Canon Printer unable to access Internet

My Canon printers are unable to access the URLs below:

e-maintenance: https://b01.ugwdevice.net
Firmware: https://device02.c-cdsknn.net

Forwarding method: GRE tunnel

Can you please post your troubleshooting steps that you have already taken? Checking protocol compatibility etc.

Thanks!

We have added the LAN subnet in location management and disabled authentication; however, it didn't resolve the issue. We are unable to find logs in Zscaler.

Deepakpal,

Question: Are those URLs expecting you to connect with a certain source public-IP address? When traversing through a Zscaler Service Edge you will egress with a source IP of one of our service edges, which may not be a “trusted IP” for those websites.

I have tried going to the URLs listed myself and got denied access, which may provide additional evidence to the line of thinking.

Yes, these URLs should only be accessed by printers. In the printer, it is asking for proxy settings like proxy server, username and password.

Is this a known scenario?

Earlier we used the iboss proxy, and in that case we added the proxy server and credentials.
But we are not sure what needs to be done in Zscaler.

Hi,
In a GRE or IPSec scenario we also had some devices that caused issues.
What we usually did to solve this:

  • disable authentication for the “sublocation with the devices”, if applicable

  • hard-code the proxy in the device with the "no-auth port 9480", e.g. muc1.sme.zscloud.net:9480, and make sure that the firewall allows traffic with destination port 9480 to the Zscaler Data Centers / routes the traffic via the IPSec/GRE tunnel to Zscaler. Proxy authentication is not needed in that case.

  • disable SSL inspection for the accessed URLs (or the complete sublocation, if applicable)

  • check/make sure that the accessed web server does not use IP address filtering tools that prevent the access from the Zscaler Data Center IP ranges.

  • check the Zscaler web logs (and FW logs, if available) for the client IP address of the device/printer. If there is no entry, traffic does not arrive at Zscaler; check the local firewall/routing in that case.

Best regards
Andreas


Is it possible to set a policy so that only URLs in the category 'approved for auth-free access' are accessible without proxy-auth if and when the access arrives at Zscaler on port 9480, but auth would be asked for when the request arrives via port 80?

Hi,
yes, I could think of two options:

First in a special PAC like:

function FindProxyForURL(url, host) {
    if (is_authfree_accessURL(host))   // placeholder helper: true for the auth-free hosts, to be defined in the PAC
        return "PROXY muc1.sme.zscloud.net:9480";
    else
        return "PROXY muc1.sme.zscloud.net:80"; // or use dedicated proxy port
}

I would use this if the auth-free URLs are not "global". You could configure this PAC on devices with this special requirement.

The other option is to create a Custom URL Category "No-Auth-Category" and add all "auth-free" URLs there, preferably under "retain parent category". Configure this category under authentication exemptions (Administration/Advanced Settings).
This is of course a global setting valid for all traffic from “known locations”.
Port 9480 also only works on “known locations”.

Best regards
Andreas
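A complete PAC file built from the snippet in the post above, as an added example that is not part of the original post or of Zscaler's documentation. It assumes the node name muc1.sme.zscloud.net from the thread; the auth-free host list is constructed from the two Canon hosts named in the first post, and isAuthFreeHost / hostMatches are hypothetical helpers standing in for is_authfree_accessURL(). Only the listed hosts are sent to the no-auth port; everything else goes to the authenticated port.

```javascript
// Added example, not from the thread: a PAC file that routes only the listed
// auth-free hosts to the Zscaler no-auth proxy port 9480 and everything else to
// the authenticated port 80 on the same node.
// Kept to ES3-style JavaScript (var, for loops, no String.prototype.endsWith)
// because Windows PAC engines (WinHTTP/JScript) do not support newer syntax.

// Zscaler node named in the thread; replace with the node for your own cloud/region.
var ZS_NODE = "muc1.sme.zscloud.net";
var ZS_PORT_NO_AUTH = 9480;
var ZS_PORT_AUTH = 80;

// Constructed auth-free list: the two Canon hosts from the first post.
// An entry matches the host itself and any subdomain of it.
var AUTH_FREE_HOSTS = [
  "b01.ugwdevice.net",      // Canon e-maintenance
  "device02.c-cdsknn.net"   // Canon firmware
];

// True if host equals entry or is a subdomain of entry. The comparison is
// case-insensitive and anchored on a dot, so "notb01.ugwdevice.net" does not
// match "b01.ugwdevice.net" and the parent "ugwdevice.net" does not match either.
function hostMatches(host, entry) {
  host = host.toLowerCase();
  entry = entry.toLowerCase();
  if (host === entry) { return true; }
  var suffix = "." + entry;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Hypothetical helper standing in for is_authfree_accessURL() from the post.
function isAuthFreeHost(host) {
  for (var i = 0; i < AUTH_FREE_HOSTS.length; i++) {
    if (hostMatches(host, AUTH_FREE_HOSTS[i])) { return true; }
  }
  return false;
}

// Standard PAC entry point. Only allow-listed hosts reach the no-auth port;
// every other request is sent to the authenticated port.
function FindProxyForURL(url, host) {
  if (isAuthFreeHost(host)) {
    return "PROXY " + ZS_NODE + ":" + ZS_PORT_NO_AUTH;
  }
  return "PROXY " + ZS_NODE + ":" + ZS_PORT_AUTH; // or a dedicated proxy port
}
```

The PAC only governs clients that honour it: as the later posts in this thread point out, a client can still point directly at port 9480, so the firewall rules for that port and the "unauthenticated proxy port" policy remain necessary controls alongside the PAC.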

We use dedicated networks for hosting things like printers, scanners, digital signage etc.
In Zscaler we configure these as a sub-location and disable Authentication and SSL Inspection but have all the security stack enabled.

We also heavily restrict the URL Categories they can access.


Hi Andreas,

that's not what I mean; we already use an 'auth-free' category, auth-free sublocations etc.

But as long as there is no option in the policy to check for 'came in via port 9480', how do I prevent someone (using a machine in a subloc configured for proxy-auth) from succeeding with a curl http://www.disney.com --proxy gatway.zscalertwo.net:9480 ?
Or does ‘subloc set for proxy-auth needed’ take priority over the fact that the request reached ZS via ‘no proxy-auth here’ port?

Thx in advance.

tS

Hi,
I think no-auth proxy port will “win” if the user comes from a sublocation with “authentication-enabled”.

On clients, changing the proxy settings should be forbidden "as much as possible". Furthermore, edge firewalls should also be configured to avoid illegal bypasses, either completely or to special ports.

Under Advanced Settings, you can enable “Enable Policy For Unauthenticated Traffic”, with that enabled you can create policies for “unauthenticated proxy port” users.


You can create a policy that allows access via 9480 only to dedicated URLs and block for everything else.

Best regards
Andreas

And this can be a challenge :wink:

So, as I understand it, when we talk about client machines where ZCC is not installed, there is no option on the ZIA side of things to allow a sublocation to be restricted to 'only explicitly allowed to be accessed via port 9480' and block anything else (coming in via that port), correct?
I'd call that a loophole; it could only be fixed by one's own additional firewalls checking for FQDN:port combinations (thus replicating what is possible with ZCC) or other extra measures.
If one does not have a local FW but only a router establishing a GRE tunnel and no (very strict) rules around who can connect in that LAN etc… bad luck…

Where is this 'advanced settings' thing? Couldn't find it.

Hi,
Yes, I am referring to PAC via IPSec or PAC via GRE.
If ZCC is used, there is no requirement for authentication since this is done via “Z-Tunnel”.

I think I have heard something like ZCC may be used for pure-machine traffic. But I have not yet seen it in real life.

The settings can be activated under Administration/Advanced Settings.

Make sure that you read the URL policy help pages as activating the special users may cause some side effects.

I do not see why the following two policies will not work to allow certain 9480 traffic and block everything else; however, it could be tricky to maintain the allowed URLs. And you may also need to configure a Sub Location in such a rule, so it is not global.

Of course everything depends on your requirements. But I would not worry too much about users not being authenticated. If GRE / IPSec is used, you still can see the RFC1918 client IP address that identifies the machine.

Best regards
Andreas


Thanks, found the setting now… had to wash my eyeballs :innocent: