GlobalProtect VPN and third-party application installed on user's machine (Windows 10)


L1 Bithead

Hi there,

 

Being a vendor, I'm having a hard time deploying my Windows 10 UWP application on client's machines.

The application needs access to the internet in order to operate. It loads a login webpage inside webview, using HTTPS (port 443). No other ports or protocols.

 

The problem is that the app fails to load the login page on the client's machine when VPN is enabled and successfully loads it when VPN is disabled. At the same time, when the login page URL is opened in a browser or simply curl-ed in PowerShell with VPN enabled, it successfully loads.

 

Client has GlobalProtect VPN configured on end users' machines. I don't know what topology is being used or any specific configuration details unfortunately.

 

I was told by client's IT department that the FQDN and port the application is using to load the login page are whitelisted in their firewall. But the application clearly doesn't have access to the Internet when VPN is enabled. I was also told that there are no records in client's firewall for any packets blocked.

 

I wonder if the application should be explicitly whitelisted in the GlobalProtect configuration in order for it to have access to the Internet through HTTPS. While I don't have access to client's VPN configuration, if anyone can give me an idea of where to point the IT department to resolve the problem I would highly appreciate it. In general, do you need to perform any additional steps in GlobalProtect software to allow a third-party Windows 10 UWP application to have access to the Internet via HTTPS?

 

 

1 accepted solution

Accepted Solutions

L7 Applicator

This could have something to do with windows NLA. Network location awareness...

it all seems to get confused as the GP vpn client, and others... do not offer a default gateway to the win engine.

 

Win 10 therefore assumes it has no route to cloudy stuff and explodes....

 

take a look here, this may be of some help and you may be able to test it on a local device if you have admin access....

 

https://live.paloaltonetworks.com/t5/General-Topics/Unable-to-access-Windows-Store-Windows-10-GP-3-0...


4 REPLIES

Thanks a lot. I will find a way to play with this on my test machine to see if I can replicate the problem with other VPN, since I don't have GP as my customer does. 

ok good luck and please post any results...

 

you could also look into split tunneling as an option.

 

we kinda had some success with this but our co' policy does not allow this option for security reasons so we gave up on it...

 

I'm pretty sure similar issues were found with Cisco and Juniper VPN clients but google "windows store vpn" for some good info..

 

 

 

Found the issue. The UWP application was missing the privateNetworkClientServer capability, which, it turns out, is required to have access to the Internet over VPN. Which makes sense after all.

 

MickBall's answer pointed me in the right direction - thank you very much sir! Although it wasn't exactly the same problem in my case, I'm marking MickBall's answer as a solution.
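
The fix reported in the last post, as an added example that is not code from the thread: a Python check that reads a UWP package manifest and reports which network capabilities are declared and which are missing for an app that must reach the Internet over a VPN. Both manifests are constructed samples, the function names are hypothetical, and the "needs both" rule is an assumption taken from the poster's finding.

```python
import xml.etree.ElementTree as ET

INTERNET = {"internetClient", "internetClientServer"}   # Internet / public networks
PRIVATE = "privateNetworkClientServer"                  # home / work networks

# Constructed sample manifests (not taken from the thread).
MANIFEST_BEFORE = """\
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Capabilities>
    <Capability Name="internetClient" />
  </Capabilities>
</Package>"""

MANIFEST_AFTER = MANIFEST_BEFORE.replace(
    '<Capability Name="internetClient" />',
    '<Capability Name="internetClient" />\n'
    '    <Capability Name="privateNetworkClientServer" />',
)


def network_capabilities(manifest_xml):
    """Return the set of network capabilities declared in the manifest."""
    declared = set()
    for el in ET.fromstring(manifest_xml).iter():
        # Capability elements may sit in several namespaces (uap:, rescap:, ...),
        # so compare on the local tag name only.
        if el.tag.rsplit("}", 1)[-1] == "Capability":
            name = el.get("Name")
            if name in INTERNET or name == PRIVATE:
                declared.add(name)
    return declared


def missing_for_vpn(manifest_xml):
    """List capabilities to add, assuming the app needs both Internet and VPN reach."""
    declared = network_capabilities(manifest_xml)
    missing = []
    if not declared & INTERNET:
        missing.append("internetClient")
    if PRIVATE not in declared:
        missing.append(PRIVATE)
    return missing


if __name__ == "__main__":
    for label, xml in (("before", MANIFEST_BEFORE), ("after", MANIFEST_AFTER)):
        print(label, sorted(network_capabilities(xml)), "missing:", missing_for_vpn(xml))
```

privateNetworkClientServer also allows inbound connections on home and work networks, so it widens what the app container can reach; declare it only where the app has to work over such links.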
