Integrated Windows Authentication (IWA) and Tunnel Mode

Many organisations move from an explicit proxy implementation to Zscaler and use Zscaler App to forward traffic to the Zscaler cloud. Some of them have run Zscaler App in “Proxy Enforcement” or “Tunnel with Local Proxy” mode, which mimics their existing explicit proxy configuration, whether that configuration was delivered by a PAC file or by a browser proxy setting.

When the decision is made to move to Tunnel mode with Zscaler App, whether Z-Tunnel 1.0 or Z-Tunnel 2.0, this materially changes the way the web browser authenticates to internal web sites.

In Internet Explorer Options -> Local Intranet Zone

At the default security level for this zone, Logon is set to automatic logon with the current user name and password, so the browser answers an NTLM or Kerberos challenge from any site in the zone without prompting.

Looking at the “Sites” configuration we can see that the default is “Automatically detect intranet network”, which includes any web site that bypasses the proxy server (as well as dotless, local host names not listed in another zone).

So with an explicit proxy configuration like this, where the internal hosts are listed as exceptions (the wildcard entry) that bypass the proxy, the browser automatically performs IWA (NTLM/Kerberos) and the user is transparently authenticated to the server.

When you move to Zscaler App in Tunnel mode, there is no longer a proxy configuration in the browser. Sites that Internet Explorer used to place in the “Local Intranet” zone automatically will now fall into the “Internet” zone, where the default Logon setting is “Automatic logon only in Intranet zone”. Transparent authentication therefore stops working and the user is typically prompted for credentials.

When moving from Proxy mode (Explicit/PAC/TWLP) to Tunnel mode, it is necessary to add the internal web sites to the “Local Intranet” zone explicitly, either in Internet Options on each machine or centrally through the Group Policy setting “Site to Zone Assignment List”.

This ensures that the internal web sites remain in the correct zone and allows IWA to continue to occur. Because membership of this zone releases the user’s Kerberos ticket or NTLM response without a prompt, keep the entries as narrow as the internal namespace allows (named hosts or a wildcard under the internal domain) and never add a bare “*”.
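The zone assignment described above, as an added example that is not part of the original article and not Zscaler’s own tooling. It writes the same registry entries that the Internet Options → Local intranet → Sites dialog writes (per user) or that the “Site to Zone Assignment List” Group Policy writes (per machine), refuses patterns that would match arbitrary hosts, and reads the configuration back for verification. The host names intranet.contoso.com and *.corp.contoso.com, and the function names, are assumptions for illustration.

```powershell
# Added example; not Zscaler's code. Puts internal sites into the IE "Local Intranet"
# zone (zone 1) so IWA keeps working once no proxy configuration is left in the browser.
# Host names below are assumptions.

$ZoneLocalIntranet = 1
$UserZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$PolicyZoneMap = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-IntranetAutoDetect {
    # The "Automatically detect intranet network" flags. ProxyBypass=1 is what silently
    # placed proxy-bypassed sites in the zone while an explicit proxy was configured.
    $zm = Get-ItemProperty -Path $UserZoneMap -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoDetect    = [int]$zm.AutoDetect
        ProxyBypass   = [int]$zm.ProxyBypass      # "Include all sites that bypass the proxy server"
        IntranetName  = [int]$zm.IntranetName     # "Include all local (intranet) sites not listed in other zones"
        UNCAsIntranet = [int]$zm.UNCAsIntranet    # "Include all network paths (UNCs)"
    }
}

function Add-LocalIntranetSite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$Site,                        # 'intranet.contoso.com' or '*.corp.contoso.com'
        [ValidateSet('http', 'https', '*')] [string]$Scheme = 'https',
        [switch]$MachinePolicy                                       # write the GPO form under HKLM instead
    )
    # Zone membership releases the user's Kerberos ticket / NTLM response without a prompt,
    # so refuse entries that would match hosts outside the organisation.
    if ($Site -eq '*' -or $Site -eq '*.*' -or $Site -notmatch '\.') {
        throw "Refusing to add '$Site': it would send credentials to arbitrary hosts."
    }

    if ($MachinePolicy) {
        # "Site to Zone Assignment List": value name = URL or pattern, data = zone number as a string.
        $name = if ($Scheme -eq '*') { $Site } else { "${Scheme}://$Site" }
        if ($PSCmdlet.ShouldProcess($name, "assign to zone $ZoneLocalIntranet (machine policy)")) {
            New-Item -Path $PolicyZoneMap -Force | Out-Null
            Set-ItemProperty -Path $PolicyZoneMap -Name $name -Value "$ZoneLocalIntranet" -Type String
        }
        return
    }

    # Per-user form: Domains\<last two labels>[\<remaining prefix>] holding a DWORD named after the
    # scheme. A value directly under the domain key covers the domain and all its subdomains.
    $labels  = $Site.Split('.')
    $domain  = $labels[-2..-1] -join '.'
    $prefix  = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    $keyPath = Join-Path $UserZoneMap "Domains\$domain"
    if ($prefix -and $prefix -ne '*') { $keyPath = Join-Path $keyPath $prefix }

    if ($PSCmdlet.ShouldProcess($Site, "assign to zone $ZoneLocalIntranet (current user)")) {
        New-Item -Path $keyPath -Force | Out-Null
        Set-ItemProperty -Path $keyPath -Name $Scheme -Value $ZoneLocalIntranet -Type DWord
    }
}

function Get-LocalIntranetSites {
    # Lists the per-user entries currently mapped to the Local Intranet zone.
    $domainsKey = Join-Path $UserZoneMap 'Domains'
    if (-not (Test-Path $domainsKey)) { return @() }
    Get-ChildItem -Path $domainsKey -Recurse | ForEach-Object {
        $key      = $_
        $rel      = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)   # e.g. contoso.com\intranet
        $parts    = $rel.Split('\')
        $siteName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { "*.$($parts[0])" }
        foreach ($v in $key.GetValueNames()) {
            if ($key.GetValue($v) -eq $ZoneLocalIntranet) {
                [pscustomobject]@{ Site = $siteName; Scheme = $v; Zone = $ZoneLocalIntranet }
            }
        }
    }
}

# Usage: migrate the internal sites that used to be proxy exceptions, then verify.
Get-IntranetAutoDetect
Add-LocalIntranetSite -Site 'intranet.contoso.com' -Scheme 'https'
Add-LocalIntranetSite -Site '*.corp.contoso.com'   -Scheme '*'
Get-LocalIntranetSites | Format-Table -AutoSize
```

Once the machine-policy form is in place, the Sites dialog becomes read-only for users, so the per-user entries are the right choice for a pilot and the policy form for the rollout. Run the script with -WhatIf on the Add-LocalIntranetSite calls to see the registry paths it would write before committing them.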
It’s worth noting that Safari and Chrome on Windows use the Internet Explorer zone configuration to identify which sites are intranet sites (Chrome, and Chromium-based Edge, can instead be given an explicit list through the AuthServerAllowlist policy). Firefox has its own configuration for deciding which sites NTLM/Kerberos authentication is sent to: the network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris preferences, which can be managed centrally through its Authentication enterprise policy. On macOS (OS X) the configuration for Chrome and Firefox must be set separately, and Safari reads its authentication configuration from the keychain.

This YouTube video provides an example of the configuration and shows the effect of the changes.