Microsoft AD Connect

Currently we have our Microsoft Cloud Connectors, used for connecting on-premises AD with Azure AD.
Traffic is HTTP/HTTPS running through our FortiGate firewalls to Microsoft.
If we move this traffic to the Zscaler GRE tunnel with SSL inspection, will this break the connection?
Should we use the specific URLs as described by MS and/or combine them with allowed categories: CAT: Professional Services, CAT: Internet Services, CAT: Operating System and Software Updates?

Hello Henk,

Pre-note: we do not use AD Connect here, and hence everything below is only “theoretical knowledge”.

AD Connect uses only TCP 80 and 443 (see Hybrid Identity required ports and protocols - Azure | Microsoft Docs) and the same URLs as Office 365 (see Azure AD Connect: Troubleshoot Azure AD connectivity issues | Microsoft Docs), so there should be no issue if you enable the famous Zscaler “Microsoft One Click Options” (see About Microsoft One Click Options | Zscaler). ADFS, on the other hand, may need some more “fine-tuning”…

But maybe someone else here can report from a “real world” setup :)

If in doubt I would create a ticket with Zscaler support.

BR
Manuel

Hello Henk,

If you want to be 100% sure that no SSL communication from the server is broken by SSL inspection, the best approach is to create a “Sub-Location” (under the GRE location created) and to include the “server IP” in it. Afterwards, you need to create an SSL policy for this “Sub-Location” with Action = “Do not inspect”.

Best regards

Adrian Larsen
Maidenhead Bridge

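A way to verify, from the AD Connect server itself, whether a given Azure AD endpoint is reached untouched or is being TLS-inspected (which is what Manuel's One Click options or Adrian's “Do not inspect” sub-location should prevent for this host). This is an added example, not code from the thread, from Zscaler or from Microsoft. The endpoint list is illustrative and must be checked against the Microsoft documentation linked above, and the “Zscaler” issuer-name fragment is an assumption that holds for Zscaler's default intermediate CA; if your inspection uses a customer CA, add that CA's name.

```powershell
# Added example (not from the thread): run on the AD Connect server to see whether
# its HTTPS traffic to Azure AD is being TLS-inspected (re-signed by a Zscaler CA)
# or reaches Microsoft untouched. GRE-tunnel forwarding is transparent, so a plain
# direct connection is exactly what the AD Connect service itself would make.

# Illustrative endpoint list (assumption: use the current list from the Microsoft
# docs linked in the thread for your tenant).
$Endpoints = @(
    'login.microsoftonline.com',
    'adminwebservice.microsoftonline.com',
    'provisioningapi.microsoftonline.com'
)

# Name fragments identifying an inspection CA. Zscaler's default intermediate is
# "Zscaler Intermediate Root CA"; add your own issuing CA name here if inspection
# is configured with a customer certificate (assumption).
$InspectionIssuerPatterns = @('Zscaler')

function Test-TlsInspection {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )

    $script:presentedChain = @()     # subjects exactly as presented in the handshake
    $script:policyErrors   = 'None'  # what Windows thinks of the chain (is the inspection root trusted?)

    # Accept every certificate here: the goal is to *see* an interception chain,
    # not to fail on it. The captured details are evaluated below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $sslErrors)
        $script:presentedChain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $script:policyErrors   = $sslErrors.ToString()
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:${Port} timed out (firewall or tunnel route?)"
        }
        $tcp.EndConnect($connect)

        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI = host name, as AD Connect would send it

        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Inspected traffic carries a leaf certificate issued by the inspection CA,
        # not by Microsoft's own issuing CA.
        $inspected = $false
        foreach ($pattern in $InspectionIssuerPatterns) {
            if ($leaf.Issuer -like "*$pattern*") { $inspected = $true }
        }

        [pscustomobject]@{
            HostName    = $HostName
            Subject     = $leaf.Subject
            Issuer      = $leaf.Issuer
            Inspected   = $inspected
            ChainStatus = $script:policyErrors
            Chain       = ($script:presentedChain -join ' <- ')
        }
    }
    catch {
        [pscustomobject]@{
            HostName    = $HostName
            Subject     = $null
            Issuer      = $null
            Inspected   = $null
            ChainStatus = "ERROR: $($_.Exception.Message)"
            Chain       = $null
        }
    }
    finally {
        $tcp.Close()
    }
}

$Endpoints | ForEach-Object { Test-TlsInspection -HostName $_ } |
    Format-Table HostName, Inspected, ChainStatus, Issuer -AutoSize
```

Run it once while the traffic still goes through the FortiGate and again after moving the server into the GRE tunnel. `Inspected = True` means the Zscaler SSL policy is re-signing that flow, so the One Click options or the sub-location bypass are not yet covering it; a `ChainStatus` other than `None` means the inspection CA is not trusted by the server, which is the case where the real AD Connect client would fail the connection outright.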