About HAI_LE

Just an update on my post from a while ago. It's unfortunate (but expected) that others are having the same issue. Since we did not have another VPN client to work with, my "fix" was to revert back to the previous 4.0.x firmware I was on and then sticking with that since (currently upgraded to 4.0.8).  The revert process was not hard at all (thanks the PAN support on some easy commands), but I did have to come in on a Saturday morning to do the revert to minimize network downtime. I solemnly agree that the NetConnect VPN client should NOT have been touched at all (esp. since it worked perfectly in the first place).  Users have been happy since we reverted back to NetConnect.  I suggest that NetConnect be separated from GlobalProtect once again.  GlobalProtect may have its place somewhere, but I believe that, for the majority of us, NetConnect is simple to use and more reliable as a VPN client, esp. those that use 2nd factor authentication technology. ... View more

I agree with mcsdemo.  At the moment, our users are having a bit of a headache using the Global Protect client.  With the addition of using a 2nd-factor authenication technology (PhoneFactor), we are experiencing difficulties connecting to the VPN that we did not experience when using NetConnect, the previous client. As mcsdemo stated, when the client is first installed, the first set of credentials used are saved into the client.  It would be great if the client, by default, did NOT allow saving of the credentials and only allow saving when configured on the firewall.  Even when the "user can save passwords" setting is disabled on the firewall, it is already too late, as the client saves the first set of credentials until it is time to change the password. The biggest headache of the Global Protect client at the moment is the two connect process: the portal and the gateway.  While this may be a feature of Global Protect from its inception, this was not part of NetConnect, which only required connection to the gateway.  Because of the additional portal authentication, this makes using the 2nd-factor authenication very difficult. For example, we use PhoneFactor as our 2nd-factor authentication technology (installs on our RADIUS server).  During the NetConnect days, when users want to connect to the VPN, all they would need to do was log into the gateway (posed as a Web site) with their credentials, then await a call to authenticate the VPN connection.  Unfortunately, with the Global Protect client requiring connection to a portal first, users will need to 2nd-factor authenticate this connection every single time they log into the OS (Windows XP/7).  Of course, they can opt to not authenticate and that phase will fail.  The Global Protect Client then goes into some kind of "la la" land, attempting to connect to the portal until something is done to allow it to connect.  Even worse, when users want to connect to the VPN, they still have to authenticate to the portal first.  With the Global Protect trying to connect over and over from the previous failed authentication, the user ends up having to re-enter their credentials to get the client to stop connecting (receiving a call to authenticate that connection), and then doing a manual connect again to connect to the gateway (receiving a call to authenticate once again).  This results in multiple, unnecesary 2nd-factor authenications which cause confusion and uneasiness in users (as well as the IT dept. that supports them). I wish that Palo Alto would not have integrated the NetConnect feature into the Global Protect without allowing some way to make the Global Protect client function just like the previous NetConnect client (i.e., the gateway-only connection requirement being the biggest issue, as well as manual start-up only).  While it may work really well without 2nd-authentication factor technology in place (tested it without this requirement and the connection to VPN is smooth), it does not seem to play very well with some of these technologies, which is a requirement in many company environments.  I do like the 4.1.x update, but at the moment, things are not looking good for the Global Protect client.  Worst comes to worst, we may end up having to revert back to 4.0.x to regain our beloved NetConnect client again. ... View more

Well, I took a look at the PanAgent installation and configuration guide: https://live.paloaltonetworks.com/docs/DOC-1166 Looks like it doesn't support Win7 for sure, but should have worked on a WinXP SP3 machine.  One other question: is the WinXP native language you are using the "English"?  I'm just pulling straws here, but it's possible that maybe the PanAgent doesn't like the native language of the OS.  Again, I've seen stranger things happen, but worth asking about. But yeah, might be good to try a Win Server 2k3 or 2k8 and see how that works for you.  Let us know your results. Whoops, didn't catch your edit.  Glad you got it working! ... View more

That's a strange error message indeed.  I thought that the PanAgents were supposed to be installed on a server (I currently have it installed on Win 2k3 Server), but I understand that you are using it for testing purposes, which is why you are probably doing it on Win7. Can you try and see if you can install it on a WinXP client (if available)?  I doubt it's an OS issue, but stranger things have happened.   ... View more

I'm wondering about this too.  It'll be a while until I have a chance to test this out myself (I would have to do this at a point in time where no one is using the VPN, which is difficult), so if someone from PAN support could provide feedback, that would be great. BTW, I've reported this issue back when SSL VPN was on 1.3.0 and was informed by support that it would be fixed in 1.3.1, but would like confirmation. ... View more

Thank you for your input.  Unfortunately, I was not able to successfully pull this "upgrade" off.  I suspect that users will require some degree of heightened privileges, as non-admin users were having issues, but admin users (e.g. myself) did not have any issues installing/using the VPN.  I'll submit a case to PAN support, but here's what is happening: 1) SSL VPN Client 1.3.0 is downloaded/activated on the firewall. 2) A non-admin user attempts to log into the VPN. 3) User is prompted to update the VPN software. 4) During update, user experiences a session hang and does not complete the VPN logon. 5) User attempts to log in again to the VPN, but is not able to.  User experiences the an error message indicating that the "NetConnect service is not running.  Please restart it." 6) After investigating the issue, I find that, while the "NetConnect Installer" component seems to install fine, the "NetConnect" component itself is now listed twice in the Add/Remove Programs.  This tells me that both the old and new versions of the NetConnect Installer still reside on the computer.  The result is the user not able to log into the VPN, either due to a conflict of the two versions or an incomplete uninstallation of the old version. The only way that I was able to fix this issue was to do a local manual uninstall both the NetConnect Installer and the NetConnect components and local manual reinstall of the VPN client. There definitely needs to be a better way of deploying this software to users.  FYI, Group Policy installation of the software does not work properly either. ... View more

Regarding the SSL-VPN Client 1.3.0, if I were to download and activate this on the PA firewall, will users that have the existing 1.2.0 client be subjected to downloading and installing the client upon their next VPN login?  Since users do not have admin rights to install an application, what will happen when they try to log in when the new client has been activated? Also, is there a way that the SSL-VPN client can be remotely (and silently) installed on users' computer?  This will certainly make things more convenient for both the users and the administrator if the client can be installed without interrupting the users at work.  Users are using a mix of Win7 and WinXP Pro. ... View more

In response to mgoodnow's issue, we are having the same issue as well.  We are blocking aim and aim-express.  When I check my discards, we are showing that we are discarding aim-express and showing that aim-mail is flowing through, but still cannot access mail (tells me that "An error occurred while retrieving your messages.  Try again." When I try to access the "Settings", it gets stuck in "Loading", but nothing ends up loading. The one difference is I don't see "aim-base" in my sessions like you have in your screenshot. Looks like a support case will need to be created for further troubleshooting. ... View more