Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-21-2013 01:00 AM
Hi
Can anyone give me some feedback on how to configure my globalprotect client to register/connect when on internal LAN? - so I can help my pan-user agent tag what users are connected
Thanks
03-21-2013 07:14 AM
Hello,
i think it is the same as an external gateway/portal.
Create a portal and gateway with the authentication you want (uncheck internal host detection), also add a new tunnel interface for the internal gateway. Should work.
03-21-2013 09:43 AM
Thanks guys - will check it out. This will also work with the external gateway right? - I am just not sure how it will "know" or is it because the check internal option is on the external?
03-21-2013 01:34 PM
The document only talks about the internal gateway. If you would like to configure both internal and external gateways, make sure to enable internal host detection so that users can connect when they are on LAN
03-21-2013 01:41 PM
I have the external gateway running now - so the external gateway should have the detect internal or both?
thanks
03-25-2013 08:11 AM
I can't get it to work.
I have one portal with external and internal gateway and ssl authentication, I created one internal-gateway with no client-configuration. Here is some of the log files:
(T7636) 03/25/13 15:54:39:956 Debug(4707): connect ssl.
(T7636) 03/25/13 15:54:39:956 Debug( 168): nRequestTimeout is 10000
(T7636) 03/25/13 15:54:39:956 Debug( 41): WSAGetLastError() returns 10035
(T7636) 03/25/13 15:54:39:988 Debug(4744): Internal gateway 10.119.20.1 is authenticated.
(T7636) 03/25/13 15:54:39:988 Debug(4751): disconnect ssl.
(T7636) 03/25/13 15:54:39:989 Info (11170): Gateway: 10.119.20.1, client IP: 10.119.20.106
(T7636) 03/25/13 15:54:39:989 Debug(5888): CPanMSService::RetrieveGatewayInfo, cert is 0000000000000000
(T7636) 03/25/13 15:54:39:989 Debug(5890): Pre-login gateway...
(T7636) 03/25/13 15:54:39:989 Debug( 849): Need to check gateway cert for 10.119.20.1
(T7636) 03/25/13 15:54:39:989 Info (14285): IPADDR=10.119.20.1,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1,POSTDATA="tmp=tmp&clientVer=4100",PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1
(T7636) 03/25/13 15:54:44:940 Debug(1698): Send response to client for request https_request
(T7636) 03/25/13 15:54:44:977 Debug(14340): winhttpObj, cert error, 16.
(T7636) 03/25/13 15:54:44:977 Info (14427): HTTP_RPC, result is (NULL), len=0
(T7636) 03/25/13 15:54:44:977 Debug(6018): Failed to pre-login to the gateway 10.119.20.1
(T7636) 03/25/13 15:54:44:977 Error(4782): Failed to retrieve info from gateway 10.119.20.1.
(T7636) 03/25/13 15:54:44:977 Debug(4790): close http session.
(T7636) 03/25/13 15:54:44:977 Debug(4798): returns false.
(T7636) 03/25/13 15:54:44:977 Error(8891): NetworkDiscoverThread: failed to discover internal network.
(T7636) 03/25/13 15:54:44:977 Debug(8952): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0
03-25-2013 08:27 AM
at some point I got it working, but I had to add the external DNS name with the internal gw in my hosts file - related to some certificate stuff maybe?
Any clues?
03-26-2013 02:26 AM
Hello,
did you tried to enter the internal IP to the DNS server? CN certificate = DNS name = IP address.
- Your comman name (also alternative subject name) in your VPN server certificate will be verfied when you dial in with the DNS Name of the gateway. -
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
