We just deployed and started using GlobalProtect 5.1.1 to support the work-from-home COVID-19 initiative for thousands of remote workers. Everything is working well but my SCCM guys can't manage any of the remote clients to push patches or software updates. Our internal DNS resolves the host names to the last LAN address of the host, not the IP pool address. The same things happens with Cisco AnyConnect clients. I don't know anything about AD or SCCM. Is SCCM management of remote hosts doable and if so, how are you doing it?
Thanks for this info... It def helps... So we have the EXACT same setting applied. But what really baffles me is that we just tested by deploying a VM within the same subnet as our GP Clients & Primary SCCM server and it worked and received ALL applications and software deployments. But the GP Clients are still not getting it. Can I ask what Version of SCCM you are on? 1910 or 2002? Also, is there anything specific you had done/applied on your Palo GP Config? Our clients are using a /22 range and below is a snapshot of a device using Global Protect.
Why we require Group Policy
For various tasks such as communicating with Active Directory Discovery, Remote administration and WMI connectivity, we require these policies.
There are 3 types of settings we require:
- To Ping Client Workstations (By default this communication is blocked if Firewall is enabled)
- To connect to Clients Admin$ Share
- To connect to clients WMI ( as SCCM heavily relies on WMI repository to store all policies, deployments and other tasks)
Default Behavior of client ( before creating Group Policy)
a. By default, we cannot ping the client workstations in case the firewall is enabled. Even though the machine is switched on and connected on the same network, we will not receive the Ping response.
b. We are not able to connect to the admin$ share of the client (ie clients “c:\windows” directory). This is required for various tasks including SCCM client push installation was setup files over the network copies under client’s c:\windows directory.
c. Inbound remote administration is disabled by default, which means we cannot connect to clients WMI repository remotely. This is mandatory to install SCCM client and to download and save several SCCM policies, deployments & tasks. If we try connecting to clients WMI by using wettest (inbuilt tool on Windows), we will get error “0x800706ba“
Thanks in Advance
We had the same issues reported as the others here. We were able to get past most issues with the solution presented from the OP.. additionally we had to move from subnets within the Boundary groups to IP ranges. This was a change for us from how AnyConnect was configured, but this seemed to fix our inability to see updates as well as TS's and packages.
We still however don't have a solution for our techs inability to Remote Control or RDP consistently. I know this has something to do with DNS resolution not happening properly or timely enough.. does anyone have information that might assist with this issue or tips for our server admin team on replication timing?.. Thanks in advance!!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!