12-21-2016 07:35 AM - edited 12-21-2016 07:36 AM
Hi,
We are establishing RDP sessions through GlobalProtect. These RDP sessions are closed; we went into this link: https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/globalprotect-features/rdp...
We changed this value for "User Switch Tunnel Rename Timeout" to the maximum permitted (600 seconds), but it's not enough. We would like to have unlimited time for RDP. How can we configure this?
12-21-2016 09:13 AM
That grace period is the amount of time that the tunnel stays up when someone RDPs into a computer; failing to authenticate with GP before the grace period has expired causes the RDP session to be dropped.
Your users will need to auth with the gateway once they login to actually maintain the session. If you fail to auth with the gateway then rightfully the RDP will terminate because you have missed the grace period authentication timeout, since GP knows that the RDP user is not the user allocated to that tunnel.
12-21-2016 11:32 PM - edited 12-21-2016 11:49 PM
OK, perfect, but how can I configure this?
We have configured the agent as on-demand. What should we change to solve this RDP timeout?
Thanks
01-06-2017 07:32 PM
Hello All,
I have a similar issue. The customer has a Windows 2012 VM in the Azure cloud. GlobalProtect runs on the VM. Once the RDP session to the VM gets disconnected, GlobalProtect disconnects as well. Is there a way to configure GlobalProtect to have the agent connected even when RDP is disconnected?
Thank you in advance.
01-07-2017 06:52 AM - edited 01-07-2017 07:01 AM
@sryazantse if you are running a VM in a cloud service you really shouldn't be running GlobalProtect to get that traffic tunneled back to your organization. Palo has released VM versions of the firewall to manage virtual environments that are really meant to be used in this type of situation; purchase one of those and have it tunnel back to your office and link them together like that.
I won't say that what you are doing isn't possible with the right configuration, but it's one of those things that, while it's possible, really shouldn't be done, as it's not really supported at all and you are not going to have a great experience.
Edit: To add a little bit to this, you can check the same link that I just posted. Unlike with other VPN clients, GlobalProtect is very much aware that somebody else has taken over the remote client and you need to authenticate; likewise, when you disconnect, it again registers that the user has changed and will ask the user to reauthenticate. What you are trying to do would be better suited for an IPSec VPN tunnel if you are trying to get that VM to stay connected to your network. Directions can be found HERE; again, I would really recommend that you install the VM series for Azure and get something to not only protect access to that VM but tie all future VM deployments into your network and protect/connect them like that.
01-07-2017 06:55 AM
@soporteseguridad sorry, I must have missed that you had ever responded. Check this link; it describes what you are running into and will describe how you can adjust the grace period in your agent.