global protect internal


Hi

Can anyone give me some feedback on how to configure my globalprotect client to register/connect when on internal LAN? - so I can help my pan-user agent tag what users are connected

Thanks


L4 Transporter

Hello,

I think it is the same as an external gateway/portal.

Create a portal and gateway with the authentication you want (uncheck internal host detection), also add a new tunnel interface for the internal gateway. Should work.

L5 Sessionator

This document will help you with the configuration:

Thanks guys - will check it out. This will also work with the external gateway right? - I am just not sure how it will "know" or is it because the check internal option is on the external?

The document only talks about the internal gateway. If you would like to configure both internal and external gateways, make sure to enable internal host detection so that users can connect when they are on LAN.

I have the external gateway running now - so the external gateway should have the detect internal or both?

thanks

GP will try to connect to the internal gtwy first and then if it does not it tries connecting to the external gateway.

Refer to page 31 of the following doc:

I can't get it to work.

I have one portal with external and internal gateway and ssl authentication, I created one internal-gateway with no client-configuration. Here is some of the log files:

(T7636) 03/25/13 15:54:39:956 Debug(4707): connect ssl.

(T7636) 03/25/13 15:54:39:956 Debug( 168): nRequestTimeout is 10000

(T7636) 03/25/13 15:54:39:956 Debug(  41): WSAGetLastError() returns 10035

(T7636) 03/25/13 15:54:39:988 Debug(4744): Internal gateway 10.119.20.1 is authenticated.

(T7636) 03/25/13 15:54:39:988 Debug(4751): disconnect ssl.

(T7636) 03/25/13 15:54:39:989 Info (11170): Gateway: 10.119.20.1, client IP: 10.119.20.106

(T7636) 03/25/13 15:54:39:989 Debug(5888): CPanMSService::RetrieveGatewayInfo, cert is 0000000000000000

(T7636) 03/25/13 15:54:39:989 Debug(5890): Pre-login gateway...

(T7636) 03/25/13 15:54:39:989 Debug( 849): Need to check gateway cert for 10.119.20.1

(T7636) 03/25/13 15:54:39:989 Info (14285): IPADDR=10.119.20.1,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1,POSTDATA="tmp=tmp&clientVer=4100",PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1

(T7636) 03/25/13 15:54:44:940 Debug(1698): Send response to client for request https_request

(T7636) 03/25/13 15:54:44:977 Debug(14340): winhttpObj, cert error, 16.

(T7636) 03/25/13 15:54:44:977 Info (14427): HTTP_RPC, result is (NULL), len=0

(T7636) 03/25/13 15:54:44:977 Debug(6018): Failed to pre-login to the gateway 10.119.20.1

(T7636) 03/25/13 15:54:44:977 Error(4782): Failed to retrieve info from gateway 10.119.20.1.

(T7636) 03/25/13 15:54:44:977 Debug(4790): close http session.

(T7636) 03/25/13 15:54:44:977 Debug(4798): returns false.

(T7636) 03/25/13 15:54:44:977 Error(8891): NetworkDiscoverThread: failed to discover internal network.

(T7636) 03/25/13 15:54:44:977 Debug(8952): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0

At some point I got it working, but I had to add the external DNS name with the internal gw in my hosts file - related to some certificate stuff maybe?

Any clues?

Hello,

Did you try to enter the internal IP to the DNS server? CN certificate = DNS name = IP address.

- Your common name (also alternative subject name) in your VPN server certificate will be verified when you dial in with the DNS name of the gateway. -
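A triage helper for the GlobalProtect client log excerpt posted earlier in this thread, added here as an example (not code from any poster or from Palo Alto Networks). It assumes the number in `winhttpObj, cert error, N` is the WinHTTP secure-failure bitmask, in which 16 (0x10) is `WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID`; the function names `decode_cert_error`, `is_ip_literal` and `diagnose` are hypothetical.

```python
import ipaddress
import re

# Assumption: N in "winhttpObj, cert error, N" is the WinHTTP secure-failure
# bitmask (WINHTTP_CALLBACK_STATUS_FLAG_* values from winhttp.h).
WINHTTP_CERT_FLAGS = {0x01: "CERT_REV_FAILED", 0x02: "INVALID_CERT",
                      0x04: "CERT_REVOKED", 0x08: "INVALID_CA",
                      0x10: "CERT_CN_INVALID", 0x20: "CERT_DATE_INVALID",
                      0x40: "CERT_WRONG_USAGE"}

# Sample input: lines taken from the log posted above, IPADDR line shortened.
SAMPLE_LOG = """\
(T7636) 03/25/13 15:54:39:989 Debug( 849): Need to check gateway cert for 10.119.20.1
(T7636) 03/25/13 15:54:39:989 Info (14285): IPADDR=10.119.20.1,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1
(T7636) 03/25/13 15:54:44:977 Debug(14340): winhttpObj, cert error, 16.
(T7636) 03/25/13 15:54:44:977 Debug(6018): Failed to pre-login to the gateway 10.119.20.1
"""

LINE_RE = re.compile(r"^\(T\d+\) \S+ \S+ \w+\s*\(\s*\d+\): (.*)$")

def decode_cert_error(code):
    """Return the flag names set in a WinHTTP certificate error bitmask."""
    return [name for bit, name in sorted(WINHTTP_CERT_FLAGS.items()) if code & bit]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(log_text):
    """List failed gateway pre-logins with the certificate flags seen before them."""
    findings, target, flags = [], None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("IPADDR="):  # a new HTTPS request starts here
            target, flags = msg.split(",", 1)[0].split("=", 1)[1], []
        elif (c := re.search(r"cert error, (\d+)", msg)):
            flags = decode_cert_error(int(c.group(1)))
        elif (f := re.search(r"Failed to pre-login to the gateway (\S+)", msg)):
            on_ip = "CERT_CN_INVALID" in flags and target is not None and is_ip_literal(target)
            findings.append({"gateway": f.group(1), "requested_as": target,
                             "cert_flags": flags, "name_mismatch_on_ip": on_ip})
    return findings
```

A finding with `name_mismatch_on_ip` set means the client reached the gateway by IP address while the certificate did not carry that address as a name, which matches the CN/DNS advice in the reply above.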
