Global protect and Outlook 2016

cancel
Showing results for 
Search instead for 
Did you mean: 

Global protect and Outlook 2016

Recently we observed an issue for users on GP and using outlook.

When the GP is etablished and if the user launches Outlook in less than 1 min the outlook throws the error

"we are unable to connect right now. please check your network and try again later"

The same user once connected to GP and tried to launch post 1 min the outlook works fine

I am unable to link to GP or generic Outlook behaviour, any pointed from the community is highly appreciated.

27 REPLIES 27

Karthik,

 

Would be interested to see how that option goes when configured under the app agent... did you just put the domain url in there of you had to type in http://<website>

 

For me adding that domain to split tunnel did not resolve the issue, it only worked once i added to pre-logon policies.

 

RJ

View solution in original post

Under the app option, we will be able to override addresses as IP based only (e.g. 1.2.3.4/32, 10.1.2.0/24).

Our initial tests suggested improved connectivity towards MS NLSA DNS resolutions www.msftconnecttest.com, we aren't convinced with the solution yet as extensive users on GP were impacted due to this it has to be tested widely to see as a workable solution.

 

p.s., TAC suggested a list of IP or IP's can be to a certain limit only 32 I reckon I do not have that in writing, unfortunately.

Thank you @rajjair 

 

I've lost count of the number of hours I had sent researching this and trying to understand how I would resolve this issue.  The articles you linked explained the technology well.

 

I too had to create the pre-logon rule allowing access to just that website, after that all works perfectly.  Thanks again for sharing this solution.

 

IT Professional

Well we had to do the same on all our vsys, spinning a new pre rule to permit pre logon GP users to connect back to www.msftconencttest.com over 80 & 443 and it started to work

I'm experiencing the same issue, but I'm not getting resolution on this. Its also a random issue, not everyone is experiencing the issue. Any one else have any success? When you said pre login rules, where is that located? Just the regular Policy section? I've checked and googled and I'm not seeing any pre login policy locations.

L1 Bithead

I am having the same issue- it is random- Users are able to connect to GP and access everything except Outlook and Skype for business. No resolution yet as to what the issue is.

Did you see the Post in this thread earlier from Rajjair?  This was the fix for me, I needed pre-logon policies allowing access to www.msftconnecttest.com.   Looking at my rule I've also added account.microsoft.com, can't remember if that also related to this issue.

 

I'll repost the text below since it also explains the issue well, credit to Rajjair.

 

______

had the similar issue and was able to to trace it down NCSI causing the problem, the probe HTTP was failing for me. You can check windows event logs to see if you are facing the same issue - Microsoft-Windows-NCSI/Operational

 

This is logged in the event it was failing:

Capability change on {57a83755-d89b-4a01-a72d-d4786875d856} (0x6008009000000 Family: V4 Capability: None ChangeReason: ActiveHttpProbeFailedButDnsSucceeded)

 

I need to allow "www.msftconnecttest.com" this site access in pre-logon policy.

 

For more info check this blog

https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your...

https://www.ghacks.net/2014/02/07/disable-customize-windows-internet-connection-test-improve-privacy...

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766017(v=ws.10)?re...

IT Professional

Thanks so much Crostron76. 

 

I will apply proposed solution and test it with my users. I will post results once issue fully resolved. Awsome!!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!