Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-04-2019 06:07 AM
Recently we observed an issue for users on GP and using outlook.
When the GP is etablished and if the user launches Outlook in less than 1 min the outlook throws the error
"we are unable to connect right now. please check your network and try again later"
The same user once connected to GP and tried to launch post 1 min the outlook works fine
I am unable to link to GP or generic Outlook behaviour, any pointed from the community is highly appreciated.
04-07-2020 08:08 AM
Karthik,
Would be interested to see how that option goes when configured under the app agent... did you just put the domain url in there of you had to type in http://<website>
For me adding that domain to split tunnel did not resolve the issue, it only worked once i added to pre-logon policies.
RJ
09-04-2019 06:59 AM
are you using user-ID mapping?
09-04-2019 07:01 AM
Yes, GP auth then user-id maping for the same.
09-04-2019 07:03 AM
is part of your outlook config cloud based... if so then it may be denying traffic as user ip mapping is not yet complete.
09-04-2019 07:07 AM
if a user disconnects and then reconnects immediately, does it still take 1 min ?
09-04-2019 07:16 AM
Yes, outlook is cloud based hybrid connections. logically the connection would take a min to be established post GP is connected and outbound access is user-id specific.
does user-id mapping takes close to a min to complete? i ran fw tests under a min trying to launch outlook and it does fail.
But the version on GP reminded with no recent upgrade, all i can pin is the latest office update the end user machine team did.
09-04-2019 07:25 AM
user ID is almost instant... but it will not take place until an event such as a drive mapping or domain authentication takes place.
this triggers an event to be written to the AD security log which includes the AD user ID and his/her/it's IP address. this is what the agent collects.
there are other options like device probing WMI stuff but i cannot help with this...
we allow access to all microsoft URL's without user ID required, that may be one option, or perhaps run a post VPN script that is included with GP such as GPUpdate... thats assuming mapping latency is the issue here...
also... set your mapping timeout higher... some suggest 8 to 12 hours but we use 24.
09-04-2019 09:08 AM
Well, i did test the connection to Microsoft URL's as a non user-id specific connection with a dedicated rule with source user group.
The status is remaining the same, post GP connection comes live, the outlook once launched works fine post 1 min of GP establishment, but fails to authenticate outlook and prompts password if attemted within 1 min of GP coming up.
p.s. taken off any SSL decryption that were currently in place assuming decryption was playing any part.
09-04-2019 09:13 AM
is this new..
"and prompts password if attemted within 1 min of GP coming up."
as this was not mentioned in your first post...
09-04-2019 10:50 AM
Yes, if outlook launched within 1 min of GP coming up the outlook says its offine and needs password (i.e., AD logon) to pass through
09-04-2019 11:04 AM
Are you still getting this message
"we are unable to connect right now. please check your network and try again later"
09-04-2019 11:09 AM
Yes, that's the error, tested it with ruleset permitting any generic users as suspected user-id mapping was causing anykind of slownes, but the status remains the same.
09-04-2019 11:20 AM
So do you still have a source user group in the policy. If so then set the source user to any and test again.
09-09-2019 03:37 AM
Yes, we did tried with a rule set having no source user/group attached, but no luck hence had escalated with MS Outlook if there are any latest bus on their office updates.
10-31-2019 01:00 PM
Any resolution to this issue? We are running into this same issue with Prisma.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
