Accessing AWS Workspaces

Does anyone have a solution for access to AWS Workspaces?

We have Zapp clients trying to connect over a GRE tunnel with SSL inspection enabled. AWS Workspaces seem to use IP addresses for connectivity and Zscaler blocks the traffic with a Bad Certificate error.

We don’t want to disable SSL inspection for the whole sub-location, and adding thousands of IP addresses in a “No SSL” custom category doesn’t seem practical. In fact, even though the IP address is in the “No SSL” custom category, it still appears to get inspected.

Any suggestions?

Our Zscaler SE figured this out for us. If you SSL bypass the keyword “pcoip-default-sni” it should start working.

Thanks. I will test it out.
I was nearly there.

Just confirming that this resolved my AWS Workspaces connectivity.

Latest update, based on testing … with Workspaces 3.0 on a Mac.

SSL Bypass, Required:

  • amazonaws.com, .amazonworkspaces.com, .awsapps.com, .cloudfront.net
  • Custom Keywords required: 44.234.55. , 54.244.46. , 54.244.47. , pcoip-default-sni
  • The above list only includes AWS WEST [PCoIP GW]; you need to add worldwide if you need more coverage

CloudFirewall Controls:

  • Define a Network Service “Allow connection to PCoIP - AWS workspaces”
  • Allow destination ports 4172 and 4195

The rest of the PCoIP list is here - https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html
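
Added example, not part of the original posts and not Zscaler or AWS code: one way to derive the three-octet bypass keywords for other regions from data in the layout of AWS's ip-ranges.json, so the bypass stays limited to the PCoIP gateway ranges. The function name, the sample entries and the use of the WORKSPACES_GATEWAYS service label are assumptions of this sketch.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The us-west-2
# entries are chosen to reproduce the keywords quoted in the post; the other
# two use documentation ranges. This is not a copy of the live file.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
  {"ip_prefix": "44.234.55.0/24", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS"},
  {"ip_prefix": "54.244.46.0/23", "region": "us-west-2", "service": "WORKSPACES_GATEWAYS"},
  {"ip_prefix": "198.51.100.16/28", "region": "eu-west-1", "service": "WORKSPACES_GATEWAYS"},
  {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "EC2"}
]}
""")


def bypass_keywords(ip_ranges, regions=None, service="WORKSPACES_GATEWAYS"):
    """Return (keywords, too_narrow).

    keywords:   dotted three-octet prefixes ("54.244.46.") covering every /24
                inside the selected gateway CIDRs.
    too_narrow: CIDRs smaller than a /24, where a three-octet keyword would
                exempt more addresses than the gateway range itself; these
                need a manual decision instead of a keyword.
    """
    keywords, too_narrow = set(), []
    for entry in ip_ranges.get("prefixes", []):
        if entry.get("service") != service:
            continue  # only the PCoIP gateway service, nothing else in AWS
        if regions and entry.get("region") not in regions:
            continue
        net = ipaddress.ip_network(entry["ip_prefix"])
        if net.prefixlen > 24:
            too_narrow.append(str(net))
            continue
        for block in net.subnets(new_prefix=24):
            keywords.add(str(block.network_address).rsplit(".", 1)[0] + ".")
    ordered = sorted(keywords, key=lambda k: [int(o) for o in k.split(".") if o])
    return ordered, sorted(too_narrow)


if __name__ == "__main__":
    kws, narrow = bypass_keywords(SAMPLE_IP_RANGES, regions={"us-west-2"})
    print("keywords:", ", ".join(kws))
    print("review manually:", narrow)
```

Restricting by region keeps the SSL bypass list to the gateways the clients actually use; anything reported under "review manually" is a range too small for a three-octet keyword.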