Maybe an interesting sidenote/update:
We drilled a little bit more into the “loopback error”-Mode for Z-Tunnel 2.0, which should not be necessary for ZTunnel 2.0. When NOT enabling the “loopback” for Z-Tunnel 2.0, we had some “fuzzy” issues connecting Outlook and Teams. Sometimes (sic!) it took up to 15 minutes until a connection was established. In the event log “Application and Services/Microsoft/Windows/AAD/Operational” we found several of these entries, especially after a fresh reboot or network change:
Error: 0xCAA70004 The server or proxy was not found.
Exception of type 'class HttpException' at XMLHTTPWebRequest.cpp, line: 184, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at AuthorizationClient.cpp, line: 242, method: ADALRT::AuthorizationClient::AcquireToken.
See also e.g. https://www.reddit.com/r/sysadmin/comments/axevdq/aad_broker_issues_users_cant_connectauthenticate/
After enabling the loopback restriction switch and a reboot in general (!), these “server or proxy not found” messages vanished and connections to Outlook and Teams worked without issues and quite fast. Sometimes we still see these errors in the event log, but they somehow seem (!) to be related to client sleep/wakeup issues. We are still trying to narrow things down here.
Zscaler support feedback so far:
“Regarding the other issue of Loopback restriction. Basically it was added for Microsoft Applications only since they don't follow the restrictions enforced by Proxy and could cause issues in their applications working.”
Unfortunately it is a kind of Sisyphean task, because - as soon as we believe we have solved the problem - the connection/auth issues magically appear elsewhere.
Maybe someone else out there can verify/ack/nack these findings.
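As an added example (not from the original post, nor from Zscaler or Microsoft), a PowerShell check that pulls the 0xCAA70004 entries from the AAD Operational log and measures how long after the last boot, resume from sleep or network change each one fired, so the "fresh reboot / network change / sleep-wakeup" correlation can be verified on a client. It assumes the provider log name Microsoft-Windows-AAD/Operational and uses Kernel-General event 12 (boot), Kernel-Power event 107 (resume) and NetworkProfile event 10000 (network connected) as trigger markers.

```powershell
# Added example: correlate AAD broker "server or proxy was not found" (0xCAA70004)
# errors with boots, resumes from sleep and network changes over the last 7 days.
# Assumed trigger markers: System log Kernel-General ID 12 (boot), Kernel-Power
# ID 107 (resume), NetworkProfile/Operational ID 10000 (network connected).
$since = (Get-Date).AddDays(-7)

# AAD broker errors carrying the proxy-not-found code quoted in the post.
$aadErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AAD/Operational'; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match '0xCAA70004' }

# Collect boot / resume / network-change markers as (Time, Kind) pairs.
$triggers = @()
$triggers += Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 12; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'boot' } }
$triggers += Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 107; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'resume' } }
$triggers += Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'network' } }

# For each error, find the most recent trigger before it and the delay in minutes.
$report = foreach ($e in $aadErrors) {
    $prev = $triggers | Where-Object { $_.Time -le $e.TimeCreated } |
        Sort-Object Time -Descending | Select-Object -First 1
    $kind = 'none'
    $mins = $null
    if ($prev) {
        $kind = $prev.Kind
        $mins = [math]::Round(($e.TimeCreated - $prev.Time).TotalMinutes, 1)
    }
    [pscustomobject]@{ ErrorTime = $e.TimeCreated; LastTrigger = $kind; MinutesAfter = $mins }
}

# Errors clustered a few minutes after a boot/resume/network change support the
# post's observation; errors with no nearby trigger point elsewhere (e.g. the
# loopback restriction setting itself).
$report | Sort-Object ErrorTime | Format-Table -AutoSize
$report | Group-Object LastTrigger | Select-Object Name, Count
```

Run it in an elevated PowerShell on an affected client before and after toggling the loopback restriction switch and compare the two reports.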