- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-04-2018 05:06 AM - edited 05-04-2018 05:53 AM
Hi,
I found this thread in General Topic (https://live.paloaltonetworks.com/t5/General-Topics/Unable-to-access-Windows-Store-Windows-10-GP-3-0...), and I have the same problem in my infraestructure; but no only with Windows Store, also with Kindle application for Windows 10.
The problem is that applications (Windows Store, Kindle) are not tunneled on GlobalProtect; and in the log of firewall dont show me any log. The issue I think that is of GlobalProtect.
I have tried with differents version of GlobalProtect, (3.1.5, 3.1.6, 4.0.2, 4.0.3, 4.0.4, 4.0.6, 4.0.7, 4.1.0), now I have installed 4.1.1; and also I have tried with differents versions of PAN-OS (7.1.14, 7.1.15, 8.0.6, 8.0.7) now I have installed 8.0.8.
Logically, I have been using typical traffic capture tools such as WireShark or Fiddler, without finding anything that solves it. However, as soon as I deactivate the GlobalProtect, both applications work immediately.
Does anyone else have this problem or know how to solve it?
Do you know if the TAC has proof of this problem?
Thanks,
AROMERO
05-04-2018 07:43 AM
Hello,
It sounds like you have split-tunneling enabled. Check your config to be sure.
Regards,
05-04-2018 08:34 AM
Two years ago I had a TAC case open for this ... the answer I think was "this is an issue of microsoft" ... all right, I opened a case at microsoft "this is an issue of the vpn software" ... after speaking again to palo TAC without a solution I simply gave up on this as it wasn't that important for us.
But also for us this is still an issue: windows store apps are not able to connect anywhere when global protect is connected.
May be you @aromero have more success if you open a TAC case?
05-04-2018 11:14 AM
This was also an issue for me with win 10. It worked with other vpn but not pan. From what i can remember it was an issue with NLA.
microsoft network location awareness. The problem is that the vpn has no default gateway so NLA assumes no internet access.. not sure if it was resolved but will check next week. Google NLA and vpn default gateway 0.0.0.0 as there are some reg settings to trick NLA or turn it off...
will update next week...
05-04-2018 03:01 PM
@Mick_Ball wrote:This was also an issue for me with win 10. It worked with other vpn but not pan. From what i can remember it was an issue with NLA.
microsoft network location awareness. The problem is that the vpn has no default gateway so NLA assumes no internet access.. not sure if it was resolved but will check next week. Google NLA and vpn default gateway 0.0.0.0 as there are some reg settings to trick NLA or turn it off...
will update next week...
Would be great if you post the trick(s) on how to make this work 😉
05-10-2018 01:48 AM
Sorry all. this was never solved. it has now just been accepted by our users that the windows store is only available from the lan.
I did try several reg hacks and settings but only produced a random success rate that probably had nothing to do with the hacks/changes in the first place...
Mick.
10-24-2019 11:16 PM
We have the same issue(on GP 5.0.3), You can do a ugly workaround with split-tunnel [Exclude Client Application Process name]
f.ex
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11904.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
But this is kind non manageable as version is in the path and changes frequently as windows store kind of autoupdates itself.
Will raise a ticket also.
04-13-2020 11:08 AM
Can I add *\winstore.app.exe as the exclusion?
04-13-2020 11:00 PM
We tried versions on this , but sadly we didn't get this to work with any wildcards in path.
This seems related, I think it can be solved additional changes on windows side.
04-14-2020 08:57 AM
Yup, this is a issue on the Windows side. This was what fixed it for us (we added the GP IP Pool).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!