Question asked by ChauLe-8759
Gpupdate fail through AppGate Proxy VPN

Hello

We have a VPN called AppGate. Clients using this VPN, when trying to run gpupdate, find it does not work: nothing happens, no error message. On the regular Cisco AnyConnect VPN, GPUpdate works just fine. Found out from the network team that this AppGate is like a proxy, so it does not hand out new IPs to the client; it proxies the client request, so the DC would not see the client IP, it sees the AppGate IP.

I believe this is why GPUpdate is not working. The DC needs to know the client IP for Kerberos to work, and I would assume the same requirements here. Can someone please confirm or negate my suspicions?

Thanks
C

Tags: windows-active-directory, windows-group-policy

Thameur-BOURBITA answered:

Hi,

  • DC needs to know the client IP for Kerberos to work, and I would assume the same requirements here. Can someone please confirm or negate my suspicions?

I confirm that the DC needs to know the client IP to identify its subnet and the closest domain controller for authentication and GPO.
The network flow should be opened between the client and the domain controller to apply GPOs.

Please don't forget to mark helpful reply as answer


Hi Thameur! Thanks for the response. Do you have any documentation on this? I have some hard-headed peers that don't believe it.

I can give documentation on how Kerberos works; I know for sure the DC needs to know the client IP and DNS for Kerberos to properly work. But how about for GPUpdate?

Is there some sort of flow diagram of the GPupdate process? Like:

Client -> requests GP update from DC...
DC -> checks the client's IP or network
DC -> responds with GP...

Something like that in detail? (That's just an example.)

Thameur-BOURBITA answered:

Hi,
You can refer to the following link to understand the DC locator process used by client machines to identify the closest domain controller:
How-domain-controllers-are-located-in-windows.aspx


Please don't forget to mark helpful reply as answer


Thanks for that documentation.

But how does the DC locator process impact GPUpdate via VPN?

If you're on the network and the network is not defined, the client just finds some other DC not in its own site, but everything still works.

How does this apply to gpupdate?

Thameur-BOURBITA commented:

  • If you're on the network and the network is not defined, the client just finds some other DC not in its own site, but everything still works.

In this case, you should check whether the required ports are open between the client (coming from the VPN via the proxy) and all the other domain controllers.
You can use the PortQryUI tool to check network flow between the client and the domain controllers.

config-firewall-for-ad-domains-and-trusts
PortQryUI - User Interface for the PortQry Command Line Port Scanner
Please don't forget to mark helpful reply as answer

ChauLe-8759 replied to Thameur-BOURBITA:
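A client-side diagnostic along the lines of the port check Thameur recommends, as an added example (not from this thread, and not PortQryUI itself): it tests the standard AD ports from the client to every DC in the domain, shows which DC and site the DC locator hands this client, and pulls the most recent Group Policy operational events so a silent gpupdate failure has something to look at. The port list is assumed from the firewall article linked above; `Test-NetConnection` tests TCP only, so the UDP side of DNS, Kerberos and LDAP ping is not covered (PortQry does cover UDP). The `SourceIP` column is the address the client thinks it sends from; the address the DC actually sees is the "Client Address" field in its Security log events 4768/4769, and a mismatch between the two is the proxy/NAT the network team described.

```powershell
# Added example: check AD ports from a VPN client to every DC, and show
# what the DC locator and Group Policy engine report. Run on the client.
# Port list is an assumption taken from the "config firewall for AD domains
# and trusts" guidance; adjust to your environment.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL policy files)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

# Enumerate DCs through .NET so the RSAT ActiveDirectory module is not needed.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$fqdn   = $domain.Name
$dcs    = $domain.DomainControllers | Select-Object -ExpandProperty Name

$results = foreach ($dc in $dcs) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC       = $dc
            Port     = $p
            Service  = $ports[$p]
            Open     = $t.TcpTestSucceeded
            SourceIP = $t.SourceAddress.IPAddress   # client-side view only
        }
    }
}
$results | Format-Table -AutoSize

# Which DC and site does the locator return for this client? If the client is
# proxied, the DC maps the proxy's address to a subnet/site, not the client's.
nltest "/dsgetdc:$fqdn"
nltest /dsgetsite

# gpupdate reads policy files from SYSVOL over SMB (445); confirm it is reachable.
Test-Path "\\$fqdn\SYSVOL\$fqdn\Policies"

# A gpupdate that "does nothing" usually still logs here; look at the last events.
gpupdate /force
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Compare the `Open` column per DC with the locator's chosen DC: a DC that the locator selects but that fails on 445 or 389 explains a silent gpupdate better than Kerberos alone, since policy processing needs LDAP for the GPO list and SMB for the policy files.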

Yes, I know PortQry, I use it a lot. But that only checks communication from client to server, right? It doesn't check from server to client?

ChauLe-8759 replied to Thameur-BOURBITA:

But in this case the client is behind the proxy server; the only IP the DC knows is the proxy server's IP.
