Update on GlobalProtect's Embedded Web-Views With IE 11 Getting Deprecated by MSFT

L4 Transporter


 

As of June 15, 2022, Microsoft is deprecating IE 11 in favor of Microsoft Edge. Customers are concerned about whether the embedded web-view within GlobalProtect (which relies on the IE 11 SDK) will continue to work well beyond June 15, 2022.

 

Palo Alto Networks’ GlobalProtect team has tested GlobalProtect’s features that require embedded web-view in 5.1.X, 5.2.X, and 6.0.X release trains.

 

Customers are advised to review the testing matrix to understand the impact of Microsoft deprecating IE 11 on GlobalProtect’s embedded web-views.

 

 

Use-Case Results

| GlobalProtect Version | Windows Version | SAML Authentication in User-logon/On-Demand mode | SAML Authentication in Connect Before Logon | Welcome Page | Help Page | Link in HIP Notification |
|---|---|---|---|---|---|---|
| 5.1.X (5.1.11) | Windows 10 | Opens in embedded web-view | N/A | Opens in embedded web-view | Opens in user selected default system browser | Opens in IE |
| 5.1.X (5.1.11) | Windows 11 Home | Opens in embedded web-view | N/A | Opens in embedded web-view | Opens in user selected default system browser | Opens in Edge |
| 5.2.X (5.2.12) | Windows 10 | Opens in embedded web-view | Opens in embedded web-view | Opens in embedded web-view | Opens in user selected default system browser | Opens in IE |
| 5.2.X (5.2.12) | Windows 11 Home | Opens in embedded web-view | Opens in embedded web-view | Opens in embedded web-view | Opens in user selected default system browser | Opens in Edge |
| 6.0.X | Windows 10 | Opens in embedded web-view | Opens in embedded web-view | Opens in user selected system default browser | Opens in user selected system default browser | Opens in IE |
| 6.0.X | Windows 11 Home | Opens in embedded web-view | Opens in embedded web-view | Opens in user selected system default browser | Opens in user selected system default browser | Opens in Edge |

 

 

Note: This April 2022 article from Microsoft, "Disable Internet Explorer 11," was used as a reference.

 

4 Comments
L1 Bithead

After IE11 is deprecated, does Windows still support the "embedded web-view within GlobalProtect (it relies on IE 11 SDK)"?

 

If any SAML vendor rolls out a .js script that cannot be interpreted by the "embedded web-view (it relies on IE 11 SDK)", and the customer is using CBL (which is not supported using Default Browser), how are we able to fix the issue?

L0 Member

Hi, 

 

I was running into an issue with the CBL function when using AWS SSO as my IdP for GlobalProtect authentication. I raised a case with TAC, but was told that they are unable to do anything about this, as the update by the AWS SSO team that caused the issue was rolled back. Not sure if Palo Alto can confirm that the CBL that is using the IE11 SDK can work for all IdPs, or is this a time bomb that Palo Alto is OK with, leaving the customer to suffer the consequences.

L1 Bithead


Please check the new feature for GP, "Embedded Browser Framework Upgrade", as part of GP 6.2.3 (released on 2024-04-10).

https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-release-notes/features-introdu...

 

Starting with GlobalProtect 6.2.3, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods. For more information, see the Microsoft Edge WebView2 documentation.

By default, tenants using SAML authentication are configured to utilize the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, there's no need for end users to configure a SAML landing page, eliminating the necessity to manually close the browser. This streamlines the authentication process.

In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials in order to authenticate to Prisma Access using GlobalProtect. This seamless experience is true whether the user is logging in to their environment for the first time or whether they have logged in before. If there is an error during the authentication, it is displayed in the embedded browser. This authentication process works across all device states.

In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out.


L0 Member

Has anyone tested 6.2.3 and 6.2.4? I've tested connectbeforelogon in a Windows Autopilot scenario and it doesn't work. Looking at the logs, it is still requesting IE rather than Edge.
