I am currently trialing SD-WAN, which will allow branch sites to use their local Internet bandwidth to connect to Zscaler as the default route. I have resilient IPsec tunnels configured to London and Amsterdam, which are connected.
I have a laptop-heavy estate running Windows 10 with Zapp 1.4.0 to enable protection off-network, on VPN (PAN Global Protect) and on-network. Zapp is configured for tunnel with local proxy mode for each network profile, as was best practice. Zapp is on on-network because it is a no-default-route environment, so clients are routed to specific Zscaler ZEN ranges and NAT’d behind the DC firewall. ADFS is used for authentication.
When I connect my laptop to the SD-WAN site, Zapp prompts that a captive portal has been detected and disables the app. When I try to access the Internet I can only get to certain URLs, and my traffic appears in the logs as the site IP range, not the user. I was hoping that by leaving Zapp on on a trusted network it would authenticate the user traffic transparently and effectively allow me to do a tunnel-within-a-tunnel. Any ideas why I am getting the captive portal issue?
- Tried turning off authentication at the SD-WAN site; it made no difference.
- Turning Zapp off on-network is not an option as it will break existing users.
- Adding users to a group is not scalable, as the users will float between non-SD-WAN and SD-WAN sites.
- Tried upgrading my Zapp client to 1.4.2 to see if it was a bug, no change.
- I can’t think of any logic for a forwarding statement, as there is no local DNS, so the DNS server, DNS domain and host/IP resolution will be the same at any site.
Any ideas on how to resolve this or a better way to achieve this with the constraints?
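Added example (mine, not from the original post, and not Zscaler's detection code): a generic captive-portal probe classifier of the kind connectivity-check clients run. Windows NCSI and many VPN/ZTNA agents issue a plain HTTP GET to a fixed URL and compare the reply with a known body; a redirect, an auth challenge, or a substituted page is reported as a captive portal and the agent stands down. The probe URL and expected body below are the published Windows NCSI values; using them as a stand-in for whatever Zapp actually probes is an assumption, and the sample responses are constructed to show each branch the check can take.

```python
"""Generic captive-portal / interception probe classifier.

Added illustration, not Zscaler's or the poster's code. The probe URL and
expected body are the Windows NCSI values; that an agent probes something
equivalent is an assumption. All responses below are constructed offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"  # assumption: NCSI-style probe
EXPECTED_BODY = "Microsoft Connect Test"

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class ProbeResponse:
    """Minimal view of an HTTP reply to the probe (constructed for the example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _header(resp: ProbeResponse, name: str) -> str:
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower(), "")


def classify(resp: ProbeResponse, expected_body: str = EXPECTED_BODY) -> str:
    """Return one of: ok, captive_portal, auth_required, blocked."""
    if resp.status in REDIRECTS:
        # Any redirect means the probe did not reach the real host unmodified:
        # a portal login bounce, or an in-path device rewriting the request.
        return "captive_portal"
    if resp.status in (401, 407):
        # An upstream proxy or firewall wants credentials before allowing egress.
        return "auth_required"
    if resp.status == 200:
        # A 200 with the wrong body is a substituted page (block/notification
        # page, splash page) and is treated exactly like a portal.
        return "ok" if resp.body.strip() == expected_body else "captive_portal"
    return "blocked"


def portal_host(resp: ProbeResponse, probe_url: str = PROBE_URL):
    """Host the probe was bounced to, or None when there is no cross-host redirect."""
    host = urlsplit(_header(resp, "Location")).hostname
    return host if host and host != urlsplit(probe_url).hostname else None


# Constructed sample replies, one per path the check can take.
SAMPLES = {
    # Clean egress: exact expected body.
    "direct_internet": ProbeResponse(200, {"Content-Type": "text/plain"},
                                     "Microsoft Connect Test"),
    # Hotel Wi-Fi: bounced to a login page on another host.
    "hotel_wifi": ProbeResponse(302, {"Location": "https://login.example-hotspot.net/"
                                      "?continue=http%3A%2F%2Fwww.msftconnecttest.com%2Fconnecttest.txt"}),
    # Site egress that demands credentials before forwarding.
    "site_proxy_auth": ProbeResponse(407, {"Proxy-Authenticate": "Negotiate"}),
    # Upstream policy swaps the text file for an HTML block/notification page.
    "block_page": ProbeResponse(200, {"Content-Type": "text/html"},
                                "<html><body>Access denied by policy</body></html>"),
    # Probe host unreachable through the tunnel.
    "no_route": ProbeResponse(503),
}


def diagnose(samples=None) -> dict:
    """Classify every sample; a real tool would feed in captured replies instead."""
    samples = SAMPLES if samples is None else samples
    return {name: classify(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdict in diagnose().items():
        bounced = portal_host(SAMPLES[name])
        print(f"{name:16} -> {verdict}" + (f" (bounced to {bounced})" if bounced else ""))
```

The practical use of this is to find out which branch the SD-WAN site is hitting: with Zapp disabled on the laptop at that site, fetch the probe URL directly (for example `curl -v http://www.msftconnecttest.com/connecttest.txt`) and compare the raw reply against the cases above. A 407/401 from the site egress, a redirect, or a 200 carrying a notification or block page instead of the plain text are all read by a connectivity checker as "portal present", which matches the symptom of the client standing down while only some URLs still work.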