08-02-2017 09:33 PM
Hi All,
I'm currently trying to set up an SSL VPN using the GlobalProtect client on a Palo Alto FW.
I have:-
- issued a self-signed root CA and CA to the Palo
- set up VPN tunnel
- created VPN zone
- set up an authentication profile using RADIUS and directed it to our NPS server, which currently has a policy to allow access to an AD group "VPN Users", which I am the only member of.
- set up portal access
- created a virtual gateway
- applied policy to allow users contacting the palo from the outside to connect to the portal
- I have also set up policy to allow VPN users to access certain routes.
I am not able to access the portal. I type https://gateway-address and it sends me to the IIS7 page.
I'm not too sure where I've gone wrong or how to locate any errors etc. to resolve this issue.
Any advice will be much appreciated.
Thanks
08-03-2017 01:50 AM
Do you mean you are setting up GlobalProtect on a Palo Alto firewall, and when you try to access the page https://<ip-address-of-portal> you get an IIS7 page?
The firewall will not return an IIS7 page. Maybe you have port forwarding configured which is forwarding your connection to a Windows Server.
Please make sure that your connection is terminating on the firewall.
You can check your session on CLI:
show session all filter source <ip of your client> (use public IP if accessing from outside)
See if there is any NAT happening here.
08-03-2017 05:58 AM
I suspect some Destination NAT is causing this.
Please check the session details either from the Traffic logs or via 'show session all filter source <User's public IP> destination <Portal's public IP>'.
Regards,
Anurag
08-10-2017 04:36 PM
Turns out the SSL CA we were using was redirecting us to another server.
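
A client-side complement to the session check suggested in the replies, added here as an example and not part of the original thread: it looks at the Server header and the certificate presented on port 443 to tell whether the connection ends on the firewall or on another host. It assumes you have exported the portal certificate from the firewall and know its SHA-256 fingerprint; the function names and the sample data are constructed for illustration.

```python
import hashlib
import socket
import ssl

def server_header(raw: bytes) -> str:
    """Return the Server header value from a raw HTTP response, or ''."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""

def assess(raw: bytes, presented_der: bytes, expected_sha256: str) -> str:
    """Classify the responder from its Server header and leaf certificate."""
    if server_header(raw).lower().startswith("microsoft-iis"):
        return "iis-responder"        # a Windows web server answered, not the firewall
    presented = hashlib.sha256(presented_der).hexdigest()
    if presented != expected_sha256.replace(":", "").lower():
        return "unexpected-cert"      # TLS ended somewhere other than the portal
    return "portal-cert-match"        # the portal certificate was presented

def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch the leaf certificate (DER) and the response headers for HEAD /."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the portal cert is self-signed, so chain
    ctx.verify_mode = ssl.CERT_NONE   # validation is replaced by the pin in assess()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 16384:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return raw, der

# Constructed sample data so the logic can be exercised offline.
SAMPLE_PORTAL_DER = b"constructed-portal-cert-bytes"   # stands in for the exported cert
SAMPLE_PIN = hashlib.sha256(SAMPLE_PORTAL_DER).hexdigest()
SAMPLE_IIS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.5\r\n\r\n"
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(assess(SAMPLE_IIS, SAMPLE_PORTAL_DER, SAMPLE_PIN))
    print(assess(SAMPLE_OTHER, b"some-other-cert", SAMPLE_PIN))
    print(assess(SAMPLE_OTHER, SAMPLE_PORTAL_DER, SAMPLE_PIN))
```

Against a live address, pass the two values returned by probe() to assess() together with the fingerprint of the certificate exported from the firewall; anything other than a certificate match points back at the NAT and port-forwarding checks from the replies.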