Issues with Outlook when working outside corporate network with Zapp


Since few weeks now, we are struggling, that some users have problems with Outlook (mainly, but sometimes Skype4 Business or Office account is affected). Problems occurring only when users are outisde office so when Zapp is started to work. Off trusted networks we have tunnel with local proxy, since in on trusted network we have proxy enforced.For other, we have route based tunnel driver type, disable loopback restriction enabled, override wpad enabled and restartwinhttp disabled. As Zapp we are using normally In addition we have ModernAuthentication and MFA enforced. Policy for MFA is that Zscaler node ip are trusted, so when user is connecting from it, he will NOT be challanged for MFA. In Azure logs, I have noticed that for this affected users, traffic from Outlook is skipping proxy settings, so in logs it is visible that thay are login from outside IP. But for whatever reason window for MFA does not appear. Outlook or is not able to connect or displays message needs password. In Azure logs it is visible that user did not pass MFA challenge. I also notice that often or affected laptops Edge or Office has issues described here, and in Windows event logs (Applications and Services logs\Microsoft\Windows\AAD\Operational) there are hundreds of errors 1908
"Error: 0xCAA70004 The server or proxy was not found.
Exception of type ‘class HttpException’ at xmlhttpwebrequest.cpp, line: 171, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 224, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority:, client: {268761a2-03f3-40df-8a8b-c3db24145b6b}, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157 "

When Zapp is removed or disabled, all is back to normal. User has windows to enter MFA code, Outlook is able to connect to Exchange online.

I thought, that issue maybe coused by Zapp 1.5.18, what quite often is in status “Connecting”, but even I did update for App 2.1, and it is connecting normally, issue is still there.

Unfortunately issue is more and more problematic, as since lot of people are working from home nowadays, we have lot of complains. We have ticket 02328163 opened, but for now no clear solution.

Sorry for so long post, and maybe not written good enough, but if something is not clear please let me know.

1 Like

Using ZScaler last 1 week … When in Outlook … noted that keyboard keys changed specifically ["] and [@] swap … others have reported spell checker disabled … trying to understand if this is isolated case or general.

Hey mate,

Were you able to resolve this ? I have the exact same issue.


I belive so. We had to change forwarding profile options for off-trusted network. Since we are using Tunnel mode (and packet filter based settings) issues are gone. Due to Covid 19 we did not enabled this setting globally, bu we are enabling that per request if somebody have issues. But for now it helped all afftected users, and we did not notice any issues after this change.

Thanks for the reply.

Possibly interesting side note:

Just recently we had one test-user who complained about Outlook and Teams took about 10-15 minute to connect, especially after reboot oder fresh start in the morning. Z-App reported no error and ZIA and ZPA showed as “authenticated”. Internet access also was working. Now, the problem was, the assigned profile worked flawless on all other test-clients/test-users. No one reported these issues with Teams or Outlook. Same OS, same patchlevel, same Z-App version, same app-profile. We use ZTunnel 2.0 in tunnel-only mode with PacketFilterBased driver. Notable difference on user side (besides different home office locations, internet providers and hardware involved) was the used ZEN. Only this one particular user had issues.

After several hours of crawling through logs and pcap-files we inserted the exception below again in both pac-files (fwd and app) we had removed some time ago because we experienced no issues when removing it. Instantly after policy refresh the problems of this particular user were solved. The exception:

/* Authentication URLs are directly accessible */
if ((localHostOrDomainIs(host, “”)) ||
(localHostOrDomainIs(host, “”)) ||
(localHostOrDomainIs(host, “”)) ||
(localHostOrDomainIs(host, “”))) {
return “DIRECT”; #only in app-profile-pac
return “PROXY ${ZAPP_TUNNEL2_BYPASS}”; #only in fwd-profile-pac

The exception was initially posted here by Kris.