How to Set System Proxy on W10 with Tunnel with Local Proxy

Hello Experts,

I’m struggling to see a clear difference in the Zscaler admin GUI between pushing User and System proxy settings to user machines (W10). Can you please help me find the details? I could use local scripts or GPO, but using Zscaler Client Connector seems like the more elegant option.

This question is part of Cisco AnyConnect / Zscaler ZIA coexistence setup. Forwarding profile is configured as following:

  1. On VPN - Tunnel with Local Proxy (e.g. PAC on 127.0.0.1:9000 for tunneled traffic)
  2. Off-VPN - Tunnel v2 (e.g. PAC on 127.0.0.1:9000 for handling exclusion situations)

However, I found that some applications are struggling because system accounts are unable to get proxy details when #1 (on-VPN) is active. What is the option to set the system proxy with Zapp? Something like configuring the system proxy (netsh winhttp) to 127.0.0.1:9000, with or without a PAC.

Regards,
Serg

Hi Serg,
When you choose Tunnel with Local Proxy mode under the forwarding profile, Zscaler Client Connector sets proxy settings on user devices so that all proxy-aware traffic is tunneled to Zscaler. The app does this by automatically installing a PAC file on the system to force all HTTP/HTTPS traffic to go to the local host.
Under the Configure System Proxy Settings drop-down menu, define the proxy settings for your users’ systems. In Tunnel with Local Proxy mode, Zscaler recommends that you enable the Disable Loopback Restriction, Override WPAD, and Restart WinHTTP Service options to ensure the app can properly set proxy settings on Windows devices.
It looks like these apps are not proxy-aware, and you might need to explicitly configure the proxy for them (if they have proxy settings). In tunnel mode (1.0 and 2.0), ZCC will capture 80/443 regardless of whether apps are proxy-aware or not.


The application in question is Microsoft Defender for Endpoint (aka MDATP). It runs as SYSTEM. Do you know if ZCC HTTP/HTTPS capture works for non-user-space applications? The problem is in tunnel mode 1.0 with Cisco AnyConnect running. We did testing, and setting the system proxy settings (e.g. netsh winhttp) to 127.0.0.1:9000 instantly resolves the issue. Once applied, MDATP is instantly able to connect and send/receive telemetry.
However, I read that 127.0.0.1:9000 is only available once the user has logged in to the PC and ZCC/Zapp is running. Therefore I am planning to use a hosted PAC pointing to ZEN nodes. This will hopefully make MDATP always connected to Security Center.

References:

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. The embedded Microsoft Defender for Endpoint sensor runs in the system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender for Endpoint cloud service.

Due to the environment where network protection runs, Microsoft is unable to see your operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve connectivity issues with network protection, configure one of the following registry keys so that network protection becomes aware of the proxy configuration:
reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "" /f
—OR—
reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "" /f
(the quoted /d value is left blank here; it takes the proxy host:port for ProxyServer, or the PAC URL for ProxyPacUrl)

If you are planning to use a PAC file, the authentication will be a cookie-based AUTH. If the application does not support cookies, the connection will fail. You can bypass authentication for users on trusted networks, but not for road warriors.

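The following script does what Serg describes testing (pointing WinHTTP at the ZCC local proxy) and sets the two Defender registry values from the quoted Microsoft documentation, with a check for the failure mode raised in the thread. It is an added example and is not code from anyone in this discussion, from Zscaler, or from Microsoft. It assumes the local proxy address 127.0.0.1:9000 from the posts; the $PacUrl parameter is a placeholder for the hosted PAC Serg mentions (no URL is given on the page), and the bypass list of <local> is the script's own choice.

```powershell
# Added example for this thread; not Zscaler's or Microsoft's own tooling.
# Assumptions: the ZCC local proxy listens on 127.0.0.1:9000 (from the posts);
# $PacUrl is a placeholder for a hosted PAC (the thread names none).
# The two registry values (ProxyServer / ProxyPacUrl) are the ones the quoted
# Microsoft Defender documentation describes.
# Run from an elevated PowerShell: the WinHTTP proxy and HKLM are machine-wide.
[CmdletBinding()]
param(
    [string]$ProxyServer = "127.0.0.1:9000",
    [string]$PacUrl      = "",   # set to a hosted PAC URL to use ProxyPacUrl instead of ProxyServer
    [switch]$Reset               # undo: clear the WinHTTP proxy and remove the Defender values
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated prompt."
}

$defenderKey = "HKLM:\SOFTWARE\Microsoft\Windows Defender"

if ($Reset) {
    netsh winhttp reset proxy | Out-Null
    Remove-ItemProperty -Path $defenderKey -Name ProxyServer, ProxyPacUrl -ErrorAction SilentlyContinue
    Write-Host "WinHTTP proxy reset; Defender proxy values removed."
    return
}

# 1. WinHTTP is what SYSTEM services such as the MDE sensor use. netsh only accepts a
#    static host:port here; it cannot point WinHTTP at a PAC file, so the "with PAC"
#    variant for the sensor is not available through this setting.
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="<local>" | Out-Null

# 2. Network protection cannot see the OS proxy settings (per the quoted docs), so it
#    gets its own value: ProxyPacUrl when a hosted PAC is given, else static ProxyServer.
#    Only one of the two is kept so there is no ambiguity about which applies.
if ($PacUrl) {
    Set-ItemProperty -Path $defenderKey -Name ProxyPacUrl -Value $PacUrl -Type String -ErrorAction Stop
    Remove-ItemProperty -Path $defenderKey -Name ProxyServer -ErrorAction SilentlyContinue
} else {
    Set-ItemProperty -Path $defenderKey -Name ProxyServer -Value $ProxyServer -Type String -ErrorAction Stop
    Remove-ItemProperty -Path $defenderKey -Name ProxyPacUrl -ErrorAction SilentlyContinue
}

# 3. Show the result and warn about the edge case from the thread: the local proxy
#    only exists while a user is logged on and ZCC is running, so anything SYSTEM
#    sends to 127.0.0.1:9000 before logon has nowhere to go.
netsh winhttp show proxy
Get-ItemProperty -Path $defenderKey | Select-Object ProxyServer, ProxyPacUrl

$proxyHost, $proxyPort = $ProxyServer -split ':'
if ($proxyHost -in '127.0.0.1', 'localhost') {
    $listening = Get-NetTCPConnection -LocalPort ([int]$proxyPort) -State Listen -ErrorAction SilentlyContinue
    if (-not $listening) {
        Write-Warning "Nothing is listening on $ProxyServer right now; WinHTTP clients will fail until ZCC is up."
    }
}
```

Save it as a .ps1 and run it elevated; pass -PacUrl to take the hosted-PAC route for network protection, and -Reset to revert both settings. Two caveats worth keeping in mind: the forwarding profile's own Configure System Proxy Settings (including the Restart WinHTTP Service option mentioned above) can also rewrite the WinHTTP proxy, so whatever this script sets should agree with what ZCC pushes, and a hosted PAC that sends traffic straight to ZEN nodes is subject to the cookie-based authentication limitation described in the last reply.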