Cloud app policies don't work for road warrior users

Hello Team,

I have the following scenario:

  • Forwarding method: PAC file only, no Client Connector
    Cloud app file_sharing_block_rule + SSL inspection rule
  • ACME location: traffic appears in the cloud app dashboard, access to the site is blocked, SSL cert issued by Zscaler, all works fine
  • Road Warrior users: SSL traffic does not appear in the dashboard, access to the site is not blocked, SSL cert issued by a public certification authority, the rule does not work.

Any suggestions are welcome.
Thank you

Piergiorgio

Do I understand correctly that the Road Warrior traffic is forwarded to Zscaler but the SSL policy is not working correctly? Are those Road Warriors PAC file only?

There can be multiple reasons why the SSL policy is not applied.

  1. In the new SSL policy for Road Warriors, probably the Windows and Mac operating systems are selected, but not the “No Client Connector” option. So check the box, apply, and test again.

  2. Do you know if the instance has a Dedicated Proxy Port? In that case the DPP port is assigned to a location. You can then apply an SSL policy to this location.

  3. App traffic (browser traffic) is not reaching Zscaler (like the QUIC protocol following the PAC file). This mainly occurs when you are using Google Chrome. You can find out by testing with another browser or disabling QUIC in the browser.

  4. Something else…

Hope this helps…

Hi Marco,
I enabled the “No Client Connector” option but have the same issue.
The PAC file is hosted in the Zscaler cloud and is the same for all users, Road Warriors included.
All traffic is forwarded to TCP port 9400.

Hi Marco,
I solved it by changing the following string in the proxy PAC:
return "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443; PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
instead of
return "PROXY ${GATEWAY}:9400; PROXY ${SECONDARY_GATEWAY}:9400; PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}

I think the best solution and most seamless experience will be using Client Connector.
With a PAC file only deployment, using Dedicated Proxy Port is the only option that allows you to define SSL inspection policy and authenticate Road Warriors.

Using port 9443 will force SSL inspection. This does work, but it will no longer authenticate users or allow any SSL bypasses in your policy. So if sites or applications are certificate pinned, you need to bypass them in the PAC file. Not the best option.

Check out this:
https://help.zscaler.com/zia/deployment-scenarios-ssl-inspection

Check under “HTTPS Traffic from Remote Users”

Please consider Client Connector. Otherwise check out this:
https://help.zscaler.com/zia/configuring-dedicated-proxy-ports

Hi Marco,
thank you for the detailed explanation

Hi Marco, could you please explain a bit more what you mean when you say “Using port 9443 will force SSL inspection. This does work, but it will no longer authenticate users or allow any SSL bypasses in your policy.”

What do you mean by “no longer authenticate users”?

Thank you
Amir

Using proxy port 9443 for roaming users will force SSL decryption on all traffic. There is no bypass policy. Users from an unknown location will be authenticated. But when a user comes in from a known location and connects on port 9443, authentication is bypassed.

This means you still need a way to differentiate in the PAC file logic between users on the trusted network and users off the trusted network.

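As an added illustration of the two points made above (bypassing certificate-pinned destinations in the PAC when 9443 forces inspection, and telling on-trusted from off-trusted users inside the PAC logic), here is an example PAC file. It is not from the thread or from Zscaler; the `${GATEWAY}` / `${SECONDARY_GATEWAY}` placeholders and ports 9400/9443 are taken from the posts above, while the trusted networks, the pinned host patterns and the helper names (`selectProxy`, `inCidr`, `globMatch`) are constructed for this example. The routing decision is kept in `selectProxy(host, clientIp)` so it can be exercised outside a browser; the real entry point `FindProxyForURL` just feeds it the PAC built-in `myIpAddress()`.

```javascript
// Example PAC logic (added here, not the thread author's file): roaming users go to the
// forced-inspection port 9443, on-network users to 9400, and certificate-pinned
// destinations are bypassed for roaming users because 9443 offers no SSL bypass policy.
// ${GATEWAY} / ${SECONDARY_GATEWAY} are the placeholders a Zscaler-hosted PAC substitutes.

// Constructed: internal ranges that count as "on the trusted network" (e.g. the ACME location).
var TRUSTED_NETS = ["10.0.0.0/8", "192.168.10.0/24"];

// Constructed: destinations known to pin certificates; forced inspection would break them.
var PINNED_HOSTS = ["*.pinned-app.example", "updates.pinned-vendor.example"];

var ON_NET_PROXY  = "PROXY ${GATEWAY}:9400; PROXY ${SECONDARY_GATEWAY}:9400; PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
var OFF_NET_PROXY = "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443; PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";

// Dotted-quad IPv4 to an unsigned 32-bit number; -1 for anything malformed (including host names).
function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255 || String(octet) !== parts[i]) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// CIDR membership test in plain JS so the file also runs outside a PAC engine
// (PAC's built-in isInNet() takes a dotted mask instead of a prefix length).
function inCidr(ip, cidr) {
  var sep = cidr.split("/");
  var base = ipv4ToInt(sep[0]);
  var addr = ipv4ToInt(ip);
  var bits = parseInt(sep[1], 10);
  if (base < 0 || addr < 0 || isNaN(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  // Network parts are equal when the XOR has no bits left after dropping the host bits.
  return ((addr ^ base) >>> (32 - bits)) === 0;
}

function onTrustedNetwork(clientIp) {
  for (var i = 0; i < TRUSTED_NETS.length; i++) {
    if (inCidr(clientIp, TRUSTED_NETS[i])) return true;
  }
  return false;
}

// Minimal glob where '*' matches any run of characters (same idea as PAC's shExpMatch()).
function globMatch(host, pattern) {
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i").test(host);
}

function isPinnedHost(host) {
  for (var i = 0; i < PINNED_HOSTS.length; i++) {
    if (globMatch(host, PINNED_HOSTS[i])) return true;
  }
  return false;
}

// Routing decision, separated from FindProxyForURL so it can be tested with an explicit client IP.
function selectProxy(host, clientIp) {
  // Plain (unqualified) names and RFC 1918 destinations stay local.
  if (host.indexOf(".") === -1 || inCidr(host, "10.0.0.0/8") ||
      inCidr(host, "172.16.0.0/12") || inCidr(host, "192.168.0.0/16")) {
    return "DIRECT";
  }
  if (onTrustedNetwork(clientIp)) {
    // Known location: the SSL policy is applied per location, so 9400 is sufficient.
    return ON_NET_PROXY;
  }
  // Roaming user: 9443 forces decryption with no bypass policy, so pinned
  // destinations have to be excluded here in the PAC.
  if (isPinnedHost(host)) return "DIRECT";
  return OFF_NET_PROXY;
}

// Entry point the browser's PAC engine calls; myIpAddress() is provided by that engine.
function FindProxyForURL(url, host) {
  return selectProxy(host, myIpAddress());
}
```

Note that `myIpAddress()` is only as reliable as the client's primary interface, and a roaming user on a home network that happens to overlap one of the trusted ranges would be treated as on-network and lose forced inspection; keep `TRUSTED_NETS` to ranges that are not reachable from outside the known locations, or combine the check with a DNS probe of an internal-only name.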