HTTP with non default port ZCC Tunnel

Hello,

I want to confirm a point about using the Tunnel Packet Filter mode. In the Zscaler documentation, in tunnel mode only ports 80 and 443 are forwarded.

I did the test, and I see in the ZCC logs and in the Zscaler portal that traffic on port 666, for example, is forwarded by ZCC and goes through Zscaler.

Could you confirm what the expected behavior is, please?

Regards

Hi,
What traffic is forwarded will depend on whether you’re using Tunnel 1 or 2. Have a look at the article here; it should help.
https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0

Hello Jamie,

We are using Tunnel 1.0 with the Tunnel Packet Filter mode.

Regards

Tunnel mode 1.0 is, as you mention, TCP ports 80 and 443 only.

But you can configure a PAC file (forwarding profile PAC) so that http(s) traffic on non-standard ports is directed to Client Connector. This is done by using the Tunnel with Local Proxy method to explicitly forward to localhost:9000.

1 Like
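As an added illustration of the forwarding-profile PAC approach described in the reply above (example code, not Zscaler's and not the poster's own), here is a PAC function that sends http(s) requests on non-standard ports to the Client Connector local proxy on localhost:9000 and leaves everything else to the default path, where the packet filter already picks up TCP 80 and 443. The `PROXY 127.0.0.1:9000` target is the localhost:9000 mentioned above; the `DIRECT` fallback and the treatment of ports 80/443 as the only standard web ports are assumptions made for this example.

```javascript
// Added example PAC logic, not from Zscaler or the original post.
// Assumption: the ZCC forwarding profile is "Tunnel with Local Proxy", so the
// local proxy listens on 127.0.0.1:9000 (the localhost:9000 named above).
var LOCAL_PROXY = "PROXY 127.0.0.1:9000";

// Extract scheme, host and port from the URL the PAC engine hands us.
// An absent port defaults to the scheme's well-known port.
function parseUrl(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/(?:[^@\/]*@)?(\[[^\]]+\]|[^:\/?#]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  var port = m[3] ? parseInt(m[3], 10)
                  : (scheme === "https" ? 443 : scheme === "http" ? 80 : null);
  return { scheme: scheme, host: m[2], port: port };
}

// Assumption for this example: only 80 (http) and 443 (https) are "standard",
// matching what Tunnel 1.0 packet filter mode intercepts.
function isStandardWebPort(scheme, port) {
  return (scheme === "http" && port === 80) || (scheme === "https" && port === 443);
}

// Standard PAC entry point. Non-standard-port web requests are steered to the
// local proxy so Client Connector tunnels them; all else goes DIRECT, where the
// packet filter still catches 80/443 without any PAC involvement.
function FindProxyForURL(url, host) {
  var u = parseUrl(url);
  if (!u) return "DIRECT";
  if ((u.scheme === "http" || u.scheme === "https") && !isStandardWebPort(u.scheme, u.port)) {
    return LOCAL_PROXY;
  }
  return "DIRECT";
}
```

When validating such a PAC, test it with an explicit non-standard port (for instance the port-666 URL from this thread) and with a plain port-80 URL, and confirm in the ZCC log that only the former shows a PAC decision pointing at the local proxy.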

Hi @ocd

Adding to what @Marco_Put-Carstens has already written, remember that anything that has to deal with a proxy is really only web traffic.

If you’d like to be able to scan through all the traffic sent by an endpoint, including all UDP and TCP traffic on non-standard ports (e.g. DNS being tunneled on a non-standard port), then you need to use Tunnel 2.0 in your ZIA setup.

Tunnel 2.0 will bring all the traffic to Zscaler, and it will then be subject to analysis.

Bear in mind that SSL inspection might fail in case of certificate pinning in specific applications, so be extra careful when implementing a full analysis of the traffic using Tunnel 2.0.

Hope this helps.

Bye, Luca

Hello @lucaberta

I am only talking about HTTP traffic on a non-default port, with ZCC in Tunnel 1.0 packet filter mode and no PAC file in the forwarding profile, only in the app profile.

How can we explain this behavior? Test for website: http://portquiz:666

2021-03-16 13:18:46.934563(+0100)[8572:6656] INF ID=191249590, HTTP Request Version: HTTP/1.1 Host:666=portquiz.net Method=GET Uri=http://portquiz.net:666/
2021-03-16 13:18:46.934563(+0100)[8572:6656] DBG ID=191249590, readFromClient: Port for http request: 666
2021-03-16 13:18:46.934563(+0100)[8572:6656] DBG ID=191249590, parseHttpRequest Url=http://portquiz.net:666/
2021-03-16 13:18:46.934563(+0100)[8572:6656] DBG ID=191249590, readFromClient: Host Address: portquiz.net:666
2021-03-16 13:18:46.935564(+0100)[8572:6108] INF TUN: Skipping sending dns packet to dns proxy it is not destined to tun dns!
2021-03-16 13:18:46.936564(+0100)[8572:160] DBG UDP Proxy: ID: 44 Got Udp connection from: 172.20.200.4:44 Datagram Length: 30 Forwarding packet to: X.X.X.X:53
2021-03-16 13:18:46.936564(+0100)[8572:7932] INF ===> ID=1750915980, TUN-Proxy: connection to 58.220.95.12 sock-fd=3056, src_port=52817, dst_port=80
2021-03-16 13:18:46.936564(+0100)[8572:7932] DBG ID=1750915980, Client socket SO_SNDBUF: 65536 SO_RCVBUF: 65536
2021-03-16 13:18:46.936564(+0100)[8572:7932] DBG ID=1750915980, Use Sme: 1 Sme IP: 165.225.76.41
2021-03-16 13:18:46.954312(+0100)[8572:6656] DBG ID=191249590, PAC Parse Host: portquiz.net uri=http://portquiz.net:666/ Proxy=PROXY 165.225.76.41:80; PROXY 165.225.204.24:80; DIRECT
2021-03-16 13:18:46.954312(+0100)[8572:6656] INF ID=191249590, PAC Parse Action: Proxy:165.225.76.41
2021-03-16 13:18:46.954312(+0100)[8572:6656] DBG ID=191249590, Server socket SO_SNDBUF: 65536 SO_RCVBUF: 65536
2021-03-16 13:18:46.959577(+0100)[8572:6656] INF ID=191249590, Tunnel to SME for host:666=portquiz.net, SME IP=165.225.76.41:443
2021-03-16 13:18:46.959577(+0100)[8572:6656] DBG ID=191249590, Cnonce is: fecc083f71acddc57cc53096d47f13ae
2021-03-16 13:18:46.959577(+0100)[8572:6656] DBG ID=191249590, SME request:
CONNECT portquiz.net:666 HTTP/1.1
Host: portquiz.net:666
User-Agent: Windows Microsoft Windows 10 Professionnel ZTunnel/1.0
Proxy-Connection: keep-alive
Connection: keep-alive
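As an added example (not from any of the thread's authors), here is a small checker over ZCC log lines of the shape shown above. It groups lines by their `ID=` value, takes the destination port from the `Uri=` of the `HTTP Request Version` line, and reports requests on non-standard web ports whose `PAC Parse Action` is a proxy decision: in packet filter mode that combination is the tell-tale that a PAC (browser or forwarding profile) is steering the request rather than the packet filter, which is exactly what the log above shows for port 666. The sample lines are copied from the post above; the field patterns are assumptions derived from those lines and may need adjusting for other ZCC versions.

```javascript
// Added example checker; sample lines are copied from the log in the post
// above (the DNS server address was already masked there).
var SAMPLE_LOG = [
  "2021-03-16 13:18:46.934563(+0100)[8572:6656] INF ID=191249590, HTTP Request Version: HTTP/1.1 Host:666=portquiz.net Method=GET Uri=http://portquiz.net:666/",
  "2021-03-16 13:18:46.954312(+0100)[8572:6656] DBG ID=191249590, PAC Parse Host: portquiz.net uri=http://portquiz.net:666/ Proxy=PROXY 165.225.76.41:80; PROXY 165.225.204.24:80; DIRECT",
  "2021-03-16 13:18:46.954312(+0100)[8572:6656] INF ID=191249590, PAC Parse Action: Proxy:165.225.76.41",
  "2021-03-16 13:18:46.959577(+0100)[8572:6656] INF ID=191249590, Tunnel to SME for host:666=portquiz.net, SME IP=165.225.76.41:443",
  "2021-03-16 13:18:46.936564(+0100)[8572:7932] INF ===> ID=1750915980, TUN-Proxy: connection to 58.220.95.12 sock-fd=3056, src_port=52817, dst_port=80"
];

// Destination port of an http(s) URI; missing port means the scheme default.
function portFromUri(uri) {
  var m = /^(https?):\/\/[^\/:?#]+(?::(\d+))?/i.exec(uri);
  if (!m) return null;
  return m[2] ? parseInt(m[2], 10) : (m[1].toLowerCase() === "https" ? 443 : 80);
}

// Fold the lines into one record per request ID:
// { id, uri, port, pacAction, sme }. Field regexes are assumptions based on
// the line formats visible in the post above.
function parseZccLog(lines) {
  var reqs = {};
  lines.forEach(function (line) {
    var idm = /ID=(\d+),/.exec(line);
    if (!idm) return;
    var id = idm[1];
    var r = reqs[id] || (reqs[id] = { id: id, uri: null, port: null, pacAction: null, sme: null });
    var um = /HTTP Request Version:.*?Uri=(\S+)/.exec(line);
    if (um) { r.uri = um[1]; r.port = portFromUri(um[1]); }
    var am = /PAC Parse Action: (\S+)/.exec(line);
    if (am) r.pacAction = am[1];
    var sm = /Tunnel to SME for host:.*SME IP=(\S+)/.exec(line);
    if (sm) r.sme = sm[1];
  });
  return reqs;
}

// Requests on a port other than 80/443 that a PAC decision sent to a proxy.
// In Tunnel 1.0 packet filter mode these should not exist unless some PAC
// is in play, so each hit points at a PAC to look for.
function findPacSteeredNonStandard(lines) {
  var reqs = parseZccLog(lines);
  return Object.keys(reqs).map(function (k) { return reqs[k]; }).filter(function (r) {
    return r.port !== null && r.port !== 80 && r.port !== 443 &&
           r.pacAction !== null && /^Proxy:/.test(r.pacAction);
  });
}

// Stand-alone run: print the suspicious requests found in the sample.
findPacSteeredNonStandard(SAMPLE_LOG).forEach(function (r) {
  console.log("ID " + r.id + ": port " + r.port + " via PAC " + r.pacAction + " -> SME " + r.sme);
});
```

Running this over the sample reports request 191249590 on port 666 as PAC-steered to 165.225.76.41, which is consistent with the thread's eventual finding that a PAC pushed to the browser, not the packet filter, was responsible.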

Hi @ocd

I was not able to reproduce this problem. I did use “curl” as the client to ensure there is no PAC file or proxy settings interaction.
Please send us complete logs to validate.

Thanks
Yogi

Agreed!
With tunnel mode LWF (version 1.0) and no exception in the forwarding PAC file for non-standard web ports, only ports 80 & 443 will be allowed.

Z-App logs will help to debug the anomaly, if one is found.

Regards,
Anchal Sood

Hello,

Thank you all for your answers. I checked the configuration and found the PAC file pushed to the browser, which explains the behavior.

Once I removed it, the traffic goes out without passing through ZCC.

Regards

1 Like