- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-31-2025 03:49 PM
Thanks for everyone's insights on this in advance.
We are trying to expose an internally available web application (a self-hosted Git repository) through our GlobalProtect Clientless VPN. The challenge I'm trying to solve is setting the callback URL from our external authentication provider (Auth0) to redirect back to the portal address of the application, rather than the internal network address.
Since the application is being reverse proxied through the Clientless VPN, it isn't aware that it's being accessed through a Clientless VPN. After it reaches out to the auth provider, the redirect goes back to the internally hosted domain, which isn't publicly accessible.
Reviewing the docs at https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp... led me to believe that perhaps I'm approaching this differently than I should be. Not seeing anything in there about modifying HTTP headers, it's leading me to think that either there's another way to do this directly within Panorama, or the recommendation is to use an intermediary proxy between the Clientless VPN and our application to set the appropriate headers, allowing the authentication callback to complete.
Additionally, in our portal configuration advanced settings, we've configured our auth provider's tenant URL to be on the rewrite exclude domain list. That part is working as expected.
Our VPN gateways are licensed with the necessary subscriptions, including Advanced URL Filtering and GlobalProtect Gateway. Our Panorama instance is running on PAN-OS 11.1.x.
If anyone has guidance that I can follow to configure this correctly, your time and input would be greatly appreciated. Thank you.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!