Machine Tunnel implementations - best practices

I am starting a thread for Machine Tunnel Best Practices, and I’m making it a new thread because the old one here for Machine Tunnel is long, and is primarily about “when will this feature be available”. This thread is more about implementation methods, what works well/best, and what to avoid.

For example, it seems to me that setting it up can open a security concern. If I create Machine Tunnel (“MT” from here onwards) access to a particular set of (minimal) internal services, then that policy is entirely dependent on having the string of characters from the Windows Application Policy Token. If that Token gets leaked, Bad People can get access to my sensitive services.

Has anyone played with combining this with ZCC Posture features, such as a cert or a registry key?

I just tried combining Posture (specifically, the Domain Joined option), but the Access Policy won’t accept a combination of Machine Tunnel and Posture. Perhaps my approach to this idea is incorrect.

@paul: Device posture is not supported on Machine tunnel. There is an ER which you can get by reaching out to support or acocunt management.

Thanks for pointing this out. I just noticed this in the Help information last Friday. I’ll ask for an ER, because this seems like a worrisome security gap.

Is there any forecast to support the Machine Tunnel and Postures? As others this is a sec matter and Posture will nail any sec concerns about it.

Hi Roberto,
This is marked as an enhancement request(ER-8758) and is in progress.
I can only suggest you raise the ER too

How can I raise the ER?

Hi Roberto. ERs can be raised by your account team (SE or CSM, or even TAM if you have one). For an existing ER, these same people can attach your company name to the existing ER (i.e. no need for a duplicate ER). Usually, Zscaler prioritizes ERs based on the level of customer interest, so more customers, more priority. Having the ER number (in this case ER-8758) makes this easier.

Hi Paul, have you tried the ‘IDP prompt’ for Machine tunnel using ZCC 3.4.1 ?
G

Hello Gerhard,
No, I’ve not been aware of that capability until now. Reading the release notes for 3.4.1,I find the detail for this feature to be rather opaque, and a quick search of Help didn’t point to anything. Is there some documentation on how this IdP Prompt might be configured and used? Are the associated ZCC and ZPA console changes (if any) rolled out to production as well (my client is on ZS3, if that matters)?

Hi Paul, IDP for Machine Tunnel needs to be requested for your instance of ZS3. We are waiting for it to be enabled within our BetaCloud environment. I’ll share info once enabled & tested but I’m still hoping to compliment this feature with Posture Checks

G

Hey Paul,

Apologies for the crap quality pics but sharing in case you haven’t had time.
IDP prompt using ZCC 3.5 is once off until the device is enrolled. Still hoping for posture check on machine tunnel like ‘domain joined’ and Certificate Trust.

Diag533×891 102 KB

Machine_Tunnel_IDP_App_Profile1152×837 109 KB

Tunnel_Status469×538 55.4 KB

Ah, this info is very helpful. If it works as I think it does, it should at least keep out the riffraff.

I’ll see if I can test it on our dev environment.

Hi, is there any update on predicted date for the release of this?

Hi Roberto,

I’ve been told early CY 22 which I’m really hoping for.
Any specific posture check you have in mind ?
G

Check that the machine has a certificate issued by the internal AD CA would be a good one to start with.

Same here then ‘Domain Joined’.
We are hoping for a new Posture for 'Intune managed by “yourCompany” but we do understand these request are challenging while keeping security in mind.

Lets see what 2022 brings