topic Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi in General Topics

How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Jochen.Reinecke — Fri, 19 Oct 2018 06:46:25 GMT

Hey Guys,

i'm currently testing the GlobalProtect App 5 with iOS Deviecs and Airwatch MDM. Everything works great, but it seems like that it isn't important which setting i've selected in the Portal > Agent > App (Settings). I've tried to enforce GlobalProtect for Network Access on iPhone but i can still deselect "connect on demand", so it is possible to access the Internet without GP.

Any Ideas? Does the Agent Settings effect? Anything else to configure espacially in AirWatch?

Thanks and best regards,

Jochen

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Mick_Ball — Fri, 19 Oct 2018 09:55:39 GMT

since day one of GP on IOS it has not been possible to force GP...

the user always has the option to disable VPN in the settings menu regardless of app settings.

I use a global proxy to prevent internet browsing when not connected via GP as never found any other way of enforcing this.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

OtakarKlier — Fri, 19 Oct 2018 18:40:42 GMT

Hello Mick,

Would be able to get into a bit more detail on the global proxy and how you force mobile devices to use it? I would like to hear how others are solving this solution.

Regards,

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Mick_Ball — Sat, 20 Oct 2018 09:46:06 GMT

Of course Mr Klier.
In brief...
we have just under 2k users with ipads. These are managed via mdm.
The global proxy is set via mdm so users cannot change or remove it
It points to a proxy.pac file on tinternet.
The proxy server is 1.2.3.4, this obviously does not exist so any web browsing fails with proxy error...
However....
There are exceptions in the pac file that allows direct access (no proxy) to our portals and gateways.

This allows GlobalProtect to bypass global proxy settings and connect as normal..

There is another statement within the pac file that says “ if connected to corporate network then go direct” (no proxy) so users browse as normal when connected via our internal to external firewalls.

This for some reason also works with captive portal wifi connections... it does something clever to allow captive portal auth prior to applying global proxy. Nothing to do with the pac file, its just an ios thing...

Not everyones cup of tea but has proved a winner for us over many years....

Happy to provide an example pac file if needs be...

We also use similar for windoze devices as the force global protect option just does not play with our users and crams helpdesk with calls regarding the captive portal timeout thingy...

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Remo — Sat, 20 Oct 2018 13:00:22 GMT

@Mick_Ball

Nice solution for the iOS devices. Need to keep that in mind 😉

I am also interested in the way you solved the problem on windows. The way I used here is set the captive portal timeout to 1 hour and use simple http websites as default websites in the users browsers. The notifications of global protect are not very useful (not to say useless), but this way the user only has to open the browser to be redirected to whatever captive portal there is. This http website does nothing else than redirecting to the https company website, but as it is http it does not break the captive portal redirect.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Jochen.Reinecke — Mon, 22 Oct 2018 09:16:30 GMT

Hey MickBall,

nice solution, a little through the breast into the eye but still fine! 😉

Maybe the option in the agent settings could be extended with "(Windows only)" as some other options.

Regards,

Jochen

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Mick_Ball — Mon, 22 Oct 2018 09:42:55 GMT

@Remo,I'm liking the default default web page to invoke captive portal.

we have an icon on the desktop called "Connect to Public WiFi".

this also points to our corp website and invokes the same response pages but it disables the proxy settings for 3 mins...

eva iva are workable solutions but bear in mind that we were using this way before the option of "GP enforce traffic" was ever introduced and have been using pac files long before the Juniper boxes were re-badged... lol....

so... just sticking to what works for us just now but if needs be i would certainly move towards your solution.. (not sure about the 1 hour timeout)...

Re: How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Mick_Ball — Mon, 22 Oct 2018 09:52:08 GMT

@Jochen.Reinecke, yes understood but please note my previous response to Mr Remo...

we have been using pac files to restrict laptops since day one of VPN and the GP force traffic option has not been around very long.

so as it was already there then its easier to continue as is...

if we did not have pac files in place then the @Remo solution would certainly suffice...

I think most of the App settings should contain (Windows Only (depending of course what mood your IPad is in and which motion was used when removing it from your laptop bag))

Laters...

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

brianjreed — Mon, 15 Jun 2020 17:04:17 GMT

Hello,

We are beginning to roll out GP for iOS devices and having an issue with this same topic. Are you still using the proxy.pac file? If so, can you share some details on how to do it? I'm not sure where to host this or what format for the file to be.

Any help would be appreciated.

