Installing GlobalProtect-4.1.3 VPN client.

pleegor
New Contributor II

Hi,

I've been facing some issues installing GlobalProtect VPN client. I created a package that simply drops Global Protect in /tmp and then I added a post-install script that installs and configures VPN. This is the script:

#!/bin/sh

#variables

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
portalAddress1="vpnportal.address.com"
service='GlobalProtect'

#remove already running GP client if it is running 
if ps ax | grep -v grep | grep "${service}" &> /dev/null;
then
    sh /Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh
    echo "removed GP client"
else
    echo "Global Protect is not present"
fi

#Add GP Gateway URL in GP plist
sudo echo '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Palo Alto Networks</key><dict><key>GlobalProtect</key><dict><key>PanSetup</key><dict><key>Portal</key><string>'$portalAddress1'</string><key>Prelogon</key><integer>0</integer></dict></dict></dict></dict></plist>' >> /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

#Install downloaded version of Global Protect
sudo /usr/sbin/installer -pkg /tmp/GlobalProtect-4.1.3.pkg -target /
echo "installed latest GP version"

#change ownership of GP client 
chown -R $loggedInUser:staff /Applications/GlobalProtect.app

#running recon
sudo jamf recon

When JAMF pushes policy, client is unable to start. According to logs I am seeing that client is unable to connect to GP port.

89356-T38423 Aug 24 11:44:45:999502 Error( 76): Failed to connect to server at port:4767
P89356-T38423 Aug 24 11:44:45:999513 Error( 215): Cannot connect to service, error: 61

However, when I ran sudo jamf policy -id <id> on the client device, Global Protect starts working.

Has anyone faced similar issues?

4 REPLIES

rrs
New Contributor II

It looks like you are trying to add the portal after removing the old Global Protect and before installing the new one. Does the plist exist in that window? Would it work if you added the plist change after installing the new version? Ideally delete and rebuild the plist.

pleegor
New Contributor II

@rrs thanks for looking into this! When I look at it now, logically you are 100% correct. However, when I call policy manually through sudo jamf policy -id <id> from the device, everything works as expected.

leeskade
New Contributor III

@pleegor Did you ever find a solution to this?

Thelunes
New Contributor

@pleegor @leeskade I've finally figured it out. The launchagents are not loading during the current session due to a key in the plists.

In /Library/LaunchAgents, the plists:
com.paloaltonetworks.gp.pangps.plist
com.paloaltonetworks.gp.pangpa.plist

I omitted the 'LimitLoadToSessionType' key along with the string 'Aqua' and then I was able to load these launchagents using launchctl.
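
The check described in the last reply, as an added example that is not part of the thread or the vendor's code: it reads a LaunchAgent plist, reports any LimitLoadToSessionType restriction, and produces a copy with that key removed. The sample plist is constructed (its Label and ProgramArguments are placeholders), and the function names are hypothetical.

```python
import plistlib
from xml.parsers.expat import ExpatError

KEY = "LimitLoadToSessionType"

# Constructed sample: a minimal LaunchAgent plist carrying the key named in
# the reply. Label and ProgramArguments are placeholders, not vendor values.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.sample.agent</string>
    <key>ProgramArguments</key>
    <array><string>/path/to/placeholder</string></array>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
"""

def session_types(plist_bytes):
    """Return the session types a LaunchAgent is limited to ([] = no limit)."""
    value = plistlib.loads(plist_bytes).get(KEY)
    if value is None:
        return []
    # launchd accepts either a single string or an array of strings here.
    return [value] if isinstance(value, str) else list(value)

def without_session_limit(plist_bytes):
    """Return new plist bytes with the LimitLoadToSessionType key removed."""
    job = plistlib.loads(plist_bytes)
    job.pop(KEY, None)
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)

def audit(paths):
    """Map each plist path to its restriction list, or to an error string."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = session_types(fh.read())
        except (OSError, ExpatError, plistlib.InvalidFileException) as exc:
            report[path] = f"unreadable: {exc}"
    return report
```

Calling audit() on the two files listed under /Library/LaunchAgents shows whether the installed agents carry the restriction before anything is changed.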