Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Global protect and Outlook 2016

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect and Outlook 2016

Recently we observed an issue for users on GP and using outlook.

When the GP is etablished and if the user launches Outlook in less than 1 min the outlook throws the error

"we are unable to connect right now. please check your network and try again later"

The same user once connected to GP and tried to launch post 1 min the outlook works fine

I am unable to link to GP or generic Outlook behaviour, any pointed from the community is highly appreciated.

27 REPLIES 27

L1 Bithead

We have the same issue, but only if we use a full Globalprotect VPN and not if we use a split tunnel (default here).

I found out the reason is that the GlobalProtect network interface has no default gateway, but only routes are pushed.

Because of this, the Network Location Awareness service does not attempt to check if there is a connection to the internet.

 

Office programs rely on the NLA service and don't check themselves if they are online. Because of this, the apps assume they are offline when you are connected via GlobalProtect.

 

Other VPN service also have the same problem: https://superuser.com/questions/1447783/why-do-windows-10-apps-and-office-outlook-word-onedrive-etc-...

 

Our clients are asking if they can use the full VPN more and more, but with this problem we can't provide them with it..

Thanks for those pointers, we have this pushing with MS again, lets see how it turns out with NIC level modifications for the apps to work as expected.

Has anyone found a fix for this? I can confirm, with full tunnel VPN MS Office thinks there is no internet.  With split tunnel VPN MS Office can see that there is an internet connection.

L2 Linker

Hi All

 

I had the similar issue and was able to to trace it down NCSI causing the problem, the probe HTTP was failing for me. You can check windows event logs to see if you are facing the same issue - Microsoft-Windows-NCSI/Operational

 

This is logged in the event it was failing:

Capability change on {57a83755-d89b-4a01-a72d-d4786875d856} (0x6008009000000 Family: V4 Capability: None ChangeReason: ActiveHttpProbeFailedButDnsSucceeded)

 

I need to allow "www.msftconnecttest.com" this site access in pre-logon policy.

 

For more info check this blog

https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your...

https://www.ghacks.net/2014/02/07/disable-customize-windows-internet-connection-test-improve-privacy...

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10)?re...

 

 

I hope this helps fix your guys issue

 

RJ

Yes, we had similar tweak done under the Enforce GlobalProtect Connection for Network Access option under app in the GP agent profile by excluding the NLSA lookup DNS IP of Microsoft. We are still testing it though.

Split tunneling would eliminate this issue completely again, the above option we are testing with is very much in line with split tunneling 🙂

Karthik,

 

Would be interested to see how that option goes when configured under the app agent... did you just put the domain url in there of you had to type in http://<website>

 

For me adding that domain to split tunnel did not resolve the issue, it only worked once i added to pre-logon policies.

 

RJ

Under the app option, we will be able to override addresses as IP based only (e.g. 1.2.3.4/32, 10.1.2.0/24).

Our initial tests suggested improved connectivity towards MS NLSA DNS resolutions www.msftconnecttest.com, we aren't convinced with the solution yet as extensive users on GP were impacted due to this it has to be tested widely to see as a workable solution.

 

p.s., TAC suggested a list of IP or IP's can be to a certain limit only 32 I reckon I do not have that in writing, unfortunately.

Thank you @rajjair 

 

I've lost count of the number of hours I had sent researching this and trying to understand how I would resolve this issue.  The articles you linked explained the technology well.

 

I too had to create the pre-logon rule allowing access to just that website, after that all works perfectly.  Thanks again for sharing this solution.

 

IT Professional

Well we had to do the same on all our vsys, spinning a new pre rule to permit pre logon GP users to connect back to www.msftconencttest.com over 80 & 443 and it started to work

I'm experiencing the same issue, but I'm not getting resolution on this. Its also a random issue, not everyone is experiencing the issue. Any one else have any success? When you said pre login rules, where is that located? Just the regular Policy section? I've checked and googled and I'm not seeing any pre login policy locations.

L2 Linker

I am having the same issue- it is random- Users are able to connect to GP and access everything except Outlook and Skype for business. No resolution yet as to what the issue is.

Did you see the Post in this thread earlier from Rajjair?  This was the fix for me, I needed pre-logon policies allowing access to www.msftconnecttest.com.   Looking at my rule I've also added account.microsoft.com, can't remember if that also related to this issue.

 

I'll repost the text below since it also explains the issue well, credit to Rajjair.

 

______

had the similar issue and was able to to trace it down NCSI causing the problem, the probe HTTP was failing for me. You can check windows event logs to see if you are facing the same issue - Microsoft-Windows-NCSI/Operational

 

This is logged in the event it was failing:

Capability change on {57a83755-d89b-4a01-a72d-d4786875d856} (0x6008009000000 Family: V4 Capability: None ChangeReason: ActiveHttpProbeFailedButDnsSucceeded)

 

I need to allow "www.msftconnecttest.com" this site access in pre-logon policy.

 

For more info check this blog

https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your...

https://www.ghacks.net/2014/02/07/disable-customize-windows-internet-connection-test-improve-privacy...

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10)?re...

IT Professional

Thanks so much Crostron76. 

 

I will apply proposed solution and test it with my users. I will post results once issue fully resolved. Awsome!!

  • 22843 Views
  • 27 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!