11-04-2023 03:15 PM
Hello everyone! My environment only has one public IPv4 so I'm trying to make the most of it. We already run a number of web services on port 80/443 behind an Nginx reverse proxy. I'm trying to add GlobalProtect to the mix. I have my portal and gateway running on the same IP. When I forward the ports (80, 443, 4501) the portal seems to work correctly but the gateway just fails. Everything in my FW GP logs says success and my client logs just have a generic "no route" error. Sometimes they connect and can't pass traffic. I've done a bunch of testing and what I've found is that port 443 needs to be forwarded/streamed directly to the FW, otherwise clients fail. Does anyone know why this is or what setting I need to tweak to get the gateway to work behind Nginx?
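One way to satisfy the "443 must be streamed directly to the FW" finding without giving up the reverse proxy for everything else is to let Nginx switch on the TLS SNI name at the TCP level, so the GlobalProtect connection reaches the firewall with TLS intact while the other sites still terminate at the proxy. This is an added example, not configuration from the thread or from Palo Alto Networks; the hostname vpn.example.com, the firewall address 10.0.0.1 and the certificate paths are placeholders, and UDP 4501 is assumed to be forwarded straight to the firewall by the edge NAT device.

```nginx
# Added example nginx.conf (not from the original thread).
# Placeholders: vpn.example.com = GlobalProtect portal/gateway FQDN,
# 10.0.0.1 = firewall interface, 127.0.0.1:8443 = existing HTTP proxy.
events {}

stream {
    # Decide on the ClientHello SNI only; nothing is decrypted here.
    map $ssl_preread_server_name $upstream {
        vpn.example.com  gp_firewall;   # GlobalProtect: hand off untouched
        default          http_proxy;    # all other sites: existing proxy
    }

    upstream gp_firewall { server 10.0.0.1:443; }
    upstream http_proxy  { server 127.0.0.1:8443; }

    server {
        listen 443;
        ssl_preread on;        # read the SNI from the ClientHello, then relay bytes
        proxy_pass $upstream;
    }
}

http {
    # The reverse-proxied web sites now terminate TLS on the loopback port
    # that the stream block forwards to, instead of listening on :443 directly.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.example.com;                      # placeholder site
        ssl_certificate     /etc/nginx/certs/www.crt;     # placeholder path
        ssl_certificate_key /etc/nginx/certs/www.key;     # placeholder path

        location / {
            proxy_pass http://10.0.0.20:8080;             # placeholder backend
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Because the stream block relays raw TCP, the firewall's GlobalProtect and traffic logs will record the Nginx host's address as the client source rather than the real remote IP, so any source-based policy or log review has to account for that.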
11-04-2023 11:08 PM
You don't need to run the GlobalProtect portal and gateway on the WAN interface.
You can run them on a DMZ interface, for example, and use NAT.
In this case you can DNAT any port and don't need to use the defaults (portal tcp/443 and gateway udp/4501).
11-05-2023 07:30 AM
Thanks for the reply. This is a good idea to eliminate the reverse proxy (which I'm a fan of). I gave it a try this morning and maybe I have something else going on, but it didn't quite work either. I have the portal using 80/443 behind the reverse proxy (which in my testing so far hasn't been an issue) and I have the gateway DNAT'd from 8443 to 443 and 4501 to 4501. I can connect immediately, but then the VPN doesn't allow TCP traffic. ICMP and DNS work fine, but websites all get err_time_out and this is consistent for external and internal IPs. I can see the traffic coming through in the traffic logs and being allowed without any errors or anything. The logs don't seem to have any errors. Any ideas?
11-06-2023 07:25 AM
Found the second issue. I was testing external user access from a T-Mobile internet connection. Apparently T-Mobile requires lowering the GlobalProtect MTU. For anyone coming across this in the future, I lowered it to 1280 for the time being. I may try raising/tweaking it again later.