RDP To VPN Connected User

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

RDP To VPN Connected User

L2 Linker

As the title, is this physically possible? 


Long story short, have a requirement to connect remotely to a company users laptop, which is  connected to GlobalProtect VPN... via remote desktop from another pc on the same companys LAN


Have attempted to connect from a pc on the company LAN to a user working from home who is connected to GlobalProtect VPN to no avail


As far as the users setup is conerned, port forwarding is configured to forward incoming RDP connections to there fixed IP laptop.


Can remote into the laptop from the same network, so know that it can physically except RDP connections but fail when connecting from a company LAN to vpn connected laptop



Can someone advise

a) If this is possible?

b) If so, how to configure to allow said connection?






L1 Bithead

Are you allowing the traffic from your Lan to the remote user connected via GlobalProtect?

This is the million dollar question... how does one check this? RDP traffic on port 3389 is allowed within the company.... but whats messing with my head is how to check if our domain / WAN will allow traffic to GlobalProtect connected clients...


Is there anyway to quickly check?

Logon to your PAN Device and check if there is a Security Rule Allowing Traffic (Policies Tab --> Security)  from your TrustedZone/Lan to GlobalprotectZone application ms-rdp if not create a rule and commit.


Also you can check the traffic logs on the PAN Device under the Monitor Tab.


Hope this helps..

L7 Applicator

 Im a bit confused with your rdp method.

you mentioned port forwarding which suggests that you are connecting to the users Given ISP address.


you should be able to connect if you follow the advice of @Alex_Gomez but not via the users isp but via the users ip address given by the palo alto gateway setting.

Thanks for the responses.... however I received a response from internal firewall admin who stated that incoming connections are blocked...

L1 Bithead

The setting that you are looking for is "User Switch Tunnel Rename Timeout"

which can be found at: Network > GlobalProtect > Portal > [portal_conf] > Agent > App -> User Switch Tunnel Rename Timeout



https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-portals/define... for additional details.

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!