Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

L1 Bithead


Hi,

I found this thread in General Topics (https://live.paloaltonetworks.com/t5/General-Topics/Unable-to-access-Windows-Store-Windows-10-GP-3-0...), and I have the same problem in my infrastructure, but not only with the Windows Store, also with the Kindle application for Windows 10.

The problem is that the applications (Windows Store, Kindle) are not tunneled on GlobalProtect, and the firewall log doesn't show me any entries. I think the issue is with GlobalProtect.

I have tried different versions of GlobalProtect (3.1.5, 3.1.6, 4.0.2, 4.0.3, 4.0.4, 4.0.6, 4.0.7, 4.1.0), and now I have 4.1.1 installed; I have also tried different versions of PAN-OS (7.1.14, 7.1.15, 8.0.6, 8.0.7), and now I have 8.0.8 installed.

Logically, I have been using typical traffic capture tools such as Wireshark or Fiddler, without finding anything that solves it. However, as soon as I deactivate GlobalProtect, both applications work immediately.

Does anyone else have this problem or know how to solve it?

Do you know if the TAC has proof of this problem?

Thanks,

AROMERO

Cyber Elite

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

Hello,

It sounds like you have split-tunneling enabled. Check your config to be sure.

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

Regards,

Cyber Elite

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

Two years ago I had a TAC case open for this ... the answer, I think, was "this is an issue of Microsoft" ... all right, I opened a case at Microsoft: "this is an issue of the VPN software" ... after speaking again to Palo TAC without a solution I simply gave up on this, as it wasn't that important for us.

But for us this is also still an issue: Windows Store apps are not able to connect anywhere when GlobalProtect is connected.

Maybe you, @aromero, will have more success if you open a TAC case?

L7 Applicator

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

This was also an issue for me with Win 10. It worked with other VPN but not PAN. From what I can remember, it was an issue with NLA.

Microsoft Network Location Awareness. The problem is that the VPN has no default gateway, so NLA assumes no internet access. Not sure if it was resolved, but will check next week. Google NLA and VPN default gateway 0.0.0.0, as there are some reg settings to trick NLA or turn it off...

Will update next week...

Cyber Elite

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications


@MickBall wrote:

This was also an issue for me with Win 10. It worked with other VPN but not PAN. From what I can remember, it was an issue with NLA.

Microsoft Network Location Awareness. The problem is that the VPN has no default gateway, so NLA assumes no internet access. Not sure if it was resolved, but will check next week. Google NLA and VPN default gateway 0.0.0.0, as there are some reg settings to trick NLA or turn it off...

Will update next week...


Would be great if you post the trick(s) on how to make this work ;)

L7 Applicator

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

Sorry all. This was never solved. It has now just been accepted by our users that the Windows Store is only available from the LAN.

I did try several reg hacks and settings, but they only produced a random success rate that probably had nothing to do with the hacks/changes in the first place...

Mick.

L0 Member

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

We have the same issue (on GP 5.0.3). You can do an ugly workaround with split-tunnel [Exclude Client Application Process name], for example:
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11904.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
But this is kind of unmanageable, as the version is in the path and changes frequently because the Windows Store kind of auto-updates itself.
Will raise a ticket also.
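
The versioned-path problem described in the post above can at least be detected: this added example (not from the thread or from Palo Alto Networks) resolves the installed Microsoft Store package path with `Get-AppxPackage` and compares it with a configured exclusion. `$ConfiguredPath` is an assumption standing in for your own exclusion entry; its default is the path quoted in the post.

```powershell
# Added example: report whether a split-tunnel application exclusion still
# points at the Microsoft Store executable that is actually installed.
# $ConfiguredPath is an assumption: replace it with the entry from your own
# "Exclude Client Application Process Name" list.
param(
    [string]$ConfiguredPath = 'C:\Program Files\WindowsApps\Microsoft.WindowsStore_11904.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe'
)

function Get-StoreExePath {
    # One object per Store package registered for the current user.
    Get-AppxPackage -Name 'Microsoft.WindowsStore' | ForEach-Object {
        [pscustomobject]@{
            Version = $_.Version
            Path    = Join-Path $_.InstallLocation 'WinStore.App.exe'
        }
    }
}

$installed = @(Get-StoreExePath)
if ($installed.Count -eq 0) {
    Write-Warning 'Microsoft.WindowsStore is not registered for this user.'
    return
}

foreach ($pkg in $installed) {
    # Windows paths are case-insensitive, so compare with -ieq.
    [pscustomobject]@{
        InstalledVersion = $pkg.Version
        InstalledPath    = $pkg.Path
        ExclusionCurrent = ($pkg.Path -ieq $ConfiguredPath)
    }
}
```

A row with `ExclusionCurrent` set to `False` means the Store has updated since the exclusion was written, so the entry no longer matches the running executable.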

L1 Bithead

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

Can I add *\winstore.app.exe as the exclusion?

L0 Member

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

We tried versions of this, but sadly we didn't get it to work with any wildcards in the path.
This seems related; I think it can be solved with additional changes on the Windows side.

https://support.microsoft.com/en-us/help/4537233/microsoft-store-not-open-after-domain-joined-comput...
/Br Stefan

L1 Bithead

Re: Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

Yup, this is an issue on the Windows side. This was what fixed it for us (we added the GP IP Pool).

 

https://support.microsoft.com/en-us/help/4537233/microsoft-store-not-open-after-domain-joined-comput...
