Problems with GlobalProtect when not tunneling the Windows Store and Kindle applications

L1 Bithead

Hi,

 

I found this thread in General Topics (https://live.paloaltonetworks.com/t5/General-Topics/Unable-to-access-Windows-Store-Windows-10-GP-3-0...), and I have the same problem in my infrastructure; not only with Windows Store, but also with the Kindle application for Windows 10.

 

The problem is that applications (Windows Store, Kindle) are not tunneled on GlobalProtect, and the firewall log doesn't show me any log entries. I think the issue is with GlobalProtect.

 

I have tried different versions of GlobalProtect (3.1.5, 3.1.6, 4.0.2, 4.0.3, 4.0.4, 4.0.6, 4.0.7, 4.1.0); now I have 4.1.1 installed. I have also tried different versions of PAN-OS (7.1.14, 7.1.15, 8.0.6, 8.0.7); now I have 8.0.8 installed.

 

Logically, I have been using typical traffic capture tools such as Wireshark or Fiddler, without finding anything that solves it. However, as soon as I deactivate GlobalProtect, both applications work immediately.

 

Does anyone else have this problem or know how to solve it?

 

Do you know if the TAC has proof of this problem?

 

Thanks,

 

AROMERO

 

9 REPLIES 9

Cyber Elite

Hello,

It sounds like you have split-tunneling enabled. Check your config to be sure.

 

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

Regards,

Two years ago I had a TAC case open for this ... the answer I think was "this is an issue of Microsoft" ... all right, I opened a case at Microsoft: "this is an issue of the VPN software" ... after speaking again to Palo TAC without a solution I simply gave up on this, as it wasn't that important for us.

 

But also for us this is still an issue: Windows Store apps are not able to connect anywhere when GlobalProtect is connected.

 

Maybe you, @aromero, will have more success if you open a TAC case?

This was also an issue for me with Windows 10. It worked with other VPNs but not PAN. From what I can remember, it was an issue with NLA.

 

Microsoft Network Location Awareness. The problem is that the VPN has no default gateway, so NLA assumes no internet access. Not sure if it was resolved, but I will check next week. Google NLA and VPN default gateway 0.0.0.0, as there are some reg settings to trick NLA or turn it off...

 

Will update next week...


@Mick_Ball wrote:

This was also an issue for me with Windows 10. It worked with other VPNs but not PAN. From what I can remember, it was an issue with NLA.

 

Microsoft Network Location Awareness. The problem is that the VPN has no default gateway, so NLA assumes no internet access. Not sure if it was resolved, but I will check next week. Google NLA and VPN default gateway 0.0.0.0, as there are some reg settings to trick NLA or turn it off...

 

Will update next week...


Would be great if you post the trick(s) on how to make this work 😉

Sorry all. This was never solved. It has now just been accepted by our users that the Windows Store is only available from the LAN.

 

I did try several reg hacks and settings but only produced a random success rate that probably had nothing to do with the hacks/changes in the first place...

 

Mick.

 

 

We have the same issue (on GP 5.0.3). You can do an ugly workaround with split-tunnel [Exclude Client Application Process name],
for example:
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11904.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
But this is kind of unmanageable, as the version is in the path and changes frequently, since Windows Store kind of auto-updates itself.
Will raise a ticket also.

Can I add *\winstore.app.exe as the exclusion?

We tried versions of this, but sadly we didn't get this to work with any wildcards in the path.
This seems related; I think it can be solved with additional changes on the Windows side.

https://support.microsoft.com/en-us/help/4537233/microsoft-store-not-open-after-domain-joined-comput...
/Br Stefan

Yup, this is an issue on the Windows side. This was what fixed it for us (we added the GP IP Pool).

 

https://support.microsoft.com/en-us/help/4537233/microsoft-store-not-open-after-domain-joined-comput...
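
Added example, not part of any reply in this thread: a read-only PowerShell diagnostic for the two observations above, the versioned WinStore.App.exe path and the NLA/default-gateway theory. The function names are hypothetical; the package and executable names are taken from the path quoted in the thread, and it assumes you run it in the affected user's session while GlobalProtect is connected.

```powershell
# Added example: diagnostic only, makes no changes to the system.

# 1. Resolve the current, versioned install path of the Store executable.
#    The folder name embeds the package version, so it changes whenever
#    the Store updates itself (the maintenance problem noted in the thread).
function Get-StoreExePath {
    param(
        [string]$PackageName = 'Microsoft.WindowsStore',  # from the quoted path
        [string]$ExeName     = 'WinStore.App.exe'         # from the quoted path
    )
    Get-AppxPackage -Name $PackageName | ForEach-Object {
        [pscustomobject]@{
            Version = $_.Version
            ExePath = Join-Path $_.InstallLocation $ExeName
        }
    }
}

# 2. Show what NLA reports for each connected network, and whether that
#    interface carries an IPv4 default route (0.0.0.0/0).
function Get-NlaRouteSummary {
    Get-NetConnectionProfile | ForEach-Object {
        $routes = Get-NetRoute -InterfaceIndex $_.InterfaceIndex `
                               -DestinationPrefix '0.0.0.0/0' `
                               -ErrorAction SilentlyContinue
        [pscustomobject]@{
            InterfaceAlias   = $_.InterfaceAlias
            NetworkCategory  = $_.NetworkCategory
            IPv4Connectivity = $_.IPv4Connectivity   # e.g. Internet, LocalNetwork, NoTraffic
            HasDefaultRoute  = [bool]$routes
            NextHop          = ($routes.NextHop -join ', ')
        }
    }
}

Get-StoreExePath    | Format-List
Get-NlaRouteSummary | Format-Table -AutoSize
```

Comparing the second table with GlobalProtect connected and disconnected shows whether the VPN interface is the one reported without Internet connectivity or without a default route.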
