Applications with independent certificate stores and environmental variables

Hello, I am trying to get some applications to work that do not use the MS cert store and env settings. Some of the applications that fit into this are Python, Docker, Firefox, Azure CLI, CYGWIN, and many more. The main one I am working on now is the Azure CLI. I have followed the suggestion here (Use Azure CLI effectively | Microsoft Docs) to configure it to use the proxy but cannot figure out how to make this work with a PAC file. I want to try and use the HTTP_PROXY settings, and also try to set the netsh winhttp set proxy : setting. The problem is again how do I tell it to use a PAC file? I know this is not Windows support, but I am hoping someone else has been able to get the azcli working from behind Zscaler with a PAC file.

Hello Scott,

For most of the 3rd party apps please start here:

Regarding Azure CLI:
What traffic forwarding method do you use? With ZCC aka Z-App we have no issues with Azure CLI. Using “https_proxy” (https because AzureCLI uses SSL) in AzureCLI and entering any ZEN Public Service Edge will not work due to the lack of authentication (unless you combine this with other Zscaler supported traffic forwarding methods).

Did you try to disable SSL verification in PowerShell?

$Env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1

I would not recommend this as a permanent “solution” but it may help to get things sorted out.

BR
Manuel

1 Like

Yes I am using the ZCC 3.7.0.92, and we are using SSL intercept. I have also been all over the 3rd party app page. I have followed that article you provided before posting here. What I think I need to do is figure out how to set the httpproxy, and HTTP_PROXY env items. I do not know how to do that with a .pac file though. I hope someone here does know.

You cannot set a PAC file for winhttp via netsh; only a static proxy FQDN:port is allowed.

The HTTPS_PROXY syntax should be like https_proxy=http://your-proxy:your-port, e.g.
set HTTPS_PROXY=http://gateway.zscaler.net:8080 (or whichever cloud:port you normally use)

Alternatively, to make this permanent/reboot-safe, set this via Environment Variables in Windows.

In regards to SSLi this article should cover pretty much all Qs you might have:

1 Like
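
As an alternative to leaving AZURE_CLI_DISABLE_CONNECTION_VERIFICATION set, the following added example (not code from any poster in this thread) trusts the SSL-inspection root CA through REQUESTS_CA_BUNDLE, the CA-bundle variable that Azure CLI's Python HTTP stack reads, and optionally persists HTTPS_PROXY in the http://host:port format given above. The function name and all file paths are assumptions, and the root CA is assumed to be already exported as a PEM file.

```powershell
# Added example, not from the thread. Every path passed in is a placeholder.
function Set-AzCliProxyEnv {
    param(
        [Parameter(Mandatory)] [string] $RootCaPem,   # assumption: inspection root CA exported as PEM
        [Parameter(Mandatory)] [string] $BaseBundle,  # assumption: existing PEM CA bundle to extend
        [Parameter(Mandatory)] [string] $OutBundle,   # combined bundle is written here
        [string] $ProxyUrl                            # optional, e.g. http://gateway.zscaler.net:8080
    )
    $ErrorActionPreference = 'Stop'

    # HTTPS_PROXY takes a static http://host:port value; a PAC URL or a
    # mistyped host (comma instead of dot) is rejected before anything is set.
    if ($ProxyUrl -and $ProxyUrl -notmatch '^http://[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?:\d{1,5}$') {
        throw "Proxy must look like http://host:port, got '$ProxyUrl'"
    }
    foreach ($p in $RootCaPem, $BaseBundle) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
    }
    $ca = Get-Content -LiteralPath $RootCaPem -Raw
    if ($ca -notmatch '-----BEGIN CERTIFICATE-----') { throw "Not a PEM certificate: $RootCaPem" }

    # Combined bundle = the existing trusted roots plus the inspection root CA.
    $base = Get-Content -LiteralPath $BaseBundle -Raw
    Set-Content -LiteralPath $OutBundle -Encoding Ascii -NoNewline `
        -Value ($base.TrimEnd() + "`n" + $ca.Trim() + "`n")

    # Persist for the current user (reboot-safe) and apply to this session.
    $vars = @{ REQUESTS_CA_BUNDLE = (Resolve-Path -LiteralPath $OutBundle).Path }
    if ($ProxyUrl) { $vars['HTTPS_PROXY'] = $ProxyUrl }
    foreach ($name in $vars.Keys) {
        [Environment]::SetEnvironmentVariable($name, $vars[$name], 'User')
        Set-Item -Path "Env:$name" -Value $vars[$name]
    }

    # Remove the temporary bypass so certificate verification is active again.
    $bypass = 'AZURE_CLI_DISABLE_CONNECTION_VERIFICATION'
    [Environment]::SetEnvironmentVariable($bypass, $null, 'User')
    Remove-Item -Path "Env:$bypass" -ErrorAction SilentlyContinue
    $vars   # return what was set, for review
}
```

Omit -ProxyUrl when the client connector already forwards the traffic and only the certificate trust needs fixing.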