This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Global protect and Outlook 2016

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global protect and Outlook 2016

Go to solution
KarthikRamalingam
L2 Linker

‎09-04-2019 06:07 AM

Recently we observed an issue for users on GP and using outlook.

When the GP is etablished and if the user launches Outlook in less than 1 min the outlook throws the error

"we are unable to connect right now. please check your network and try again later"

The same user once connected to GP and tried to launch post 1 min the outlook works fine

I am unable to link to GP or generic Outlook behaviour, any pointed from the community is highly appreciated.

6 people had this problem.
27 REPLIES 27

Go to solution
KarthikRamalingam
L2 Linker
In response to MickBall

‎09-04-2019 07:16 AM

Yes, outlook is cloud based hybrid connections. logically the connection would take a min to be established post GP is connected and outbound access is user-id specific.

does user-id mapping takes close to a min to complete? i ran fw tests under a min trying to launch outlook and it does fail.

But the version on GP reminded with no recent upgrade, all i can pin is the latest office update the end user machine team did.

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to KarthikRamalingam

‎09-04-2019 07:25 AM

user ID is almost instant...  but it will not take place until an event such as a drive mapping or domain authentication takes place.

this triggers an event to be written to the AD security log which includes the AD user ID and his/her/it's IP address. this is what the agent collects.

 

there are other options like device probing WMI stuff but i cannot help with this...  

 

we allow access to all microsoft URL's without user ID required, that may be one option, or perhaps run a post VPN script that is included with GP such as GPUpdate...   thats assuming mapping latency is the issue here...

 

also...     set your mapping timeout higher... some suggest 8 to 12 hours but we use 24. 

 

Go to solution
KarthikRamalingam
L2 Linker
In response to MickBall

‎09-04-2019 09:08 AM

Well, i did test the connection to Microsoft URL's as a non user-id specific connection with a dedicated rule with source user group.

 The status is remaining the same, post GP connection comes live, the outlook once launched works fine post 1 min of GP establishment, but fails to authenticate outlook and prompts password if attemted within 1 min of GP coming up.

p.s. taken off any SSL decryption that were currently in place assuming decryption was playing any part.

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to KarthikRamalingam

‎09-04-2019 09:13 AM

is this new..

 

"and prompts password if attemted within 1 min of GP coming up."

 

as this was not mentioned in your first post...

0 Likes Likes

Go to solution
KarthikRamalingam
L2 Linker
In response to MickBall

‎09-04-2019 10:50 AM

Yes, if outlook launched within 1 min of GP coming up the outlook says its offine and needs password (i.e., AD logon) to pass through

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks