03-06-2019 04:54 PM - edited 03-06-2019 04:57 PM
As per the title, is this physically possible?
Long story short, I have a requirement to connect remotely to a company user's laptop, which is connected to GlobalProtect VPN, via Remote Desktop from another PC on the same company's LAN.
I have attempted to connect from a PC on the company LAN to a user working from home who is connected to GlobalProtect VPN, to no avail.
As far as the user's setup is concerned, port forwarding is configured to forward incoming RDP connections to their fixed-IP laptop.
I can remote into the laptop from the same network, so I know that it can physically accept RDP connections, but it fails when connecting from the company LAN to the VPN-connected laptop.
Can someone advise:
a) If this is possible?
b) If so, how to configure it to allow said connection?
03-06-2019 05:04 PM
Are you allowing the traffic from your LAN to the remote user connected via GlobalProtect?
03-06-2019 05:09 PM
This is the million-dollar question... how does one check this? RDP traffic on port 3389 is allowed within the company, but what's messing with my head is how to check if our domain / WAN will allow traffic to GlobalProtect-connected clients...
Is there any way to quickly check?
03-06-2019 06:24 PM
Log on to your PAN device and check if there is a security rule allowing traffic (Policies tab --> Security) from your Trusted zone/LAN to the GlobalProtect zone for application ms-rdp; if not, create a rule and commit.
You can also check the traffic logs on the PAN device under the Monitor tab.
Hope this helps.
03-06-2019 10:58 PM
I'm a bit confused by your RDP method.
You mentioned port forwarding, which suggests that you are connecting to the user's given ISP address.
You should be able to connect if you follow the advice of @Alex_Gomez, but not via the user's ISP address; rather, via the user's IP address given by the Palo Alto gateway setting.
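To make the two checks from the replies above concrete (a security rule from the LAN zone to the GlobalProtect zone for ms-rdp, and connecting to the tunnel IP rather than the user's ISP address), here is an added triage script. It is example code written for this page, not from the thread or from Palo Alto Networks. It reads a constructed CSV export of traffic-log rows (the column names src, dst, from, to, app, dport, action and rule mirror PAN-OS traffic-log field names, but the rows, the zone names "trust" and "gp-vpn", the GlobalProtect pool 10.200.0.0/24 and the rule names are all made up) and labels each RDP attempt as aimed at the wrong address, blocked by policy, or fine.

```python
"""Triage RDP attempts from the office LAN to a GlobalProtect client.

Added example, not from the thread or from Palo Alto Networks. Reads
constructed PAN-OS-style traffic-log rows (CSV export with a header row)
and classifies each RDP attempt by the two failure modes raised in the
thread: targeting the user's ISP/public address instead of the tunnel IP,
and no security rule allowing ms-rdp from the LAN zone to the GP zone.
"""
import csv
import io
import ipaddress

# Assumed values: zone names and the GlobalProtect IP pool are placeholders;
# a real deployment uses whatever is configured on the gateway.
LAN_ZONE = "trust"
GP_ZONE = "gp-vpn"
GP_POOL = ipaddress.ip_network("10.200.0.0/24")
RDP_PORT = 3389

# Constructed sample of a traffic-log CSV export (not real log data).
SAMPLE_LOG = """\
src,dst,from,to,app,dport,action,rule
192.168.10.25,203.0.113.45,trust,untrust,ms-rdp,3389,allow,lan-out
192.168.10.25,10.200.0.17,trust,gp-vpn,ms-rdp,3389,deny,interzone-default
192.168.10.30,10.200.0.17,trust,gp-vpn,ms-rdp,3389,allow,lan-to-gp-rdp
192.168.10.25,10.200.0.17,trust,gp-vpn,ssl,443,allow,lan-to-gp-rdp
"""


def classify(row):
    """Return a verdict for one traffic-log row, or None if it is not RDP."""
    if row["app"] != "ms-rdp" and int(row["dport"]) != RDP_PORT:
        return None
    dst = ipaddress.ip_address(row["dst"])
    if dst not in GP_POOL:
        # Port forwarding at the user's home router is being targeted;
        # the session never enters the tunnel. Use the GP-assigned IP.
        return "wrong-target"
    if row["from"] != LAN_ZONE or row["to"] != GP_ZONE:
        # Tunnel address reached, but not via the expected zone pair.
        return "unexpected-zones"
    if row["action"] != "allow":
        # Hit the interzone default or an explicit deny: no LAN -> GP
        # rule for ms-rdp exists yet.
        return "blocked-by-policy"
    return "ok"


def triage(csv_text):
    """Classify every RDP row in a CSV export; returns (src, dst, rule, verdict)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    results = []
    for row in reader:
        verdict = classify(row)
        if verdict is not None:
            results.append((row["src"], row["dst"], row["rule"], verdict))
    return results


if __name__ == "__main__":
    for src, dst, rule, verdict in triage(SAMPLE_LOG):
        print(f"{src} -> {dst} rule={rule}: {verdict}")
```

A "blocked-by-policy" verdict with the interzone default rule as the hit is the symptom the last reply in this thread reports; the fix is the LAN-to-GP ms-rdp rule described above. On the firewall itself, the CLI command `test security-policy-match` can confirm which rule a given source, destination, port and application would match before you rely on the log view.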
03-12-2019 01:20 PM
Thanks for the responses... however, I received a response from the internal firewall admin, who stated that incoming connections are blocked...
06-10-2020 11:28 AM
The setting that you are looking for is "User Switch Tunnel Rename Timeout"
which can be found at: Network > GlobalProtect > Portal > [portal_conf] > Agent > App -> User Switch Tunnel Rename Timeout
See https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-portals/define... for additional details.