GlobalProtect Error 'The server certificate is invalid. Please contact your IT administrator.' error on GlobalProtect when client connections are being proxied.

Created On 01/11/21 15:35 PM - Last Modified 09/28/23 23:26 PM


Symptom

  • Client systems are able to connect to the GlobalProtect Portal and Gateway successfully when no proxying mechanism is involved.
  • Whenever a certain proxying mechanism is enabled, client systems are not able to connect to the GlobalProtect Gateway, and the GlobalProtect App shows the following error message:
    [Screenshot: GlobalProtect App error "The server certificate is invalid. Please contact your IT administrator."]
  • The GlobalProtect Portal address is reachable using a web browser:
    [Screenshot: GlobalProtect Portal address opened in a web browser]
  • The correct GlobalProtect certificates are installed on the client systems.
  • The Issuer/Root CA certificate that signs the GlobalProtect server certificate in the SSL/TLS service profile is trusted by the client systems. This can be verified by clicking the "lock" icon beside the GlobalProtect Portal URL in the web browser:
    [Screenshot: browser certificate details for the GlobalProtect Portal]

 
     


Environment

  • Palo Alto Firewall
  • PAN-OS 8.1 and above
  • GlobalProtect VPN Infrastructure
  • A client-side proxying mechanism in place for GlobalProtect and/or other network connections


Cause

  • It has been observed that some proxy services use their own certificates, or change the certificates on the fly in certain circumstances, to establish the TLS channel (e.g. policy-based proxy services may perform decryption on the traffic).
  • The GlobalProtect application is not aware of these substituted certificates and is not able to verify them.
  • As a result, GlobalProtect users are not able to connect to the VPN, even though the correct GlobalProtect server certificates are already trusted by the client systems.

     


Resolution

  1. Under GUI: Network > GlobalProtect > Portal > Agent > External, if an FQDN is used to refer to the GlobalProtect Gateway, try using the IP address instead:
     [Screenshot: External Gateway configuration with the gateway address field]
  2. If possible, disable the proxy service when connecting to the GlobalProtect VPN.
  3. If using the proxy service is absolutely mandatory, seek help from the proxy service vendor to understand whether:
     1. The SSL connections can be transparently proxied using the original certificate presented by GlobalProtect (e.g. SSL passthrough or a similar mechanism may be offered).
     2. The proxy service can be bypassed for the GlobalProtect application.
     3. The GlobalProtect server certificate can be used to establish the proxy SSL connection.
     4. Any other alternative exists that retains the SSL certificate presented by GlobalProtect to the clients.


Additional Information

To confirm that this issue is caused by the modification of the server certificate by the proxy service, the GlobalProtect log file (PanGPS) can be searched for messages similar to the following:

...... try to connect to proxy, nProxyIP=964fa79d, proxyPort=8081, proto=6
...... connect to proxy now
...... s=908, destName=1.2.3.4, nPort=443, nProxyIP=964fa79d, nProxyPort=8081, proxyuser=, proxypass=
...... Proxy connection established
...... Unable to verify server cert. Result is unable to get local issuer certificate
...
...... Failed to verify server certificate of gateway example.com.
...... Show Gateway GP-External-Gateway: The server certificate is invalid. Please contact your IT administrator.
...... Failed to retrieve info for gateway example.com.
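As an added example that is not part of this article, the following Python script automates the log check described above: it scans PanGPS lines for a proxy connection followed by a certificate verification failure and reports the proxy endpoint, the verification error and the affected gateway. The sample input is a constructed copy of the excerpt above; it assumes the PanGPS timestamp/level prefix has been replaced by "......" as in the excerpt, and the nProxyIP value is kept as the raw hex string the log prints.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the log excerpt in this article.
SAMPLE_LOG = """\
...... try to connect to proxy, nProxyIP=964fa79d, proxyPort=8081, proto=6
...... connect to proxy now
...... s=908, destName=1.2.3.4, nPort=443, nProxyIP=964fa79d, nProxyPort=8081, proxyuser=, proxypass=
...... Proxy connection established
...... Unable to verify server cert. Result is unable to get local issuer certificate
...... Failed to verify server certificate of gateway example.com.
...... Show Gateway GP-External-Gateway: The server certificate is invalid. Please contact your IT administrator.
...... Failed to retrieve info for gateway example.com.
"""

# Patterns matched against the message text; field names are those seen in the excerpt.
PROXY_RE = re.compile(r"nProxyIP=(?P<ip>[0-9a-fA-F]{8}).*?n?[pP]roxyPort=(?P<port>\d+)")
VERIFY_RE = re.compile(r"Unable to verify server cert\. Result is (?P<reason>.+?)\s*$")
GATEWAY_RE = re.compile(r"Failed to verify server certificate of gateway (?P<gw>\S+?)\.?$")


@dataclass
class Finding:
    proxied: bool = False          # a "Proxy connection established" line was seen
    proxy: str = ""                # raw nProxyIP hex as logged, plus port
    verify_error: str = ""         # OpenSSL-style verification result text
    gateways: list = field(default_factory=list)


def analyse_pangps(text):
    """Scan PanGPS log text and record certificate failures that occur after a proxy connection."""
    f = Finding()
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m and not f.proxy:
            f.proxy = f"{m['ip']}:{m['port']}"
        if "Proxy connection established" in line:
            f.proxied = True
        m = VERIFY_RE.search(line)
        if m and f.proxied:
            f.verify_error = m["reason"]
        m = GATEWAY_RE.search(line)
        if m and f.proxied:
            f.gateways.append(m["gw"])
    return f


def likely_proxy_cert_substitution(f):
    """True when the failure pattern from this article is present: proxied session, unknown issuer, named gateway."""
    return f.proxied and "local issuer" in f.verify_error and bool(f.gateways)
```

A verification failure without a preceding proxy connection is not flagged, so a genuinely untrusted server certificate is not mistaken for proxy interference.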
Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCF4CAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail