Global Protect on Catalina not displaying DUO Auth page

mbrancy · ‎10-04-2021

We moved federated domain name to our Netskope tenant SSL bypass instead of the client steering but when we did that it broke the Catalina Mac's getting to VPN. We are now getting a black page. Please see screen shot.

Has anyone seen this?

sshiflett · ‎10-06-2021

Good afternoon! Is this only impacting Catalina Macs? What happens if you try to go to that federated domain in the browser rather than the Global Protect client? Do you happen to have the Netskope client logs or a packet capture?

Sam Shiflett
Netskope Solution Architect - North America

mbrancy · ‎10-07-2021

Good morning! Thanks so much for answering. Yes, this is only affecting Catalina. If I go to the federated domain in a browser I get a 403 - forbidden. I have attached the client logs and a packet capture.

mbrancy · ‎10-07-2021

mkoyfman · ‎10-06-2021

So the issue is specific to Duo? What was working before, what is the "federated domain" in your context, and would be good to exactly understand the changes you made. You don't have to give the real domain, feel free to obfuscate, but knowing what worked and what you did to break it would be helpful.

At the same time, would be good to verify that our Best Practices for co-existence were followed: https://support.netskope.com/hc/en-us/articles/360023155053-Best-Practice-for-coexistence-of-Netskop...

mbrancy · ‎10-07-2021

No the issue is specific to Catalina. I had our federated domain in the client steering exception to bypass. I need to move that to the tenant level because I need to whitelist the Netskope IP's at our SasS vendors. When I did that Catalina users were not able to get to Global Protect (VPN). They just get a black Global Protect screen. I'm aware of the best practices and will be implementing split tunneling but really don't think that is my issue here. Windows and Mojave (Mac) were fine with my change.