Global Protect Split Tunnelling on Domains - client version issue?
cancel
Showing results for 
Search instead for 
Did you mean: 

Global Protect Split Tunnelling on Domains - client version issue?

L4 Transporter

Hey folks.

 

We're planning in implementing MFA for Office 365, and as part of that I want to add the Microsoft office domains into our Global protect split tunnels - since almost everyone is working from home, I want to whitelist our "corporate" IP addresses and have people who are connected from company PC's on the VPN not be bothered by MFA requests.

 

This is relatively easy in the configuration, but I've come across an issue which is perplexing me.

 

I run my personal machine on a fairly recent VPN client to check for issues before pushing it out to the main portal for users to upgrade - and when I implemented this split tunnel on the portal, it didn't work.

 

A colleague who is running the "production" release I have on the portal. So I downgraded tot hat version - and the split tunnelled domains work.

 

Does anyone know if there's something extra in the later clients which needs to be done to make this work?

 

Working client version - 5.0.8

Failed client version - 5.2.2

 

Thanks

4 REPLIES 4

Cyber Elite
Cyber Elite

@darren.g 

I am running GP version 5.2.4 and split tunnel is working fine.

We have configured all Microsoft domains and IP to bypass the tunnel.

 

Try to upgrade to 5.2.4.

 

Regards

MP

L3 Networker

I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.co...

 

We had it all working on 5.1.8 / 8.1.X

Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.

 

There's a setting for GP to do split only for network or for both network & dns.

Not sure if that will solve things as we are in the middle of investigating with TAC

@sebastianvd 

 

If you want to use split tunnel based on network then it is good practice to also use split tunnel based on DNS.

That way GP agent will not contact the configured GP DNS server.

 

You should use the split tunnel based on the DNS.

 

Regards

 

 

MP


@sebastianvd wrote:

I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.co...

 

We had it all working on 5.1.8 / 8.1.X

Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.

 

There's a setting for GP to do split only for network or for both network & dns.

Not sure if that will solve things as we are in the middle of investigating with TAC


I wasn't able to get it working on DNS-based names,but fortunately, Microsoft has a list of IP's you need to add into the tunnel, so I just added a whole bunch of route/groups and made it work.

 

It's a pity, because it'd be such a great feature - for anything "xx.microsoft.com", send the traffic over the tunnel - but instead it's all based on IP ranges now.

 

Made it work, but it wasn;t as easy as it should have been.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!