Global protect and Outlook 2016


Recently we observed an issue for users on GP and using Outlook.

When GP is established and the user launches Outlook in less than 1 min, Outlook throws the error

"we are unable to connect right now. please check your network and try again later"

For the same user, once connected to GP, launching Outlook after 1 min works fine.

I am unable to link this to GP or generic Outlook behaviour; any pointers from the community are highly appreciated.


Accepted Solutions
L1 Bithead

Karthik,

Would be interested to see how that option goes when configured under the app agent... did you just put the domain URL in there or did you have to type in http://<website>?

For me, adding that domain to split tunnel did not resolve the issue; it only worked once I added it to pre-logon policies.

RJ



All Replies
L7 Applicator

Are you using User-ID mapping?


Yes, GP auth then User-ID mapping for the same.

L7 Applicator

Is part of your Outlook config cloud based? If so, then it may be denying traffic as user IP mapping is not yet complete.

L7 Applicator

If a user disconnects and then reconnects immediately, does it still take 1 min?


Yes, Outlook is cloud based with hybrid connections. Logically the connection would take a min to be established after GP is connected, and outbound access is User-ID specific.

Does User-ID mapping take close to a min to complete? I ran FW tests under a min trying to launch Outlook and it does fail.

But the GP version remained the same with no recent upgrade; all I can pin it on is the latest Office update the end-user machine team did.

L7 Applicator

User-ID is almost instant... but it will not take place until an event such as a drive mapping or domain authentication takes place.

This triggers an event to be written to the AD security log which includes the AD user ID and his/her/its IP address. This is what the agent collects.

There are other options like device probing WMI stuff but I cannot help with this...

We allow access to all Microsoft URLs without User-ID required; that may be one option, or perhaps run a post-VPN script that is included with GP such as GPUpdate... that's assuming mapping latency is the issue here...

Also... set your mapping timeout higher... some suggest 8 to 12 hours but we use 24.


Well, I did test the connection to Microsoft URLs as a non-User-ID-specific connection with a dedicated rule with source user group.

The status remains the same: once the GP connection comes live, Outlook works fine if launched 1 min after GP establishment, but fails to authenticate Outlook and prompts password if attempted within 1 min of GP coming up.

P.S. Taken off any SSL decryption that was currently in place, assuming decryption was playing any part.

L7 Applicator

Is this new?

"and prompts password if attempted within 1 min of GP coming up."

As this was not mentioned in your first post...


Yes, if Outlook is launched within 1 min of GP coming up, Outlook says it's offline and needs a password (i.e., AD logon) to pass through.
