global protect internal

felixn
Not applicable

global protect internal

Hi

Can anyone give me some feedback on how to configure my globalprotect client to register/connect when on internal LAN? - so I can help my pan-user agent tag what users are connected

Thanks

Hithead
L4 Transporter

Hello,

I think it is the same as an external gateway/portal.

Create a portal and gateway with the authentication you want (uncheck internal host detection), also add a new tunnel interface for the internal gateway. Should work.

zarina
L5 Sessionator

This document will help you with the configuration:

felixn
Not applicable

Thanks guys - will check it out. This will also work with the external gateway right? - I am just not sure how it will "know" or is it because the check internal option is on the external?

zarina
L5 Sessionator

The document only talks about the internal gateway. If you would like to configure both internal and external gateways, make sure to enable internal host detection so that users can connect when they are on LAN.

felixn
Not applicable

I have the external gateway running now - so the external gateway should have the detect internal or both?

thanks

sraghunandan
L5 Sessionator

GP will try to connect to the internal gateway first and then, if it does not, it tries connecting to the external gateway.

Refer to page 31 of the following doc:

felixn
Not applicable

I can't get it to work.

I have one portal with external and internal gateway and SSL authentication. I created one internal gateway with no client configuration. Here is some of the log file:

(T7636) 03/25/13 15:54:39:956 Debug(4707): connect ssl.
(T7636) 03/25/13 15:54:39:956 Debug( 168): nRequestTimeout is 10000
(T7636) 03/25/13 15:54:39:956 Debug(  41): WSAGetLastError() returns 10035
(T7636) 03/25/13 15:54:39:988 Debug(4744): Internal gateway 10.119.20.1 is authenticated.
(T7636) 03/25/13 15:54:39:988 Debug(4751): disconnect ssl.
(T7636) 03/25/13 15:54:39:989 Info (11170): Gateway: 10.119.20.1, client IP: 10.119.20.106
(T7636) 03/25/13 15:54:39:989 Debug(5888): CPanMSService::RetrieveGatewayInfo, cert is 0000000000000000
(T7636) 03/25/13 15:54:39:989 Debug(5890): Pre-login gateway...
(T7636) 03/25/13 15:54:39:989 Debug( 849): Need to check gateway cert for 10.119.20.1
(T7636) 03/25/13 15:54:39:989 Info (14285): IPADDR=10.119.20.1,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1,POSTDATA="tmp=tmp&clientVer=4100",PROXY_AUTO=0,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=1
(T7636) 03/25/13 15:54:44:940 Debug(1698): Send response to client for request https_request
(T7636) 03/25/13 15:54:44:977 Debug(14340): winhttpObj, cert error, 16.
(T7636) 03/25/13 15:54:44:977 Info (14427): HTTP_RPC, result is (NULL), len=0
(T7636) 03/25/13 15:54:44:977 Debug(6018): Failed to pre-login to the gateway 10.119.20.1
(T7636) 03/25/13 15:54:44:977 Error(4782): Failed to retrieve info from gateway 10.119.20.1.
(T7636) 03/25/13 15:54:44:977 Debug(4790): close http session.
(T7636) 03/25/13 15:54:44:977 Debug(4798): returns false.
(T7636) 03/25/13 15:54:44:977 Error(8891): NetworkDiscoverThread: failed to discover internal network.
(T7636) 03/25/13 15:54:44:977 Debug(8952): NetworkDiscoverThread: m_nPortalStatus is 1, m_bHasLoggedOnGateway is 0

felixn
Not applicable

At some point I got it working, but I had to add the external DNS name with the internal gateway IP in my hosts file. Related to some certificate stuff maybe?

Any clues?

Hithead
L4 Transporter

Hello,

Did you try to enter the internal IP in the DNS server? CN certificate = DNS name = IP address.

Your common name (also the subject alternative name) in your VPN server certificate will be verified when you dial in with the DNS name of the gateway.
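An added illustration of the point above, not code from the thread or from Palo Alto: the prelogin line in the log shows the client reaching the internal gateway by IP address (IPADDR=10.119.20.1), and a certificate whose CN/SAN carry only a DNS name can never pass a name check against a bare IP. The script below, with a constructed certificate dict in the shape `ssl.getpeercert()` returns and a constructed log line, shows which target the certificate would accept; the gateway name vpn.example.com is an assumption.

```python
import ipaddress
import re

# Constructed gateway certificate in ssl.getpeercert() format: only the public
# DNS name is present, no 'IP Address' SAN (an assumption, not the poster's cert).
GATEWAY_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}

# Constructed log line in the same shape as the client's prelogin entry.
PRELOGIN_LINE = ("Info (14285): IPADDR=10.119.20.1,PORT=443,URL=/ssl-vpn/prelogin.esp,"
                 "POST=1,VERIFY_CERT=0,ADDITIONAL_CHECK=1")


def cert_covers(cert, target):
    """True if the cert's SAN (or CN, when no DNS SAN exists) covers `target`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only valid against an 'IP Address' SAN entry;
        # a DNS name in the CN or SAN never matches an IP.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    host = target.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            # A wildcard covers exactly one leftmost label.
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def prelogin_target(log_line):
    """Extract the address the client used for the prelogin request."""
    m = re.search(r"IPADDR=([^,]+)", log_line)
    return m.group(1) if m else None


def diagnose(log_line, cert, dns_name):
    """Report whether the cert passes for the logged IP and for the DNS name."""
    target = prelogin_target(log_line)
    return {"by_ip": cert_covers(cert, target), "by_name": cert_covers(cert, dns_name)}


if __name__ == "__main__":
    print(diagnose(PRELOGIN_LINE, GATEWAY_CERT, "vpn.example.com"))
```

Resolving the gateway's DNS name to the internal IP (via DNS or, as the poster did, the hosts file) is what makes the client present a name the certificate actually contains.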
