Machine Tunnel - Detect when returning to the office

Hi All,

Thoughts or suggestions on how to configure Machine Tunnel not to establish a tunnel when returning to the office? I noticed that when returning to the office my laptop took a while to settle before I could log on to the domain. Has anyone else noticed this? (ZCC using ‘Machine Authentication Required’)

I thought of configuring ‘Trusted Network’ and configuring the access policy as shown below.

“Trusted Network” (Not Trusted :cowboy_hat_face:)

But this won't cover all home configurations. Or is it a better idea to configure the Forwarding Policy to BYPASS ZPA using ‘Trusted Network’ for our office environment?

1 Like

We are facing the same issue as well. We have machine tunnels enabled, and when machines are connected to the corporate network, prior to logging in, Zscaler Diagnostics shows the machine tunnel is up and the machine is being detected as off-trusted network. Once the user logs in, the user tunnel kicks in, shows it is on the trusted network, and ZPA is disabled.

Technically, it should be detected as on the trusted network and disable the machine tunnel.

Hi Raj,

Silly question: is your corporate network fully defined within ‘Trusted Network’ in the mobile portal?
Because we’ve configured ours, and the ‘Forwarding Policy’ to bypass all for the Machine Tunnel when on-trusted, and it seems to work nicely. It’s strange you are being detected as off-trusted while in the office. Which ZCC version are you using?

Hi Gerhard,

We are not using the “Trusted Networks” configuration within the Client Connector portal and instead using the “Trusted Network Criteria” within the Forwarding Profile. We are using ZCC

I haven’t configured the ZPA “Forwarding Policy” as you mentioned. I will give that a whirl.


Hi Raj,

Pretty sure that’s the problem; the pre-defined ‘Trusted Network’ ties in with ZPA more than we realised.
Any specific reason you're not using it but manually defining “Trusted Network Criteria”?
I’d say try it with a test Forwarding Profile and see the results.


Hi Gerhard, I’ve just tested the configuration and when the machine is connected to the corporate network, before login, it is still being detected as Off-Trusted, and Machine Tunnel is ON.

I created a test Forwarding Profile using the Trusted Networks criteria for the same DNS Search Domain. I also created the ZPA Client Forwarding Policy where I can now select the Client Connector Trusted Networks.

The Trusted Networks feature came well after we had Trusted Network Criteria configured. We just never made the transition. But the functionality does indeed work.

Is your corporate (internal) environment running GRE and IPsec tunnels? If so, use the Zscaler Client Connector to detect trusted networks and turn off. Also, Machine Tunnels end when the user logs in. If the user does not have access in ZPA, the machine tunnel processes the changes at user authentication and transitions access based on USER, not machine, past that point. So the question is: does this user have access to ZPA or just ZIA?

The device can have whatever access it needs, based on machine tunnel policy. This typically means cert updates, GPO, password reset, set up / deploy / configure new devices, etc. It does not mean granting the user full access to ZPA, just ensuring they can get access to the machine and be validated and trusted on the domain. Bonus for interactive, not cached credential, logins.

1 Like

Support was able to determine the root cause after reviewing the tunnel logs. It turns out the machines I was testing on were assigned a different App Profile which had different trusted networks criteria defined. Once the token was deleted and assigned the correct App Profile it started working as designed. The machine provisioning key had to be set to Allow Re-enrollment.

1 Like
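The check a practitioner would want after this thread, added here as an example and not part of any post above: the trusted-network criteria discussed (DNS search domain) are evaluated by the machine tunnel before any user logs on, so the useful test is what the host sees in that state, not what a logged-in user session sees. The PowerShell below assumes the trusted network is identified by the DNS search domain corp.example.com and that dc01.corp.example.com is a name that only resolves on the corporate network (both placeholders). Run it as SYSTEM, for instance from a scheduled task at startup, so it reflects the pre-logon context. It tells you whether the criterion would match right now; it does not see Client Connector's own App Profile assignment, which was the actual root cause in the last post, so a match here with an "off-trusted" verdict in Zscaler Diagnostics points at the client's enrollment rather than the network.

```powershell
# Added example (not Zscaler's code): does this Windows host currently
# satisfy a DNS-search-domain based trusted network criterion, as seen from
# the machine (pre-logon) context? All names below are placeholders.
param(
    # Search domain configured as the Trusted Network criterion (assumption).
    [string]$TrustedSearchDomain = 'corp.example.com',
    # A host that resolves only on the corporate network (assumption).
    [string]$InternalMarkerHost  = 'dc01.corp.example.com'
)

# Global suffix search list (typically pushed by GPO) ...
$globalSuffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)

# ... plus the connection-specific suffix learned via DHCP on each adapter.
$perAdapter = Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

Write-Host "Global suffix search list : $($globalSuffixes -join ', ')"
foreach ($a in $perAdapter) {
    Write-Host ("Adapter {0,-25} suffix {1}" -f $a.InterfaceAlias, $a.ConnectionSpecificSuffix)
}

# -contains is case-insensitive in PowerShell, which is what we want for DNS names.
$allSuffixes  = $globalSuffixes + @($perAdapter | ForEach-Object { $_.ConnectionSpecificSuffix })
$suffixMatch  = $allSuffixes -contains $TrustedSearchDomain

# Second opinion: does an internal-only name resolve right now? If the suffix
# criterion matches but this fails, the adapter is not fully up yet, which is
# what a slow "settle" before domain logon looks like from the client side.
try {
    $records  = Resolve-DnsName -Name $InternalMarkerHost -DnsOnly -ErrorAction Stop
    $resolves = @($records | Where-Object { $_.IPAddress }).Count -gt 0
} catch {
    $resolves = $false
}

# One object you can log or compare against what Zscaler Diagnostics reports.
[pscustomobject]@{
    TrustedSearchDomain = $TrustedSearchDomain
    SuffixMatch         = $suffixMatch
    InternalResolves    = $resolves
    Verdict             = if ($suffixMatch -and $resolves) { 'on-trusted' } else { 'off-trusted' }
}
```

Compare the Verdict field with what Zscaler Diagnostics shows for the machine tunnel at the same moment. If the script says on-trusted and the client says off-trusted, the criterion is fine and the client is evaluating a different profile (the App Profile mismatch above); if both say off-trusted before logon, the DHCP-supplied suffix or the search list is arriving too late and the criterion itself needs revisiting.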