Static IP for GP VPN Client

I can’t believe I am asking this but due to some circumstances outside of my control, I’ve been asked to find a way to share a printer over the GP-VPN. I found this KB article and tried setting the preferred IP address in the registry but it rarely worked (like it would work sometimes and then stop working and assign a new IP address).

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0

So I did another search and found this article as well, but it seems like it's only for configurations using LDAP. We're using a Windows NPS server that has the Azure MFA extension installed on it, but it still ties in with using AD. I am wondering if we can still follow this guide or if there is another way to do this. It only needs to be configured for a single account on a single device.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkxCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

EDIT: The printer will be connected to a laptop via USB that will use GP client to connect to the VPN. The printer will be shared through the laptop as if the laptop was a print server. The laptop will be using an LTE connection to connect to the GP VPN.

Some cell carriers have a portable “Mi-fi” with an Ethernet connection. Could possibly get one and then set up an ipsec tunnel.

This has problems written all over it.

I don't really get what you're asking. Why can't you just route traffic to the printer? Or are you asking for the printer to be connected to GP the same way a client PC would be?

Give the printer its own /32 assignment as a standalone profile in the GP portal settings. Maybe?

That might not be a bad option. I assume the mifi will maintain a static IP?

Lol I don't want to do it, but management peeps done screwed the pooch and got us evicted from one of our branch offices because the facilities manager and the CFO didn't want to do a fixed lease. So we're forced to use an LTE connection until we get into a building and stand up a circuit. It's a shitty situation, ngl.

The printer will be connected to a laptop via USB that will use GP client to connect to the VPN. The printer will be shared through the laptop as if the laptop was a print server. The laptop will be using an LTE connection to connect to the GP VPN.

Are you referring to creating a separate authentication setting just for the shared printer in the portal configuration? I was thinking of making an LDAP profile that just targets a single user account for the GP VPN client and using the documentation in the 2nd link I posted above to configure the framed-ip-address attribute.

Your cell carrier probably has a Static IP feature you can add to the plan. Might be $0 or they might charge. I’ve used static IP with Verizon business, no extra charge.

When you followed the first guide you linked (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIMCA0)

> In this case, the pool is 50 IP addresses and are not expecting more than 50 users to connect concurrently. The last IP will always be free on the gateway and can be used by the client.

Did you pick an IP in the middle or towards the upper end of your IP pool? I think the firewall assigns addresses in numerical order; that's why other GlobalProtect clients might have gotten the IP you wanted the laptop to prefer.

Is cloud print an option?

Not sure if this will work or not but what about DNS? When the client connects to GP it should register in DNS and then you can dump print traffic to \\remote-computer-name\printer-name\

Yes, give it its own LDAP user account or group that only gets a specific /32 ip address from a /32 ip pool. Assuming you can configure a /32 pool that is.

Network → GlobalProtect Gateway → → Agent → Client Settings → Add → Config Selection Criteria → Source User → , IP Pools → <new /xx subnet defined here, client will get the first IP>. Place this above your normal client config.

Anytime that user joins GP they will have a static IP. Alternatively setup an IPSEC tunnel and point the device to that instead.

The range is a full /24 and I tried using the last usable IP.

I am going to say no, but I should maybe look that up. The problem I can see with that is that we need this printer to be accessible by another server, and this printer will be used to print checks. I am hoping the solution in the 2nd link I posted will work, but if not, it's an "oh well, we're screwed" situation. Unfortunately, it's a management decision gone wrong and, like always, it's IT's responsibility to pick up the pieces.

> then you can dump print traffic to \\remote-computer-name\printer-name\

This printer is going to be used to print checks and has to be added to a proprietary system that sends the print data. I am not sure if that will work or not.

Correct. File sharing has to be allowed via GPO and on the firewall settings, but this is all it takes, sharing tab of the printer properties, share, done. Don’t forget to put the FQDN for Kerberos compliance.

Last time I checked, max was /30 but if I am using the framed-ip-address attribute, the pool subnet size shouldn’t matter?
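The framed-ip-address idea raised in the two posts above (the LDAP/RADIUS profile that hands one user a fixed address, and the question of whether the pool size matters when that attribute is present) comes down to what the RADIUS server puts in its Access-Accept. The example below is added here and is not code from this thread, from Palo Alto Networks, or from Microsoft NPS: it builds an Access-Accept carrying RADIUS attribute 8 (Framed-IP-Address, RFC 2865), computes the Response Authenticator the NAS checks, and parses the attribute back out the way a gateway would. The shared secret, Request Authenticator and addresses are constructed test values, and the two reserved values 0xFFFFFFFF (user selects) and 0xFFFFFFFE (NAS selects from its own pool) are treated as "no static assignment", which is how RFC 2865 defines them. It does not configure NPS; it shows what a correctly configured NPS policy must emit on the wire.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8

# RFC 2865 5.8: these Framed-IP-Address values mean "no fixed address";
# the NAS (here, the GlobalProtect gateway) falls back to its own pool.
FRAMED_IP_USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")
FRAMED_IP_NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS AVP: Type(1) Length(1, includes header) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(payload: bytes) -> list:
    """Walk the attribute section, rejecting truncated or zero-length AVPs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[i:i + 2])
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, user: str, framed_ip: str) -> bytes:
    """Build the Access-Accept a RADIUS server (e.g. NPS) would return.

    The Framed-IP-Address is what makes the client's tunnel address static.
    """
    attrs = encode_attr(ATTR_USER_NAME, user.encode())
    attrs += encode_attr(ATTR_FRAMED_IP_ADDRESS,
                         ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def extract_framed_ip(packet: bytes, request_authenticator: bytes, secret: bytes):
    """Validate the Response Authenticator, then return the static IP as a str.

    Returns None when the server accepted the user but left address selection
    to the NAS (no attribute, or one of the two reserved values). Raises on a
    forged or truncated packet so a spoofed Access-Accept is never honoured.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered)")
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in decode_attrs(attrs_raw):
        if attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            addr = ipaddress.IPv4Address(value)
            if addr in (FRAMED_IP_USER_SELECTS, FRAMED_IP_NAS_SELECTS):
                return None
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed values for a stand-alone run; not from any real deployment.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    pkt = build_access_accept(7, req_auth, secret, "printer-laptop", "10.20.30.254")
    print("static tunnel IP from Access-Accept:", extract_framed_ip(pkt, req_auth, secret))
```

Practical reading of the result: the pool size on the gateway is irrelevant to which address this attribute names, but the address still has to be one the gateway is willing to hand out for that client config, and a packet with a wrong shared secret or an altered attribute is rejected before the IP is ever read.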

IPsec tunnel sounds like the better solution. No need to worry about gp clients, etc. And since it’s ‘infrastructure’, it makes sense