Meaning of the message displayed on ip.zscaler.com

Hi Community.

In my environment the user is using ZCC and in the PAC file the Global Public Service Edge IP address is configured as a proxy. Communications destined to the proxy reach the Zscaler cloud via a GRE registered to a known location.

If you are logged in to ZCC and go to ip.zscaler.com, you will go through Zscaler, but you will see that “You’re logged out of your company’s security service” is displayed.

What does this message mean, and why am I getting this message when I am logged into ZCC? What is the difference between this and the “Would you like to logout” message?

Hello -

In my environment the user is using ZCC and in the PAC file the Global Public Service Edge IP address is configured as a proxy. Communications destined to the proxy reach the Zscaler cloud via a GRE registered to a known location.
If you are logged in to ZCC and go to ip.zscaler.com, you will go through Zscaler, but you will see that “You’re logged out of your company’s security service” is displayed.

The recommended deployment for Client Connector when running at a location with a GRE tunnel is to use “Trusted Network Detection” to detect location and disable ZTunnel since the traffic will be forwarded to Zscaler via the GRE tunnel. Your users will see better performance, especially when running with zTunnels. Secondly, you will want to “Enable IP Surrogate” for the location, so Zscaler will be able to identify the user from initial Integrated Windows Authentication (IWA). This will prevent the above issue.

Following up on @Niladri_Datta's answer, you can find help docs on these two topics at the following locations:

Hello.

Thanks for the reply.

To add about our current environment, we already have the surrogate IP feature enabled in our environment.

The PAC file retrieval from within the company is done via GRE according to the SDWAN policy.
If the PAC file determines that the access is from within the company, we set the IP address of the Global Public Service Edge as the proxy and route it to GRE over SDWAN. Also, if the PAC file determines that the access is from a road warrior, the IP address returned by the GATEWAY variable is set as the proxy. Because of the need for this process, we are using both GRE and PAC files.

After looking at the reply, I understand that the following message is displayed because of the current configuration.
“You’re logged out of your company’s security service”.

What I would most like to know is if there is a security issue with the current configuration that is displaying this message.

If it is a display issue on the confirmation site, I would like to keep the configuration as it is.
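
The two-branch PAC logic described in the post above, as an added sketch that is not the poster's PAC file or Zscaler's own code. The corporate range, the stand-in address for the Global Public Service Edge, the port, and the use of `myIpAddress()` to detect an in-office client are all assumptions; `proxyForClient` is a hypothetical helper for checking the result under Node.

```javascript
// Added example: placeholders only, not the poster's real PAC file.
// Assumed values: 10.0.0.0/8 as the corporate range, 192.0.2.10 (documentation
// range) standing in for the Global Public Service Edge IP, port 80.
var CORP_NET = "10.0.0.0", CORP_MASK = "255.0.0.0";
var GLOBAL_PSE_PROXY = "PROXY 192.0.2.10:80";
// The page's "GATEWAY variable"; the PAC server substitutes it before delivery.
var ROAD_WARRIOR_PROXY = "PROXY ${GATEWAY}:80";

// Browsers supply myIpAddress() and isInNet(); these shims exist only so the
// file also runs under Node for checking.
if (typeof isInNet === "undefined") {
  var toInt = function (addr) {
    return addr.split(".").reduce(function (n, octet) {
      return ((n << 8) | Number(octet)) >>> 0;
    }, 0);
  };
  globalThis.pacClientIp = "10.1.2.3"; // constructed sample address
  globalThis.myIpAddress = function () { return globalThis.pacClientIp; };
  globalThis.isInNet = function (ip, net, mask) {
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  // Inside the company: explicit proxy to the Global Public Service Edge IP,
  // which the SD-WAN policy routes into the GRE tunnel.
  if (isInNet(myIpAddress(), CORP_NET, CORP_MASK)) {
    return GLOBAL_PSE_PROXY;
  }
  // Road warrior: proxy chosen by the gateway variable.
  return ROAD_WARRIOR_PROXY;
}

// Check helper (Node only): which proxy does a given client address get?
function proxyForClient(clientIp) {
  globalThis.pacClientIp = clientIp;
  return FindProxyForURL("http://ip.zscaler.com/", "ip.zscaler.com");
}
```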

Thanks for the awesome information.

Correct. If you use Trusted Network Detection, you can stand down the ZCC completely, or change the tunnel type to Tunnel 1.0, or off. This is all so that the Client plays nicely with the local tunnel configuration, as the tunnel can send all ports, all protocols up to Zscaler.

Hello.

I have read many of your replies, but I still don’t understand how it works.

Specifically, I do not understand the following:

  1. When I connect to “ip.zscaler.com”, the message that appears at the bottom of the screen has the following two patterns, but what is the difference between the two states?
    “You’re logged out of your company’s security service”.
    “Would you like to logout”

  2. As I mentioned in my previous reply, I have a GRE tunnel set up from the location to Zscaler, but in addition to that, the ZCC for the user connecting from that location has “Tunnel” selected in On Trusted Network. Is this configuration strange?