Netscaler VPN co-existing with Client Agent for ZPA ONLY

I have a customer testing ZPA in a POV and they also use Netscaler, which when launched grabs all traffic (default route) and sends it back through the VPN tunnel. Anyone have experience on how to configure the Zscaler client agent for ZPA only to work with a Netscaler full VPN config? Can I just exclude 100.64.0.0/16 as well as all Zscaler ZPA data center IPs from Netscaler’s config? Is that the right way to configure this? Any info would be greatly appreciated.

Hi Rich - I think it’s a matter of one or the other proxy process capturing the packet first, in which case the destination will not resolve to the 100.64.0.0 range, so you’d have to resort to URLs for every destination you wanted bypassed, making it untenable.

Having spent a LOT of time on this very configuration in a PoV, my only suggestion is to build a separate PoV test team to test without Netskope. I’ve found no configuration option in ZS or Netskope to make this work without having to constantly add destinations/exceptions in ZPA Client Bypass or Netskope making the PoV process less than optimal or efficient and in no way a reflection of what a production environment would look like.

The bottom line is that if the end goal was to use both proxies for essentially the same functions, it would require one or the other to be configured as the primary proxy and the other as a forward proxy, which has a ton of its own issues and is no better a PoV configuration than the NS full tunnel configuration IMHO.

Hey Mark,
So my problem is a Netscaler full VPN (ZPA) issue, not a NetSkope (ZIA) issue. I agree completely: double proxy/CASB, why? And good luck getting that to work. If you have any thoughts on ways to configure this to work with Netscaler, let me know. We’re on an accelerated time frame.


My bad, I mixed up the “Net” products. :wink: The concept is roughly the same though: the Netscaler full VPN is capturing all requests, so you have to bypass the 100.64 and ZS address range to allow ZPA to pick up those destinations. That works if you’re using exclusively IP addresses to reach the destination. It’s the “full VPN” configuration that’s getting in the way regardless of whether you have ZIA or ZPA running on ZCC. The only universal recommendation is to change the fwd profile to tunnel w/local proxy as a first step. Then you may have to add the 100.64 and ZS domain to the Netscaler bypass. Other than that, I’m not privy to any other configuration changes you can make to make it work.

Hope it helps…

…and possibly attacking this from the other way around and putting a client fwd profile bypassing the Netscaler destinations you want ZPA to bypass would work.
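The routing conflict the thread describes (a full-tunnel default route swallowing the 100.64.0.0/16 synthetic range ZPA uses) comes down to longest-prefix matching, so here is an added example, not from the thread or from Zscaler/Citrix, that resolves sample ZPA synthetic IPs against a constructed route table with and without the bypass entry. Interface names, the route entries and the sample addresses are all assumptions; the Zscaler data center ranges are left as a placeholder because the thread does not list them.

```python
import ipaddress

# Constructed route tables, not taken from any real host. Each entry is
# (destination prefix, interface). A full-tunnel VPN installs a default route
# via the tunnel adapter, so anything without a more specific route goes there.
TUNNEL_IFACE = "netscaler-vpn"      # hypothetical tunnel adapter name
LAN_IFACE = "wifi0"                 # hypothetical physical adapter name

FULL_TUNNEL_ONLY = [
    ("0.0.0.0/0", TUNNEL_IFACE),     # VPN default route captures everything
    ("192.168.1.0/24", LAN_IFACE),   # local LAN
]

WITH_ZPA_BYPASS = FULL_TUNNEL_ONLY + [
    # ZPA synthetic (CGNAT) range the client hands out for app segments;
    # a /16 is more specific than /0, so it wins longest-prefix match.
    ("100.64.0.0/16", LAN_IFACE),
    # PLACEHOLDER: Zscaler data center prefixes from the vendor's published
    # list would be added here the same way; a TEST-NET value stands in.
    ("203.0.113.0/24", LAN_IFACE),
]


def resolve(routes, dst):
    """Longest-prefix match: return the interface that would carry dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def zpa_reachable(routes, samples=("100.64.0.1", "100.64.200.17")):
    """Check that sample ZPA synthetic IPs are not captured by the VPN
    default route, i.e. the bypass is more specific than the tunnel's route."""
    return all(resolve(routes, s) != TUNNEL_IFACE for s in samples)
```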