GlobalProtect agent for iOS cannot connect to the GP gateway, with the error message "The certificate for this server is invalid".
Created On 04/04/22 03:12 AM - Last Modified 06/03/25 20:28 PM
Question
- Users cannot connect to GlobalProtect from iOS devices.
- When the attempt fails, the GlobalProtect agent displays the following log message.
The certificate for this server is invalid. You might be connecting to a server that is pretending to be "<IP_ADDRESS>" which could put your confidential information at risk.
Environment
- GlobalProtect agent for iOS devices
- SAML authentication is configured
Answer
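- This issue can be caused by a mismatch between the subject of the server certificate on the GP portal/gateway and the hostname of the URL you access (are redirected to).
- In Agent.log, a log entry similar to the following is displayed: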
Error: (GPSAMLViewController.mm:238) WebView provisional navigation error <WKNavigation: 0x*********> Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<IP_ADDRESS>” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x********>, networkTaskDescription=LocalDataTask <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx>.<17>, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, NSErrorPeerCertificateChainKey=(
"<cert(0x*********) s: vpn.example.co.jp i: 10.20.30.40>",
"<cert(0x*********) s: 10.20.30.40 i: 10.20.30.40>"
),
==snip==
- To resolve the issue, the hostname of the URL being accessed must match the subject in the server certificate.
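
A triage helper for the Agent.log entry above, added here as an example and not taken from Palo Alto Networks or the GlobalProtect agent: it extracts the host the client tried to reach and the subject of the first certificate in NSErrorPeerCertificateChainKey, then checks whether they match. Assumptions: the sample log is constructed, the function names are hypothetical, and because the log prints only a subject summary, the comparison approximates the subjectAltName check a real validator performs.

```python
import ipaddress
import re

# Constructed sample modelled on the Agent.log entry above. The quoted host is
# assumed: the page shows only the "<IP_ADDRESS>" placeholder there.
SAMPLE_LOG = (
    'Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server '
    'is invalid. You might be connecting to a server that is pretending to be '
    '\u201c10.20.30.40\u201d which could put your confidential information at risk." '
    'UserInfo={_kCFStreamErrorCodeKey=-9843, NSErrorPeerCertificateChainKey=(\n'
    '"<cert(0x0) s: vpn.example.co.jp i: 10.20.30.40>",\n'
    '"<cert(0x0) s: 10.20.30.40 i: 10.20.30.40>"\n),'
)
HOST_RE = re.compile(r'pretending to be [\u201c"]([^\u201d"]+)[\u201d"]')
CERT_RE = re.compile(r'<cert\([^)]*\) s: (\S+) i: ([^>]+)>')


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(host, cert_name):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if is_ip(host) or is_ip(cert_name):
        return host == cert_name  # IP literals must match exactly, never a wildcard
    h, c = host.split("."), cert_name.split(".")
    if c[0] == "*" and len(c) > 2:
        return len(h) == len(c) and h[1:] == c[1:]
    return h == c


def triage(log_text):
    """Return (accessed_host, leaf_subject, matches) for one log entry."""
    host = HOST_RE.search(log_text)
    certs = CERT_RE.findall(log_text)
    if not host or not certs:
        raise ValueError("log entry lacks the host or the certificate chain")
    leaf_subject = certs[0][0]  # the server certificate is listed first, as in the log above
    return host.group(1), leaf_subject, name_matches(host.group(1), leaf_subject)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `False` in the third field means the client was sent to a name the certificate does not cover, which is the condition the resolution step addresses.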