) when they are connected to the internal lan. Are you blockng it.

Re: To force client to switch to internal network

Rajesh12 — Thu, 15 Nov 2018 03:09:07 GMT

Please do verify if you have any routing issues/firewall block with in internal network for connecting to your portal public IP. Access to GP portal will work irrespective of client location (either internal network or from internet) until it is reachable.

Re: To force client to switch to internal network

Radmin_85 — Thu, 15 Nov 2018 06:34:55 GMT

@Rajesh12

@Mick_Ball

So in order to connect to outside IP i have to configure it as gateway under internal host detection ?

Re: To force client to switch to internal network

Mick_Ball — Thu, 15 Nov 2018 07:25:04 GMT

No, the internal host detection should be something that is on your internal network an resolvable by DNS.

so if you have a domain controller called ad.mynet.com and its address is 10.10.10.1 then put it in the internal host detection settings.

it does not have to be a server, anything that exists on your lan will suffice.

but you need to confirm you can srill see external portal address from lan.

can you browse to it from your lan.

Re: To force client to switch to internal network

Radmin_85 — Thu, 15 Nov 2018 19:37:40 GMT

@Mick_Ball

Mike i guess we must configure split DNS in order to connect to the same FQDN whether we are inside the LAN or outside

It is not best practice to connect to your outside ip through your gateway device.

In GP there is internal Gateway.I guess the internal gateway is the method by which you can connect to portal through your internal gateway

Re: To force client to switch to internal network

Mick_Ball — Fri, 16 Nov 2018 06:46:56 GMT

When you use internal host detection you do not need to connect to a gateway.

you only connect to the portal to get your portal config..

when you get your portal configuration from your external address the GP clien does a quick test on the settings you have for internal host detection.

if it detects the internal host Then GP client stops trying to connect and you get a little house in your GP icon.

so to confirm.... you do not need internal gateways for internal host detection.

you do not need split DNS. What happens when you browse to your external portal address from your lan.