Experience Z-App & Strictenforcement

Hello,

We are currently testing deployment with strict enforcement and I would like to let you know about some caveats/issues we ran into.

Initial situation:

  • we use AzureAD as IdP and do all deployment via AzureAD/Autopilot/Intune.
  • our users have no local admin permissions
  • on all our clients there is a personal local admin account which some users can use, e.g., to install software
  • we have SSL inspection enabled
  • we configured the app & fwd profile with Tunnel 1.0 and dedicated PAC files with exemptions
  • Z-App MSI is deployed with the switches STRICTENFORCEMENT, POLICYTOKEN, CLOUDNAME, USERDOMAIN
  • latest Z-App version 3.6.1.26 (the same applies to 3.7.x.xx, but we rolled back for testing)

In general this setup works for our users as configured: the user is automatically signed in to Zscaler with his AzureAD account and all policies work as expected.

As soon as the user logs in with his personal local admin account we would expect:

  • no Internet access except to configured exemptions via PAC file bypasses
  • Z-App pops up with a login screen stating the user has to sign in due to corporate security requirements
  • Internet access possible after manual authentication with username/password/mfa.

What really happened:

  • Z-App starts, instantly showing our Microsoft IdP SSO page. After some time (30s) Z-App auth times out with a corresponding message and the Z-App screen switches back from our MS SSO page to the Z-App login screen stating “Internet Access Blocked”, only to switch back to the MS SSO page a few seconds later. This flapping goes on endlessly.
  • Logs show Z-App tries to authenticate the local user (let's call it “supervisor”) using “supervisor@company.tld”. Of course this user is not known within our IdP and therefore login fails - obviously because USERDOMAIN is set.
  • The user can still access the Internet “somehow” without login, at least some pages using SSL. Some pages work, others do not (e.g. https://www.cnn.com worked whereas https://www.spiegel.de did not). We initially assumed this had to do with IPv6 and disabled IPv6 in the fwd profile, but no success. We double-checked the PAC file exemptions and even removed all exemptions, no success either. Internet access still worked for the majority of tested sites. We did not drill down into why some sites worked and others didn't. One idea was that it could be caused by sites using QUIC or HSTS, but as I said, we did not investigate any further.

Fixes/Workarounds:

  • To disable Internet access completely for the local admin user without an authenticated Z-App we had to switch the fwd profile to Tunnel 2.0 and configure bypasses in the fwd AND app PAC files, as stated somewhere on help.zscaler.com. Calling HTTP sites now shows a hint to log in with Z-App; HTTPS sites just do not work (ERR_CONNECTION_CLOSED). I had opted for Tunnel 1.0 in the beginning as it is easier to set up and maintain and seemed sufficient for our scenario.
  • To disable the sign-in page flapping and the authentication attempts with “supervisor@company.tld” we removed the USERDOMAIN switch.

Yet unsolved issues:

  • After removal of the USERDOMAIN switch the app login screen flapping is gone, but automatically signing in a new user to Z-App via SSO & IWA does not work anymore. A new user must now manually log in to Z-App once by entering his mail address.
  • We now have to check for new issues as no policies or Intune scripts are applied (because of “no internet”) until the user manually authenticates in Z-App.

Maybe the issues mentioned here https://community.zscaler.com/t/msi-version-installed-zscaler-client-connector-accepting-bogus-email-id/14974 are also related to strict enforcement with Tunnel 1.0.

BR
Manuel
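As an added example (not the poster's PAC file and not taken from help.zscaler.com): a PAC body for the Tunnel 2.0 strict enforcement workaround described in the post, where the same bypass list has to be present in both the fwd and the app PAC file. The IdP and cloud host names, the internal ranges and the `${GATEWAY}`/`${SECONDARY_GATEWAY}` macros are assumptions; the helper shims exist only so the file can be executed outside a browser.

```javascript
// Example PAC file for a Tunnel 2.0 strict-enforcement setup (added example,
// not the poster's or Zscaler's file). The FindProxyForURL body below is meant
// to be pasted into BOTH the forwarding-profile PAC and the app-profile PAC,
// so BYPASS_DOMAINS / BYPASS_PATTERNS are the single source of truth for both.
// Host names, ranges and the ${GATEWAY} macros are placeholders/assumptions.

// Minimal shims for PAC helpers that a browser or Z-App normally provides,
// so the file runs stand-alone (e.g. under Node) for testing.
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, '') || host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob (* and ?) into an anchored regular expression.
  const re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                           .replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}
function isPlainHostName(host) { return host.indexOf('.') === -1; }

// Only what the unauthenticated Z-App itself needs to complete its login:
// the IdP and the Zscaler cloud endpoints. Everything else is sent to the
// gateway, which answers HTTP with the "log in with Z-App" hint and closes
// HTTPS connections until the user has authenticated.
const BYPASS_DOMAINS = [
  '.login.microsoftonline.com',   // placeholder: tenant IdP used by Z-App SSO
  '.zscaler.net',                 // placeholder: cloud named by the CLOUDNAME switch
];
const BYPASS_PATTERNS = ['10.*', '192.168.*']; // placeholder: internal ranges

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short intranet names and the explicit bypasses go DIRECT.
  if (isPlainHostName(host)) return 'DIRECT';
  for (const d of BYPASS_DOMAINS) if (dnsDomainIs(host, d)) return 'DIRECT';
  for (const p of BYPASS_PATTERNS) if (shExpMatch(host, p)) return 'DIRECT';
  // Everything else must go through Zscaler. Deliberately no trailing DIRECT
  // fallback: with one, a gateway outage would silently become unfiltered access.
  return 'PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80';
}
```

Keep the bypass list as short as the login flow requires; every extra domain here is reachable by the unauthenticated local admin account the post describes.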