Global protect and Outlook 2016


Recently we observed an issue for users on GP and using Outlook.

When GP is established and the user launches Outlook in less than 1 min, Outlook throws the error

"we are unable to connect right now. please check your network and try again later"

The same user once connected to GP and tried to launch post 1 min, and Outlook works fine.

I am unable to link this to GP or generic Outlook behaviour; any pointers from the community are highly appreciated.


Accepted Solutions

Karthik,

 

Would be interested to see how that option goes when configured under the app agent... did you just put the domain URL in there or did you have to type in http://<website>?

 

For me, adding that domain to split tunnel did not resolve the issue; it only worked once I added it to pre-logon policies.

 

RJ


27 REPLIES 27

L7 Applicator

Are you using User-ID mapping?

Yes, GP auth then User-ID mapping for the same.

Is part of your Outlook config cloud based... if so then it may be denying traffic as user IP mapping is not yet complete.

if a user disconnects and then reconnects immediately, does it still take 1 min ?

Yes, Outlook is cloud-based with hybrid connections. Logically the connection would take a min to be established post GP is connected, and outbound access is User-ID specific.

Does User-ID mapping take close to a min to complete? I ran FW tests under a min trying to launch Outlook and it does fail.

But the version on GP remained with no recent upgrade; all I can pin is the latest Office update the end user machine team did.

User-ID is almost instant... but it will not take place until an event such as a drive mapping or domain authentication takes place.

This triggers an event to be written to the AD security log which includes the AD user ID and his/her/its IP address. This is what the agent collects.

 

There are other options like device probing WMI stuff but I cannot help with this...

 

We allow access to all Microsoft URLs without user ID required, that may be one option, or perhaps run a post VPN script that is included with GP such as GPUpdate... that's assuming mapping latency is the issue here...

 

Also... set your mapping timeout higher... some suggest 8 to 12 hours but we use 24.

 

Well, I did test the connection to Microsoft URLs as a non-User-ID-specific connection with a dedicated rule with source user group.

The status is remaining the same: post GP connection comes live, Outlook once launched works fine post 1 min of GP establishment, but fails to authenticate Outlook and prompts password if attempted within 1 min of GP coming up.

P.S. Taken off any SSL decryption that was currently in place, assuming decryption was playing any part.

Is this new..

 

"and prompts password if attempted within 1 min of GP coming up."

 

As this was not mentioned in your first post...

Yes, if Outlook is launched within 1 min of GP coming up, Outlook says it's offline and needs password (i.e., AD logon) to pass through.

Are you still getting this message

 

"we are unable to connect right now. please check your network and try again later"

Yes, that's the error. Tested it with a ruleset permitting any generic users, as suspected User-ID mapping was causing any kind of slowness, but the status remains the same.

So do you still have a source user group in the policy? If so then set the source user to any and test again.

Yes, we did try with a rule set having no source user/group attached, but no luck, hence had escalated with MS Outlook if there are any latest bugs on their Office updates.

L0 Member

Any resolution to this issue?  We are running into this same issue with Prisma.
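
To narrow down the roughly one-minute window discussed in this thread, the following PowerShell script is an added example (not code from any poster or from Palo Alto Networks): it polls DNS resolution and a TCP connection to an Outlook endpoint right after the tunnel comes up and reports when the connection first succeeds. The host name `outlook.office365.com`, the port and the timing values are assumptions to adjust for your environment.

```powershell
# Added diagnostic example, not from the thread. Start it as soon as the
# GlobalProtect tunnel reports "Connected".
param(
    [string]$TargetHost = 'outlook.office365.com',  # assumption: your Outlook endpoint
    [int]$Port = 443,
    [int]$DurationSeconds = 120,   # how long to keep probing
    [int]$IntervalSeconds = 5,     # pause between probes
    [int]$TimeoutMs = 3000         # TCP connect timeout per probe
)

function Test-Endpoint {
    param([string]$Name, [int]$Port, [int]$TimeoutMs)
    $result = [ordered]@{ Dns = $false; Tcp = $false; Detail = '' }
    # Stage 1: name resolution (fails if DNS is not yet reachable over the tunnel)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Name)
        $result.Dns = $addresses.Count -gt 0
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    # Stage 2: TCP connect (fails or times out if routing or policy blocks it)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Name, $Port)
        if ($task.Wait($TimeoutMs) -and $client.Connected) { $result.Tcp = $true }
        else { $result.Detail = "TCP: no connection within $TimeoutMs ms" }
    } catch {
        $result.Detail = "TCP: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$start = Get-Date
$firstOk = $null
while (((Get-Date) - $start).TotalSeconds -lt $DurationSeconds) {
    $elapsed = [int]((Get-Date) - $start).TotalSeconds
    $r = Test-Endpoint -Name $TargetHost -Port $Port -TimeoutMs $TimeoutMs
    '{0,4}s  DNS={1,-5} TCP={2,-5} {3}' -f $elapsed, $r.Dns, $r.Tcp, $r.Detail
    if ($r.Tcp -and $null -eq $firstOk) { $firstOk = $elapsed }
    Start-Sleep -Seconds $IntervalSeconds
}
if ($null -ne $firstOk) { "First successful TCP connect at about ${firstOk}s" }
else { "No successful TCP connect within $DurationSeconds s" }
```

Comparing the first-success time with the firewall's traffic log entries and the User-ID mapping time for the client IP shows whether the delay sits in DNS, routing or policy.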
