
GlobalProtect | External Gateway | SAML | Reconnect Issue

Hello,
I am implementing GlobalProtect as our main VPN solution and have got it working so far.

When I stress-test the GlobalProtect client (imitating a stressed, busy user who clicks on "reconnect / erneut verbinden" in a short time frame) I get a "no access to site / kein zugriff auf seite" error in the integrated browser.
I have to close the "kein zugriff auf seite" window because GlobalProtect waits for the window to be closed to continue working.


If I now close the "kein zugriff auf seite" window 


When I press "connect / verbinden" the window with "kein zugriff auf seite" appears with a 50:50 chance. But mostly the connection works then...

If I press "disconnect / trennen" and then "connect / verbinden" instead of "reconnect / erneut verbinden", the same page with "kein zugriff auf seite" opens sometimes, but not as often as when I try a reconnect...

--> the connection itself can be established if I retry closing the windows and pressing connect once or twice, that's not the big deal...
--> the big problem is that GlobalProtect stops working until the window "kein zugriff auf seite" is closed...
It would be perfect to display a custom error message: "please close this window and try to reconnect again", because with the "kein zugriff auf seite" error page we will get a huge and never-ending load of tickets and support calls, I guess.





PS: I already changed the setting in the gateway "app ribbon" to the "default browser" and tested it -> the auth site opens at least, but sometimes (in case the browser is in the background) the user does not even see the auth page.

Side notes:
1. For successfully connected users the whole Microsoft IP ranges are split-tunneled (I can confirm this when I inspect the routes on the Windows clients).
2. In case the integrated browser of GlobalProtect runs over our infrastructure, I created some policies to the FQDN login.microsoftonline.com (with no IDS, URL filtering etc.) and application / service any -> the result stays the same ("no access to site / kein zugriff auf seite") when the integrated browser appears.
3. I stopped the PanGPS service on a test client and deleted the folder (C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect) -> the error appears again if I reconnect shortly after connecting.
4. I tested with different GlobalProtect clients (5.x, 6.2.0, but mostly I am testing with 6.2.2) -> same effects.

Any other ideas how I can optimize the user experience?


And: is there a way to edit the design of GlobalProtect with company branding, or the response page for the GlobalProtect SAML auth? (see the last screenshot)

Thank you very much

