MS Outlook 2010 not conecting to the server, when connected via GlobalProtect Always-On VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

MS Outlook 2010 not conecting to the server, when connected via GlobalProtect Always-On VPN

L2 Linker

Hi,

 

I have GP Always-On VPN configured and my test Windows 10 machine connects to the gateway and accesses internal LAN resources fine. MS Outlook 2010 doesn't seem to connect when I am connected via the GP client. Outlook just keeps saying 'Trying to connect to server'. On one occasion, the MS Outlook prompt did appear for me to enter my password. This was done, but it was still saying 'Trying to connect to server'. When I left the machine for some time, Outlook looked it connected, as my mailbox contained the latest emails. Our Exchange mail is hosted externally, as we are part of National Health sector in the UK.

 

I configured the Windows Defender firewall on my Windows 10 machine to allow the GlobalProtect client through the firewall, but made no difference.

 

Has anyone else experienced this with MS Outlook connected via GlobalProtect? 

 

Regards,

 

Robert

11 REPLIES 11

Cyber Elite
Cyber Elite

I think you would need to look at your security policies AND your traffic logs to help you determine what the issue is, specifically.

 

The GP software allows the user to connect (and appear) as a local user, in whatever zone (Source Zone or SZ) (trusted/internal/GP) you define. So look for traffic from the SZ to the DZ, matching your Outlook traffic.

 

I guess... if  all other traffic (as you mentioned... Always On is enabled) is working fine, with the exception of this, then I think it is more a security policy/profile than specifically a GP related issue.   Presumption is that users are configured for the proper internal DNS/WINS, and dns suffix is registered. (all configurations in the GP gateway section)

Help the community: Like helpful comments and mark solutions

Hi Steve,

 

Thanks for your reply. I created a security policy to allow the traffic, but Outlook is still not connecting. Logs show bytes being sent, but none are being received. Was hoping the security policy would resolve this. Have logged a TAC case for advice.

@rchung54 

 

Interesting to open a TAC case.

 

If the FW bytes showed as SENT, but NONE are received, then why do you think this is a FW issue?

 

While I will agree that other apps are probably working, the question I need to ask is... can you please do a packet capture from the downstream switch to confirm that the traffic from the outlook server did, indeed, make it to the FW (as the response traffic)

 

I tend to believe that this is a network/routing issue.

 

Help the community: Like helpful comments and mark solutions

@S.Cantwell 

 

Hi Steve, managed to solve the issue myself. I needed the IPs for the specific mail servers we connect to. Once they were confirmed, I put in a static route for the IPs and Outlook now works.

 

Thanks for your tips on this.

 

Robert

This is interesting because we use O365 and I see the same kind of thing. With initial connection, if you start up Outlook right away, about 50+% of the time you will get exactly what you described in the initial post. Then, you close Outlook and open it again and all is well. It is like the routing is just not there initially and has to figure it out. Since we are using O365, the addresses are very dynamic, so I cannot add the routes. 

 

Your insight has helped me understand what is happening and I will have to see what I might be able to get done.

 

Thanks for the post and your resolution.

 


Bruce.

Learn at least one new thing every day.

Hi Bruce,

 

Perhaps getting Wireshark on to see how the packets flow and start from there. Using Wireshark helped me to see which IP MS Outlook was connecting to, then I needed to get the IP (and subnet) confirmed by the company hosting our Exchange servers. It sounds like using MS O365 is more complicated, but good luck.

 

Robert

Hello again.,

I wanted to hold my comments about this static routing, as I really do not understand why you needed to put in static routes.

I am only presuming that your FW can fwd traffic out its public interface, and let the routing of the Internet get the traffic to the Outlook servers.

 

The other question that I had... is why ONLY the GP users.

If you needed outlook to work with static routes, this also implies that your internal users could not have had their email working at all.

Again, because it was not a security policy change, but a network/routing change.

 

Am I simplifying your configuration too much?

Help the community: Like helpful comments and mark solutions

@BruceBennett , Hi.

 

I am also seeing similar issues on O365.  I only see it on a small number of devices and we have quite a few thousand corporate laptops connecting every day.

 

@rchung54 

are we talking static routes at the client end for resolution here..

@Mick_Ball Hi,

With your users that are seeing the issue:

Is it consistently the same users, or does that change?

When the users do see the issue, is it as simple as them closing Outlook and opening it up again to fix it?

 

 


Bruce.

Learn at least one new thing every day.

@BruceBennett 

@Mick_Ball 

 

Our mail is hosted by a company for the UK public health service. When on the LAN, we connect to the Exchange servers with a private IP range, via our public health ISP/WAN provider.. When off LAN, ie. in a public airport lounge, we can still connect to the same Exchange servers for our mail, via public IPs. Don't know the full set up of the Exchange servers, as this is managed externally, but that's what I've figured out.

 

I expected MS Outlook just to work, once I was logged in via GlobalProtect, as effectively, I was on the corporate LAN. Mapping to shared drives etc all worked fine along with everything else. Just seemed bizarre MS Outlook didn't.

 

How I eventually got MS Outlook to work via GlobalProtect, was I had to create a static route with the private IP range and point it back into my inside LAN facing interface (my Trust zone). All been fine since.  

@BruceBennett , Hello.

out of several thousand users it only seems to be a handful, i am currently investigating 2 particular users.

i can replicate a similar issue if i disable GP for a couple of hours and then re enable it but its not the same as outlook will connect on a restart of the app.  I think in this case i just mangle the thing by constant enable and disable.

the 2 users quite often cannot use when gp is connected.   I have used reconnect in the outlook connection status tool but never seems to work for them.

 

i am hoping to wiireshark client laptop but not had chance yet.

  • 9881 Views
  • 11 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!