Log entries "loopback exception is required" in Z-App

Hello all,

We use Z-App (Windows 10) with Z-Tunnel 2.0, tunnel mode and the PacketFilterDriver. In the ZSATunnel log we found entries like these:

2020-10-27 09:15:33.354039(+0100)[12860:7720] ERR Number of AppContainers in Loopback Exception List: 95
2020-10-27 09:15:33.354039(+0100)[12860:7720] ERR Loopback Exception is required! Windows8OrGreater: true, appContainerCount: 168, loopbackExceptionCount: 95 Result: 1

Sounds like we should enable the “Disable Loopback Restriction” switch, but AFAIK it should not be needed for this configuration (neither should “Restart WinHTTP Service” nor “Override WPAD”). The Zscaler documentation states these switches are only applicable when using Local Proxy Mode. But maybe I am just misinterpreting this log entry.

Can someone enlighten me please what exactly that means?

Thanks and best regards
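Added example (not from the original post and not Zscaler's own code): the log line above compares the number of AppContainer profiles on the machine with the number of loopback exemptions, so the obvious check is to reproduce those two figures locally and list the containers that have no exemption. The registry location of the AppContainer mappings, the presence of a Moniker value in each subkey, and the "Name: <moniker>" line format of CheckNetIsolation.exe are assumptions not stated in the thread (CheckNetIsolation ships with Windows 8 and later; its output format is not documented as stable).

```powershell
# Added example, not part of the original post. Reproduces the appContainerCount /
# loopbackExceptionCount pair from the ZSATunnel log and shows which containers
# currently lack a loopback exemption. Run as the logged-on user.
#
# Assumptions (not from the thread):
#  - AppContainer profiles of the current user live under the Mappings key below,
#    one subkey per AppContainer SID, each with 'Moniker' and 'DisplayName' values.
#  - 'CheckNetIsolation.exe LoopbackExempt -s' prints one "Name: <moniker>" line
#    per exempted container; the parse below is therefore a heuristic.

function Get-AppContainerProfiles {
    $mappingKey = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'
    Get-ChildItem -Path $mappingKey -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Sid         = $_.PSChildName     # S-1-15-2-... AppContainer SID
            Moniker     = $props.Moniker     # package family name / app moniker
            DisplayName = $props.DisplayName
        }
    }
}

function Get-LoopbackExemptMonikers {
    # Collect the moniker of every container that already has a loopback exemption.
    $exempt = [System.Collections.Generic.List[string]]::new()
    $lines = & CheckNetIsolation.exe LoopbackExempt -s 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*Name:\s*(\S+)') { $exempt.Add($Matches[1]) }
    }
    return $exempt
}

$containers = @(Get-AppContainerProfiles)
$exempt     = Get-LoopbackExemptMonikers

# Containers that are NOT exempted: code running inside them cannot reach a
# listener on 127.0.0.1 (that is what the AppContainer loopback restriction does).
$missing = @($containers | Where-Object { $exempt -notcontains $_.Moniker })

[pscustomobject]@{
    appContainerCount       = $containers.Count
    loopbackExceptionCount  = $exempt.Count
    containersWithoutExempt = $missing.Count
}

$missing | Select-Object Moniker, DisplayName | Format-Table -AutoSize

# For testing a single application from an elevated prompt (both commands are
# standard CheckNetIsolation options):
#   CheckNetIsolation.exe LoopbackExempt -a -n=<Moniker>   # add one exemption
#   CheckNetIsolation.exe LoopbackExempt -d -n=<Moniker>   # remove it again
```

Comparing the Moniker column of the missing list against the Microsoft Store packages of Outlook/Teams (or any other AppContainer-hosted app that misbehaves) tells you whether that app is one of the containers the log entry is complaining about, before touching the global app profile switch.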

Maybe an interesting sidenote/update:

We drilled a little bit more into the “loopback error” mode for Z-Tunnel 2.0, which should not be necessary for Z-Tunnel 2.0. When NOT enabling the “loopback” switch for Z-Tunnel 2.0, we had some “fuzzy” issues connecting Outlook and Teams. Sometimes (sic!) it took up to 15 minutes until the connection was established. In the event log “Application and Services/Microsoft/Windows/AAD/Operational” we found several of these entries, especially after a fresh reboot or network change:

Error: 0xCAA70004 The server or proxy was not found.
Exception of type 'class HttpException' at XMLHTTPWebRequest.cpp, line: 184, method: XMLHTTPWebRequest::ReceiveResponse.

Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at AuthorizationClient.cpp, line: 242, method: ADALRT::AuthorizationClient::AcquireToken.

See also e.g. https://www.reddit.com/r/sysadmin/comments/axevdq/aad_broker_issues_users_cant_connectauthenticate/

After enabling the loopback restriction switch and a reboot, in general (!) these “server or proxy not found” messages vanished and connections to Outlook and Teams worked without issues and quite fast. Sometimes we still see these errors in the event log, but they somehow seem (!) to be related to client sleep/wake-up issues. We are still trying to narrow things down here.

Zscaler support feedback so far:
“Regarding the other issue of loopback restriction: basically it was added for Microsoft applications only, since they don't follow the restrictions enforced by the proxy and it could cause issues with their applications working.”

Unfortunately it is a kind of Sisyphean task, because as soon as we believe we have solved the problem, the connection/auth issues magically appear elsewhere.

Maybe someone else out there can verify/ack/nack these findings.
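Added example (not part of the original post): a quick way to verify the observation above on another client is to pull the 0xCAA70004 / 0xCAA10083 errors out of the AAD Operational log and tag each one with the nearest preceding boot, network-profile change or resume-from-sleep. The event IDs used as markers (NetworkProfile/Operational 10000 for "network connected", Power-Troubleshooter ID 1 in System for "resumed from a low power state") and the assumption that the hex codes appear verbatim in the event message are mine, not from the thread.

```powershell
# Added example, not part of the original post. Correlates AAD auth errors with
# reboot / network change / wake-up markers over the last $Days days.
#
# Assumptions (not from the thread):
#  - Network connect events: Microsoft-Windows-NetworkProfile/Operational, ID 10000.
#  - Resume from sleep: System log, provider Microsoft-Windows-Power-Troubleshooter, ID 1.
#  - The error codes 0xCAA70004 / 0xCAA10083 appear in the AAD event message text.

$Days          = 7
$WindowMinutes = 10     # an error this close after a marker is attributed to it
$since         = (Get-Date).AddDays(-$Days)

function Get-EventsSafe([hashtable]$Filter) {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try { @(Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop) } catch { @() }
}

$aadErrors = Get-EventsSafe -Filter @{ LogName = 'Microsoft-Windows-AAD/Operational'; StartTime = $since } |
    Where-Object { $_.Message -match '0xCAA70004|0xCAA10083' }

# Build the marker timeline: last boot plus every network connect and wake-up.
$markers  = @([pscustomobject]@{ Kind = 'boot'; Time = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime })
$markers += @(Get-EventsSafe -Filter @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000; StartTime = $since } |
    ForEach-Object { [pscustomobject]@{ Kind = 'network'; Time = $_.TimeCreated } })
$markers += @(Get-EventsSafe -Filter @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1; StartTime = $since } |
    ForEach-Object { [pscustomobject]@{ Kind = 'wake'; Time = $_.TimeCreated } })
$markers  = $markers | Sort-Object Time

$tagged = foreach ($e in $aadErrors) {
    $prev = $markers | Where-Object { $_.Time -le $e.TimeCreated } | Select-Object -Last 1
    $gap  = if ($prev) { [math]::Round(($e.TimeCreated - $prev.Time).TotalMinutes, 1) } else { $null }
    $code = if ($e.Message -match '0xCAA[0-9A-Fa-f]{5}') { $Matches[0].ToUpper() } else { '' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Code         = $code
        Trigger      = if ($prev -and $gap -le $WindowMinutes) { $prev.Kind } else { 'none' }
        MinutesAfter = $gap
    }
}

$tagged | Sort-Object Time | Format-Table -AutoSize
# Summary: how many errors follow a boot, a network change, a wake-up, or nothing at all.
$tagged | Group-Object Trigger | Select-Object Name, Count
```

Run it once with the loopback switch off and once with it on (after the reboot): if the errors really are tied to the switch, the "boot" and "network" buckets should empty out, and what remains in "wake" is the sleep/wake-up residue mentioned above.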

So, final statement from support:

“Regarding the loopback restriction, as I stated earlier, it was added for Microsoft applications (like Outlook, Teams) and other applications, since they don't follow the restrictions enforced by the proxy and it could cause issues with their applications working. So that is why it is working fine when you enable it, and I would recommend you to keep it enabled.”

Lessons learned:

The documentation at https://help.zscaler.com/z-app/configuring-zscaler-app-profiles seems to be a little fuzzy at best. You DO need to enable the “Disable Loopback Restriction” switch even if you are not using TWLP mode, if you want your Microsoft applications to work properly. At least we do.

Good findings, Manuel. I also find these three app profile settings hard to understand. Hopefully the Zscaler team can elaborate more or make those settings enabled by default.