Global protect and Outlook 2016

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global protect and Outlook 2016

Recently we observed an issue for users on GP and using outlook.

When the GP is etablished and if the user launches Outlook in less than 1 min the outlook throws the error

"we are unable to connect right now. please check your network and try again later"

The same user once connected to GP and tried to launch post 1 min the outlook works fine

I am unable to link to GP or generic Outlook behaviour, any pointed from the community is highly appreciated.


L1 Bithead

We have the same issue, but only if we use a full Globalprotect VPN and not if we use a split tunnel (default here).

I found out the reason is that the GlobalProtect network interface has no default gateway, but only routes are pushed.

Because of this, the Network Location Awareness service does not attempt to check if there is a connection to the internet.


Office programs rely on the NLA service and don't check themselves if they are online. Because of this, the apps assume they are offline when you are connected via GlobalProtect.


Other VPN service also have the same problem:


Our clients are asking if they can use the full VPN more and more, but with this problem we can't provide them with it..

Thanks for those pointers, we have this pushing with MS again, lets see how it turns out with NIC level modifications for the apps to work as expected.

Has anyone found a fix for this? I can confirm, with full tunnel VPN MS Office thinks there is no internet.  With split tunnel VPN MS Office can see that there is an internet connection.

L2 Linker

Hi All


I had the similar issue and was able to to trace it down NCSI causing the problem, the probe HTTP was failing for me. You can check windows event logs to see if you are facing the same issue - Microsoft-Windows-NCSI/Operational


This is logged in the event it was failing:

Capability change on {57a83755-d89b-4a01-a72d-d4786875d856} (0x6008009000000 Family: V4 Capability: None ChangeReason: ActiveHttpProbeFailedButDnsSucceeded)


I need to allow "" this site access in pre-logon policy.


For more info check this blog



I hope this helps fix your guys issue



Yes, we had similar tweak done under the Enforce GlobalProtect Connection for Network Access option under app in the GP agent profile by excluding the NLSA lookup DNS IP of Microsoft. We are still testing it though.

Split tunneling would eliminate this issue completely again, the above option we are testing with is very much in line with split tunneling 🙂

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!