Hello @bigtone
Two things:
It is one thing for the client to be behind a web proxy:
In that case it is enough, at the proxy configuration level, to allow or bypass the URL and/or subdomain of GlobalProtect, for example:
https://yourpublicIPoryourpublicsubdomainortheoneyouuse/*
https://yourpublicIPoryourpublicsubdomainorwhicheveruses globalprotect/global-protect/*
https://yourpublicIPoryourpublicsubdomainortheoneyouuse globalprotect/global-protect/login.esp
Example: vpnglobalprotect.acme.com, or the public IP if you use the public IP and not a subdomain, 200.200.200.200 to give an example.
Now, if the client is not only behind the proxy but at the same time behind the Palo Alto itself:
On the Palo Alto you must configure a no-NAT rule.
That is a rule with the internal zone(s) as the source zone, pointing to the external zone (untrust, the WAN zone of the firewall) and to the public IP and/or FQDN subdomain of the firewall, without setting any type of translation, that is, no NAT. It will then allow you to connect to GlobalProtect from the internal network.
You can also check, at the GlobalProtect portal App config level, the option:
Detect Proxy for Each Connection (Windows only): Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
Best regards