Machine Tunnel implementations - best practices

Tachyon · April 6, 2021, 2:31pm

I am starting a thread for Machine Tunnel Best Practices, and I’m making it a new thread because the old one here for Machine Tunnel is long, and is primarily about “when will this feature be available”. This thread is more about implementation methods, what works well/best, and what to avoid.

For example, it seems to me that setting it up can open a security concern. If I create Machine Tunnel (“MT” from here onwards) access to a particular set of (minimal) internal services, then that policy is entirely dependent on having the string of characters from the Windows Application Policy Token. If that Token gets leaked, Bad People can get access to my sensitive services.

Has anyone played with combining this with ZCC Posture features, such as a cert or a registry key?

Tachyon · April 21, 2021, 4:58pm

I just tried combining Posture (specifically, the Domain Joined option), but the Access Policy won’t accept a combination of Machine Tunnel and Posture. Perhaps my approach to this idea is incorrect.

Nilaya_Bandaru · April 29, 2021, 3:36pm

@paul: Device posture is not supported on Machine tunnel. There is an ER which you can get by reaching out to support or acocunt management.

Tachyon · April 27, 2021, 4:59pm

Thanks for pointing this out. I just noticed this in the Help information last Friday. I’ll ask for an ER, because this seems like a worrisome security gap.

Roberto_Iacone · April 29, 2021, 3:27pm

Is there any forecast to support the Machine Tunnel and Postures? As others this is a sec matter and Posture will nail any sec concerns about it.

G-Man8 · April 29, 2021, 3:36pm

Hi Roberto,
This is marked as an enhancement request(ER-8758) and is in progress.
I can only suggest you raise the ER too

Roberto_Iacone · April 29, 2021, 3:38pm

How can I raise the ER?

Tachyon · May 31, 2021, 1:17pm

Hi Roberto. ERs can be raised by your account team (SE or CSM, or even TAM if you have one). For an existing ER, these same people can attach your company name to the existing ER (i.e. no need for a duplicate ER). Usually, Zscaler prioritizes ERs based on the level of customer interest, so more customers, more priority. Having the ER number (in this case ER-8758) makes this easier.

G-Man8 · June 22, 2021, 11:08am

Hi Paul, have you tried the ‘IDP prompt’ for Machine tunnel using ZCC 3.4.1 ?
G

Tachyon · June 22, 2021, 2:16pm

Hello Gerhard,
No, I’ve not been aware of that capability until now. Reading the release notes for 3.4.1,I find the detail for this feature to be rather opaque, and a quick search of Help didn’t point to anything. Is there some documentation on how this IdP Prompt might be configured and used? Are the associated ZCC and ZPA console changes (if any) rolled out to production as well (my client is on ZS3, if that matters)?

G-Man8 · June 23, 2021, 9:24am

Hi Paul, IDP for Machine Tunnel needs to be requested for your instance of ZS3. We are waiting for it to be enabled within our BetaCloud environment. I’ll share info once enabled & tested but I’m still hoping to compliment this feature with Posture Checks

G

G-Man8 · July 1, 2021, 3:22pm

Hey Paul,

Apologies for the crap quality pics but sharing in case you haven’t had time.
IDP prompt using ZCC 3.5 is once off until the device is enrolled. Still hoping for posture check on machine tunnel like ‘domain joined’ and Certificate Trust.

Tachyon · July 2, 2021, 8:41pm

Ah, this info is very helpful. If it works as I think it does, it should at least keep out the riffraff.

I’ll see if I can test it on our dev environment.