Hello, I'm trying for a week now to configure Global Protect and have only been partially successful. My config is PanOS 4.1.1 and GP client 1.1.2 on PA 2050 boxes, no GlobalProtect licence. I encountered 2 problems which I can't solve.

1. I have configured LDAP to get the credentials from our AD server and got this part of the authentication working. I can log in on the Global Protect page on the Palo Alto box and can also connect using the GP client (well, partially, see point 2). I now want to configure the PA to only allow users to connect which are in an AD group. I created a group in AD and placed a user in this group (not an OU). In "User Identification" I created an entry in "Group Mapping Settings", where I select the same LDAP "Server Profile" I also use in the "Authentication Profile" for Global Protect. In "Group Include List" I set the AD group I created in the AD. (Here there seems to be a bug: I can only navigate 2 branches in the LDAP tree, but I tricked it by modifying the Base DN of the LDAP profile until I could select the group and then setting the Base DN back to the original setting.) This seems to be correct because entering "show user group list" in the CLI shows the group with the LDAP path I selected to include in the group mapping. Calling "show user group list" in the CLI shows the user I added in the AD group and also shows the group short name. I am now unable to add this group in the allow list of the authentication profile. It only shows users and groups defined in the "Local User Database". If I enter the group name manually, authentication will fail. In PA-4.1_Administrators_Guide.pdf I can read to click "Edit Allow List..", but I have no such button, just Add and Delete. Adding an AD user manually to the list will only allow this user to log in, as it should; I just can't get it working with the AD group.

2. I have a lot of trouble with the Global Protect client. I installed the client on a Dell Latitude 2110 netbook with Windows 7 32-bit and sometimes can connect, but most of the time the client hangs in the status "Connecting please wait". Under the "Administrator" account the connection works every time like it should. I completely disabled the firewall and uninstalled the antivirus, but the connection is still only properly functional under Administrator. (Tried installing as Administrator, tried installing as a user which has administrator rights, same result.) Here is where it fails (IP masked):

(T864) 02/02/12 13:57:12:685 Debug(4497): CPanMSService::RetrieveGatewayInfo, cert is 00288D50
(T864) 02/02/12 13:57:12:685 Debug(4499): Pre-login...
(T864) 02/02/12 13:57:12:685 Debug( 142): active session id is 2
(T864) 02/02/12 13:57:12:685 Debug( 167): found process id 4616
(T864) 02/02/12 13:57:12:685 Debug(5060): PrepareRequest...
(T864) 02/02/12 13:57:12:685 Debug(5068): WinHttpOpenRequest...
(T864) 02/02/12 13:57:12:685 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T864) 02/02/12 13:57:43:011 Error(5083): PostRequest failed with error code 12002.
(T864) 02/02/12 13:57:43:011 Debug(4597): Failed to pre-login to the gateway ip.ip.ip.ip
(T864) 02/02/12 13:57:43:011 Error(4356): Failed to retrieve info for gateway ip.ip.ip.ip.
(T864) 02/02/12 13:57:43:011 Debug(4366): tunnel to ip.ip.ip.ip is not created.

Does the old SSL client still work? I downloaded it from the support site but cannot figure out how to install it on the PC; I guess it can only be uploaded to the Palo Alto firewall running an older PanOS which did not use GlobalProtect yet? By reading the discussion groups I can see that I'm not the only one having a hard time.
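To make the client log in point 2 easier to read, here is an added example (not from the post or from Palo Alto Networks) that parses the GlobalProtect client log format shown above, pairs the WinHttpSendRequest line with the PostRequest error that follows it, and maps the WinHTTP error code to its name; the sample log lines are the ones from the post, and the error-name table is assumed from winhttp.h.

```python
"""Parse GlobalProtect client log lines and classify the gateway pre-login failure."""
import re
from datetime import datetime

# Constructed sample: the relevant lines from the post above, gateway IP masked as in the post.
SAMPLE_LOG = """\
(T864) 02/02/12 13:57:12:685 Debug(4499): Pre-login...
(T864) 02/02/12 13:57:12:685 Debug(5068): WinHttpOpenRequest...
(T864) 02/02/12 13:57:12:685 Debug( 392): CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T864) 02/02/12 13:57:43:011 Error(5083): PostRequest failed with error code 12002.
(T864) 02/02/12 13:57:43:011 Debug(4597): Failed to pre-login to the gateway ip.ip.ip.ip
(T864) 02/02/12 13:57:43:011 Error(4356): Failed to retrieve info for gateway ip.ip.ip.ip.
(T864) 02/02/12 13:57:43:011 Debug(4366): tunnel to ip.ip.ip.ip is not created.
"""

# Line shape: "(Tthread) MM/DD/YY HH:MM:SS:mmm Level(code): message"; note "Debug( 142)" has padding.
LINE_RE = re.compile(
    r"^\((?P<thread>T\d+)\) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) "
    r"(?P<level>Debug|Error)\(\s*(?P<code>\d+)\): (?P<msg>.*)$"
)

# WinHTTP error codes from winhttp.h (assumed table; only common connection failures listed).
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
}


def parse_log(text):
    """Return one dict per parsable line; the timestamp becomes a datetime."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation lines and dumps that do not follow the line shape
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S:%f")
        rec["code"] = int(rec["code"])
        entries.append(rec)
    return entries


def diagnose_post_request(entries):
    """Find the first PostRequest error and how long the client waited after sending the request."""
    sent_at = None
    for rec in entries:
        if "WinHttpSendRequest" in rec["msg"]:
            sent_at = rec["ts"]
        m = re.search(r"PostRequest failed with error code (\d+)", rec["msg"])
        if m and rec["level"] == "Error":
            winerr = int(m.group(1))
            waited = (rec["ts"] - sent_at).total_seconds() if sent_at else None
            return {"winhttp_error": winerr,
                    "winhttp_name": WINHTTP_ERRORS.get(winerr, "unknown"),
                    "seconds_waited": waited}
    return None
```

On the post's log the request sits for about 30 seconds and then fails with 12002, which is a WinHTTP timeout rather than a refused or unresolved connection, so the HTTPS request to the gateway was sent but never answered in that session.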