Hi @nnaik  Your articles are great! They will be very useful for our split tunnels.   I was also able to modify the PS a little and pull the ExpressRoute addresses too. That is something that I have needed to be able to do in the past, but was not able to find. (edit: I was wrong, I was not getting the ExpressRoute addresses, I will have to keep working on that.)   That only leaves my issue with MS Network Location Awareness.    Again, thank you very much!   ... View more

@jdelio Thanks for your response.   Unfortunately, we have "Premium Partner Support" and I cannot convince them that this needs to be pushed up to PAN Support. They are convinced this is a Microsoft issue. So we opened a case with Microsoft and they are sure it is not their problem. We are stuck between two stubborn support teams at this point. We will get there, just slower than we wanted.   ... View more

@jdelio  I appreciate what you guys are doing here, just took me a while to find it. One issue that we are running into is that once we get connected with GP, our O365 apps like Outlook, will say there is no network connection if you try to use it right away. If you take your time to start Outlook there is no problem. So we tracked it down to MS NLA not checking the internet connection fast enough. What can we do to resolve this issue? Thanks again for your team in this challenging time. ... View more

Thank you. I found out today the entry needed to be a PTR record. As soon as I changed the entry to one with a PTR record it started working.   ... View more

I am still having a problem with pre-logon in the mornings, but it is connecting after a logout or reboot. One of the things that you may need to look at is the authentication for your pre-logon. If you have the client certificate as required, that may be part of the problem ( I am speculating). I have that set to none and pre-logon works for me after a logout and reboot, just not after a night with the computer off, booting in the morning.   Also, I am sure you have them right, but I messed that up the first time setting it up. Do you have the pre-logon agent config as the first config?   I am still chasing my demon related to the initial boot of the day, and hope that someone else responds to the thread and has the magic answer, but I wanted to try and help since we are chasing similar issues.   Bruce.   ... View more

Thank you for the replies, I appreciate the help. I have decided to back out the internal gateway changes I made and go with no internal gateway for further testing. Unfortunately, I am not going to get to test this with an internal user until next week. Based on the comments, it looks like I was headed the right direction.  Testing config: no internal gateway, block access to external gateway, internal host detection enabled. Thanks again to everyone that replied!   ... View more

@vsys_remo That is how I understood what I had read, that I did not have to define an internal gateway as long as the DNS lookup was working. But some working in your response has me questioning it a little. I am confident that I put in the FQDN and IP address correctly, but you mentioned "It tries to resolve the specified IP and if the specified name is coming back from the DNS". if I lookup the address by FQDN I get the IP address, but if I try to look up the IP address, I do not get the FQDN. The direction of that lookup seems odd, but would explain why it is not seeing it as internal.   @SteveCantwell I have setup an internal gateway for testing, but it just does not seem like it is necessary, based on Remo's response and the configurations I have looked at. The internal gateway that I setup is pretty basic and will not create a tunnel, so I think it addresses what I need, but will have to wait for my internal test user to become available for testing again.   Thank you both for the responses. This one has just got me twisted a bit. I think I am following the steps, and even talking through them with my PAN contact, but things are just not flowing as expected.     ... View more