Brian

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Mick_Ball — Mon, 15 Jun 2020 17:24:52 GMT

Hi @brianjreed .

of course ... no problemo....

the pac file needs to be available to ipads outside the vpn tunnel. So a website somewhere...

the pac file just says,,,, in laymans terms,,, Send all traffic to a duff proxy apart from the global protect connection traffic, and if connected to the private network, cancel the duff proxy...

this blocks all browser traffic by sending it to a proxy that does not exist. But it allows gp connection. When gp is connected it drops the proxy settings so all traffic goes down tunnel.

it reverts if tunnel fails. You actually dont need a proxy, just a pac file of a few lines of text.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

brianjreed — Mon, 15 Jun 2020 18:10:36 GMT

Thanks. Any chance you could share your (or a sample) pac file? I can successfully block all traffic with the pac but cannot allow any specific websites/urls/domains.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Mick_Ball — Mon, 15 Jun 2020 18:28:39 GMT

Yes of course but it may be easier understood if you postvwhat you have, and inwill edit for the purpose, youbwill then better understand the process.

if not then i will just send an example...

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

brianjreed — Mon, 15 Jun 2020 18:33:37 GMT

Sure, I've tried a few samples I've found online. Really I just want to allow "direct" to my GW (filter.tesd.net) and push all to a fake proxy.

function FindProxyForURL(url, host) {

// If the hostname matches, send direct.
if (dnsDomainIs(host, "filter.tesd.net") ||
shExpMatch(host, "(*.tesd.net|tesd.net)"))
return "DIRECT";

// If the requested website is hosted within the internal network, send direct.
if (isPlainHostName(host) ||
shExpMatch(host, "*.local*") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0")
return "DIRECT";

// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return "PROXY 4.5.6.7:8080; PROXY 7.8.9.10:8080";

}

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Mick_Ball — Tue, 16 Jun 2020 13:16:37 GMT

K a chopped file and some notes below...

function FindProxyForURL(url, host) {
var proxy="PROXY 1.2.3.9:9354";

if (isInNet(host, "x.x.x.x", "255.255.248.0") ||
isInNet(host, "x.x.x.x", "255.255.255.192") ||
isInNet(host, "x.x.x.x", "255.255.255.128") ||
isInNet(host, "x.x.x.x", "255.255.255.224") ||
shExpMatch(host, "*.manage.microsoft.com") ||
isInNet(dnsResolve("any.internal.web.server"), "10.250.1.56", "255.255.255.255")) {
return "DIRECT";
}

return proxy
}

we do not use proxy for GP when connected so proxy address is duff.... if you have internal proxies then can include.

the x.x.x.x subnets are all of our ISP addresses as we use most of these for portals, gateways and some basic web help files ava to the outside world.

the dns resolve, when connected is a good way of removing proxy settings but you may prefer to use subnets as in your example.

HTH.

Edit. and the match host is for InTune as this is how we manage IOS profiles. so if it blows up we can still download a new profile to device,

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

brianjreed — Wed, 17 Jun 2020 17:02:49 GMT

Thank you so much! Exactly what I needed.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Sec101 — Fri, 04 Sep 2020 02:23:13 GMT

@Mick_Ball Very cool resolution to this problem.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Sec101 — Fri, 04 Sep 2020 16:09:26 GMT

@Mick_Ball

I have to ask, if the file doesn't exist on the internet, how is the IPAD reading that file? Is it locally pushed down somewhere?

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Mick_Ball — Fri, 04 Sep 2020 16:19:29 GMT

Hi @Sec101 .

for ios it needs to be on interweb.

http:\\yourserver.com\nameofpacfile.pac

on windoze you can use local file location, but that may have recently changed but you would be better using file on web as any change will be picked up by all clients immediately.

hth.

mick.

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Sec101 — Wed, 30 Sep 2020 00:57:20 GMT

@Mick_Ball

When your ipads are internal, are you tunneling those devices? I'm having some issues getting user-id to populate usernames if the ipad is internal only without a tunnel. The tunnel works as expected though...

Re: How to enforce GlobalProtect Connection for Network Access on iPhone wi

Mick_Ball — Wed, 30 Sep 2020 05:04:15 GMT

@Sec101 . Hi.

they are never internal. Our office based users (ipad) just connect to our public wifi service.

The outgoing wifi palo has a link to GP palo save hairpin/trombone across isp. Sorry not much help for you.

There are some options for ios to auth on a domain for file share but was not for us.