Non HTTP ports communication through Z app


(Venkat) #1

I have a database application which uses port 1433 for communication. And we have tunnel with local proxy as our forward method. We want to use an internal proxy server for this application traffic and we have created an exception in the PAC file. But we only see that this application always goes direct to internet being this application is aware of proxy.

Is any port 80 and 443 restriction applied here?

Thanks


(Scott Bullock) #2

Hi Venkat,
Did you put the exemption in the PAC configured in the TWLP (Tunnel /w local proxy) ProxyPAC? If so, when adding the exemption did you set DIRECT or use the internal Proxy address/port? What condition did you use to match the application traffic?

Cheers,

Scott-


(Venkat) #3

Hi Scott,

Yes, I have included the exception in the PAC file to match the application:

if (shExpMatch(host, "*.database.windows.net"))
return "PROXY 129.230.X.X:80; PROXY 129.230.X.X:1433";

Proxy server IP - 129.230.X.X
Port-1433

Server name is “.database.windows.net”

We are using the management studio application to access the server. And what I observe is that if I place the server name as a URL in any browser, it is redirecting to the proxy IP as per captures. If I use the application, it just redirects to internet.

Quick question, can any application with a non-standard port reach the PAC file, or does it have any 80 & 443 exception?

Thanks


(Scott Bullock) #4

The Application does need to be proxy aware, given the app is going direct to Internet I’d suggest it either:

A) is not proxy aware

B) is not PAC aware/capable

What is the name of the Application making the connection?


(Venkat) #5

Microsoft SQL Server Management Studio

And this application is proxy aware. How can I check if it is PAC capable or not?


(David Creedy) #6

We might need to look at logs and see if this traffic is somehow being sent to Z App and being ignored. It could be that the management studio is connecting to the IP as opposed to the FQDN, which leads it to skip this PAC statement. I’d recommend raising a ticket and attaching logs so support and engineering can comment.

To answer your other question about non standard ports, Z App will tunnel non 80/443 traffic in tunnel with local proxy mode, but these requests still need to be web requests (i.e. can be wrapped in a CONNECT request).


(Venkat) #7

Hi David,

I was already working with Zscaler support with a request and logs, but we only see that the application is sending the traffic direct to internet and not to the Zscaler proxy or any manually configured proxy. Unfortunately, we are still battling with the issue as we can only see the application redirecting to internet, and it is severely impacting all remote users. We don't have a root cause for it or any evidence of why that traffic is being ignored by Zscaler App. Any thoughts on it?

And I would also like to know if any client is accessing Azure PaaS Cloud while on Zscaler, and how?


(Joost Hage) #8

Note that you’re using the * wildcard (in if (shExpMatch(host, "*.database.windows.net"))) and that some browsers have problems with "*" (for instance: IE9 doesn’t support them & I’m not sure about later versions).
Try testing with dnsDomainIs(host, ".database.windows.net") instead.
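
Added example, not part of the thread: the rule from post #3 and the dnsDomainIs variant from post #8, evaluated offline against constructed hosts to show which ones each rule sends to the proxy. The shExpMatch and dnsDomainIs functions here are simplified stand-ins for the helpers a PAC-capable client provides, and the proxy name is a placeholder.

```javascript
// Minimal stand-ins for the PAC helpers a browser provides (assumption: only
// the "*" and "?" wildcards are handled, which is all these rules need).
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Placeholder proxy; the thread masks the real address as 129.230.X.X.
const INTERNAL_PROXY = "PROXY proxy.internal.example:80";

// Rule from post #3, with straight quotes.
function findProxyWildcard(url, host) {
  if (shExpMatch(host, "*.database.windows.net")) return INTERNAL_PROXY;
  return "DIRECT";
}

// Variant suggested in post #8.
function findProxyDomain(url, host) {
  if (dnsDomainIs(host, ".database.windows.net")) return INTERNAL_PROXY;
  return "DIRECT";
}

// Constructed sample hosts, not taken from the thread.
const SAMPLE_HOSTS = [
  "myserver.database.windows.net", // FQDN under the matched domain
  "203.0.113.10",                  // client given an IP literal instead
  "database.windows.net",          // bare domain, no leading label
  "database.windows.net.example",  // lookalike suffix
];

// Evaluate both rules for every sample host.
function evaluate() {
  return SAMPLE_HOSTS.map((host) => ({
    host,
    wildcard: findProxyWildcard("", host),
    domain: findProxyDomain("", host),
  }));
}

console.table(evaluate());
```

The IP-literal row returns DIRECT under both rules, which is the case post #6 describes; a client that never asks for the PAC result is not affected by either rule.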