Clientless VPN - Application is not accessible

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Clientless VPN - Application is not accessible

Hello All,

 

qst.jpg

This is my topology I have configured Clientless VPN hosting two application as, paloaltonetworks.com (external-application) and amazon.forest.in (internal hosted application). But i am unable to access the application that hosted inside. In this question have attached my configuration also.  other than that there is no sent byte for clientless-VPN traffic also.

 

 

q1.jpg

 

 

 

 

q2.jpgQ3.jpgExternal application works but no sent bytes ?External application works but no sent bytes ?q5.jpg

q6.jpg

ISSUE NOTE : 1.External Application working but there is no sent bytes

                         2.Internal Application not accessible

5 REPLIES 5

L6 Presenter

This sigfnals a routing issue or DNS issue as 0 bites are send. Check if the DNS resolution is working for the Palo Alto as maybe the routing or Service route is wrong (palo alto by default uses the managment):

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes

 

 

Also check the config:

 

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp...

 

 

Finally just check the global counters, tcdump for drops and the security policy:

 

https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-r...

 

 

 

Also there are a lot of articles for debuging web issues for clientless vpn and try using different browsers:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPizCAG

 

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POjmCAG&lang=en_US%E2%80%A...

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSiCAO

 

L6 Presenter

Hello, Did you test the DNS resolution and routing are correct ?  If so using another browser as your error seems to be seen a lot for chrome browser and then finally doing tcpdump/pcap capture for the rewrite action to see how Palo Alto rewrites the HTTP/HTML content and you can find this from the links I shared and also using Fiddler to see how direct access to application looks like without the Clientless VPN and with it and to compare.

I am having different issue, not sure if this is only for me or other users as well. If my issue is faced by everyone then I am not sure how clientless VPN is helpful.

 

So I will take example of above images:

 

User logs in to Clientless VPN at https://192.168.29.245 and on portal page, user clicks on Palo Alto tile. This opens a new tab with URL as https://192.168.29.245/https/www.paloaltonetworks.com/ , as shown in above image.

 

Now the issue is - On the Palo Alto page if I click on any link(for example 'Sign in', then it takes to login page. However on the browser URL appears to be https://signin.palolaltonetworks.com not https://192.168.29.245/https/signin.paloaltonetworks.com .

 

Former URL is not going via firewall rather it goes directly from user machine to the webpage, how can I ensure any link on the page is prefixed by VPN portal "https://192.168.29.245"?

 

Support isnt able to solve the problem from past 1 week. I am using stable PAN-OS 11.1.3 and Clientless app version 98-260(latest).

 

Thanks.

 

L6 Presenter

Support seems right to me as if traffic does not go through the firewall then it can't resolved from the firewall side as it seems that your web app design and DNS is the one that needs some reconfiguration. Nowadays DNS servers can return different IP addresses for DNS requests based on the source IP address/network of the client, so your DNS can return the firewalls IP address (you may need to change the SSL cert in that case on FW to have the CN as the fqdn) or you can direct traffic to the firewall and use static entries option.

 

How to Configure DNS Proxy on a Palo Alto Networks Firewall - Knowledge Base - Palo Alto Networks

L6 Presenter

Maybe also as the User authentication is in SAML or Oauth it can't be rewritten as it is not css, html or javascript, which seems normal to me. 

 

If the auth is SAML/OAUTH SSO you can configure the NGFW to be IsP SAML (if the app is SAML IsP then the the same thing should be done from the firewall) for example as when the user has the SAML assertion then it shouldn't be an issue to log into the backend and there to be no authentication need on the backend.

 

If this does not work may need to disable the authentication for when the source ip is the firewall as the NGFW can still forward the username to the app in a header https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-n...  and the NGFW will do authentication for the user https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp... 

  • 2431 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!