L7 Applicator

Global Protect + Captive Portals + Enforce GP for Network Access = Bad User Experience

Hi community

 

Do you maybe also use GlobalProtect with the setting "Enforce GlobalProtect for Network Access" enabled? And did this also give you a headache? Even worse, do you have HTTPS websites configured on the client computers as default websites in the browsers? And if this is not enough, does this website also use HSTS?

 

By default, a modern operating system (Windows, Android, iOS, macOS) automatically shows a notification about a captive portal or opens the browser automatically to open the captive login website. At least on Windows 10, the captive portal detection mechanism breaks as soon as GlobalProtect is installed. At least in a lot of situations in my company, this confused our users heavily, so they did not know what to do. We have the captive portal timeout set to 3600 s so the users should have enough time to log in to a captive portal. Unfortunately, the captive portal notification of GlobalProtect will be shown statically 85 seconds before this timeout is reached, so our users will never see this message. Our users started complaining that Windows no longer notifies them about what to do in such captive portal situations. In fact, they were simply stuck and could no longer connect to the network. As more and more websites use HSTS, even when they tried to open a browser manually to open a website, this did not work either: because of the captive portal there was a cert error, and the browser is not allowed to show a cert warning that you can ignore. Only an error page is shown that you cannot click away. Obviously no technical user will understand why only HTTP websites will work in that case, because only these websites can be redirected by a captive portal without any errors and warnings.

 

If all these or at least a part of these problems sound familiar to you, then please vote for Feature Request 10173. With this feature request, the behaviour of the OSes should be implemented in GlobalProtect. With this feature request, it should be possible to tell GP to automatically open the browser and open a configurable website (preferably HTTP, to have users automatically redirected to captive portal login websites). At least a little step is also Feature Request 9563, where the time when the captive portal notification will be shown will be configurable and not statically 85 seconds before reaching the captive portal timeout.

 

Many thanks if you add your votes to these feature requests.

 

Kind Regards,

Remo
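
The captive portal detection the post refers to can be sketched as a plain-HTTP probe with a known body, which is also why only HTTP pages can be redirected cleanly. This is an added example, not part of the original post and not GlobalProtect's own code; the probe URL and body are assumed to be the ones Windows NCSI uses, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: the plain-HTTP endpoint and fixed body used by Windows NCSI.
# Any HTTP URL with a known, stable body works the same way.
PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
EXPECTED_BODY = b"Microsoft Connect Test"

def classify(status, headers, body, expected=EXPECTED_BODY):
    """Return (state, login_url) for one probe response."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "captive", headers["location"]    # portal redirects to its login page
    if status == 511:                            # RFC 6585: network authentication required
        return "captive", headers.get("location")
    if status == 200 and body.strip() == expected:
        return "open", None                      # probe body arrived unmodified
    if status == 200:
        return "captive", None                   # portal served its own page in place
    return "unknown", None

def probe(url=PROBE_URL, timeout=5):
    """Send the probe over plain HTTP without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Cache-Control": "no-cache"})
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read(4096))
    except (OSError, http.client.HTTPException):
        return "offline", None                   # no link, DNS failure or traffic blocked
    finally:
        conn.close()

# Constructed sample responses (not captured from a real network).
SAMPLES = [
    ("open network", 200, {}, b"Microsoft Connect Test"),
    ("redirecting portal", 302, {"Location": "http://portal.example/login"}, b""),
    ("rewriting portal", 200, {"Content-Type": "text/html"}, b"<html>Sign in</html>"),
]

if __name__ == "__main__":
    for name, status, headers, body in SAMPLES:
        print(f"{name}: {classify(status, headers, body)}")
```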
