Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DHCP Option 252 WPAD

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DHCP Option 252 WPAD

L3 Networker

Seeing since there is no support to push down client proxy settings via GP - does anyone know if we can set up a DHCP scope for SSL VPN clients that has/allows for option 252 WPAD support?

Thanks

Rod

1 accepted solution

Accepted Solutions

Within GP, you can push the default route 0.0.0.0/0 to the clients and all traffic will be routed back to the GP gateway.  If you want port 80 traffic to hit your WebSense, you could configure Policy Based Forwarding (PBF) on the PA device to send port 80 traffic to WebSense.  Thanks.

View solution in original post

8 REPLIES 8

L6 Presenter

You mean having the PAN acting as a DHCP-server for your clients?

Hi - Thanks for responding.

Yes having an option for wpad that's configurable via the dhcp or IP pool option.

For example we have a laptop that connects via GP or Cisco VPN client. The laptop gets an IP address from the IP pool however the laptop doesn't know the correct proxy address and therfore can't access the interent via our internal network.

With CIsco ASA's and PIX's you could specify an address for the proxy that was downloaded to the client. There is no feature with GP that supports this funciton.

Thanks

Rod

I dont know if the built in dhcpserver of PAN have support for option 252 today. Sounds like you should contact your sales rep with a feature request regarding this.

Another method to inform the client of which proxy to use is to send this info through an AD-policy if you use AD for your internal network.

Hi

Thanks for your response.

I've contacted our sales rep and requested this feature to be included in future updates.

Re AD - there is no way to achieve this without invoking some sort of trigger to run the AD policy on the remote clients. This is something I want to stay clear off.

Regards

Rod

Palo Alto Networks Guru

GlobalProtect doesn't provide this option at this point. We also don't use DHCP to assign IP addresses or any other network parameters to the GlobalProtect Agents. Just out of curiousity, why do you need to proxy remote access connections to your intranet? If it is for access control, I suppose App-ID and user authentication would give you the tools needed.

Hi

Thanks for the reply. I need to assign a proxy to all remote clients so that all Internet traffic (when connected through GP) is routed via in internal Websense server. Split tunnelling isn't an option and all http traffic must pass though the WEbsense box.

As we use WEbsense and external radius servers for authentication we haven't needed to use user authentication.

I've asked our reseller to pass this onto PA as a feature request,

Rod

Within GP, you can push the default route 0.0.0.0/0 to the clients and all traffic will be routed back to the GP gateway.  If you want port 80 traffic to hit your WebSense, you could configure Policy Based Forwarding (PBF) on the PA device to send port 80 traffic to WebSense.  Thanks.

Fantastic, thanks for the advice. Will try it out on Monday.

Rod

  • 1 accepted solution
  • 6519 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!