DHCP Option 252 WPAD


L3 Networker

Seeing as there is no support to push down client proxy settings via GP, does anyone know if we can set up a DHCP scope for SSL VPN clients that has/allows for option 252 WPAD support?

Thanks

Rod


L6 Presenter

You mean having the PAN acting as a DHCP-server for your clients?

Hi - Thanks for responding.

Yes, having an option for WPAD that's configurable via the DHCP or IP pool option.

For example, we have a laptop that connects via GP or Cisco VPN client. The laptop gets an IP address from the IP pool; however, the laptop doesn't know the correct proxy address and therefore can't access the Internet via our internal network.

With Cisco ASAs and PIXes you could specify an address for the proxy that was downloaded to the client. There is no feature with GP that supports this function.

Thanks

Rod

I don't know if the built-in DHCP server of PAN has support for option 252 today. Sounds like you should contact your sales rep with a feature request regarding this.

Another method to inform the client of which proxy to use is to send this info through an AD-policy if you use AD for your internal network.

Hi

Thanks for your response.

I've contacted our sales rep and requested this feature to be included in future updates.

Re AD - there is no way to achieve this without invoking some sort of trigger to run the AD policy on the remote clients. This is something I want to stay clear of.

Regards

Rod

Palo Alto Networks Guru

GlobalProtect doesn't provide this option at this point. We also don't use DHCP to assign IP addresses or any other network parameters to the GlobalProtect Agents. Just out of curiosity, why do you need to proxy remote access connections to your intranet? If it is for access control, I suppose App-ID and user authentication would give you the tools needed.

Hi

Thanks for the reply. I need to assign a proxy to all remote clients so that all Internet traffic (when connected through GP) is routed via an internal Websense server. Split tunnelling isn't an option and all HTTP traffic must pass through the Websense box.

As we use Websense and external RADIUS servers for authentication, we haven't needed to use user authentication.

I've asked our reseller to pass this on to PA as a feature request.

Rod

Within GP, you can push the default route 0.0.0.0/0 to the clients and all traffic will be routed back to the GP gateway.  If you want port 80 traffic to hit your WebSense, you could configure Policy Based Forwarding (PBF) on the PA device to send port 80 traffic to WebSense.  Thanks.

Fantastic, thanks for the advice. Will try it out on Monday.

Rod
