Anyone ever use “internal host detection” on GP?


L3 Networker

Hi,

 

Anyone ever use “internal host detection” on GP? For some reason it does not try to do the test. I checked the GP services log and did not find an entry there. I am trying to force "enforce GlobalProtect for Network Access" when users are connected to the internet.

 

Thanks

13 REPLIES

L7 Applicator

Works OK for me.

Globe displays a little house, more like a dog's kennel, when connected to LAN.

Not using the enforce option, just always on.

I did have to allow GlobalProtect connection from LAN to WAN for users to get the GP config for the first connection attempt.

 

 

Hi,

 

On the Always on option did you get a one time password to work with LDAP? I am not sure how to get OTP working as Windows logon screen only allows user name and password and with SSO enabled it will only carry username and password.


Thanks

I am confused by your reply...  never seen otp with ldap...

could you explain in more detail your authentication process.

Hi,

What I want is Global Protect to be set to User-Logon. Client logs on to Windows 7, SSO takes creds and supplies them to Portal. Then for Gateway it prompts the user for RADIUS RSA OTP. I can get this to work without SSO, but I want to use User-Logon SSO. I want it so it prompts the user for a PIN when they log in to the PC. If it's added to the main Windows logon page then there can be an issue when they are on the local network and GP is not needed.

 

 

Thanks

Still not quite sure what you are trying to achieve.

 

You cannot mix SSO with OTP. SSO will only use Windows credentials.

 

our users do enter a pin before logon to windows but this is via bitlocker disk encryption.

 

globalprotect cannot modify the windows logon process.

 

OK thanks, you have answered my question: cannot have a mix of both SSO and OTP. Have you gotten "enforce GlobalProtect for Network Access disable when on internal network" and "Internal Host Detection" to work on user-connect method? It is not working for me. When I check the GPS*log it does not show it trying to do the DNS resolution on the internal name I provided.

 

 

I have a client that wants to use OTP and always on but I am guessing this is not possible.

Are you saying that the GP client just connects as normal, or does it not connect at all?

 

I only ask this because the GP client needs to make connection when first installed to obtain the settings for internal host detection.

OTP and always on... I don't see why not. But make sure for OTP that you configure authentication override in both portal and gateway config or the gateway will try to use the same OTP and fail.

 

You may be better off by adding this as a new post.

I did connect to portal to pull down new configuration, but it seems "internal host detection" does not work with on-demand method.

OK, it may just be that it’s not needed for on-demand mode. I suppose you’d need to ask yourself why would you even try to connect when on the local network. In that case I suppose it only works for always on to prevent auto connecting on LAN.

 

Somebody else may have the answer here but I’m going to try it on Monday/Tuesday so if you find the answer, please update this post.

OK, will do. Pretty much requirement is OTP and to enforce global protect to connect from external network. Internal network does not GP. This works fine with LDAP and user-logon. It does not work with on-demand.

 

Thanks

to confirm...

 

internal host detection does not work with "on demand".

 

I suppose the intention for this is to prevent "always on" from auto connecting when not needed, as the user will have no intervention.
