PAC File Setup for Microsoft Domains

Hello Everyone,

Can someone help me validate how the PAC file should be set up for login.microsoft.com and other Microsoft services?

A Zscaler Sr. Engineer told me to add the following entries to both the app PAC and the forwarding PAC:

    //Azure Login URL Bypasses
    if (shExpMatch(host, "login.microsoftonline.com") ||
        shExpMatch(host, "*.microsoftonline.com") ||
        shExpMatch(host, "microsoftonline.com") ||
        shExpMatch(host, "*.login.microsoft.com") ||
        shExpMatch(host, "*.login.live.com") ||
        shExpMatch(host, "*.login.office365.com") ||
        shExpMatch(host, "*.outlook.com") ||
        shExpMatch(host, "*.outlook.office.com") ||
        shExpMatch(host, "outlook.office365.com") ||
        shExpMatch(host, "*.login.windows.net"))
        return "DIRECT";

After adding the above, the next day users had issues accessing Microsoft Teams, Microsoft Drive, and Microsoft Outlook.

Is the above PAC file entry correct, or should it be changed to something else?

Is this from on-prem or Road Warriors?

For on-prem you will need to open up any internal firewalls as well.

Hello Gordon,

This was affecting both on-prem and road warriors. No other changes were made except adding the entries in the App and Forwarding profiles.

Do you have any restrictions in Azure that only allow connections from Zscaler IP ranges?

No, we don’t have any restrictions in Azure. After removing the entries suggested by Sr. Zscaler Support, everything worked properly.

What was the original issue you were attempting to solve? If you bypass Zscaler for the above MS products, there is a complex set of firewall rules you must allow direct. You mention the issue impacted both on-prem and road warriors. Do your road warriors have any type of outbound firewall (like Windows Firewall)? If so, that could be the cause.

If you are using Azure AD as your IdP, you want to bypass that from Zscaler, or at least from Zscaler authentication requirements; otherwise users can end up in a loop where the authentication request requires authentication. The primary URL for authentication is login.microsoftonline.com, but components of the sign-in screen like graphics and formatting pull from other domains as well.

Refer to this doc for required firewall rules: Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Docs

Hi Joe,

We have about 63 Azure SQL Servers, and the original issue I was trying to resolve was connecting to Azure SQL Database via our VPN Gateway IP address instead of the Zscaler super subnets in the Azure SQL firewall rule.

I was able to resolve the issue by adding all 63 Azure SQL Database URLs to the bypass in the Client Connector settings, but every time we add a new database someone would need to manually add the database server URL to the bypass.

I thought I would redirect traffic utilizing the PAC file: anything for XXX-XXX-XXX-XXX-sqlserver.database.windows.net to DIRECT in the Application PAC file and Forwarding Profile. Since I was unable to get it working, I opened a support case and the Sr. Zscaler Tech said I need to add the above URL bypass. Adding the above resolved the Azure SQL issue but caused other issues, such as logging in to Teams and OneDrive.

Once we removed the //Azure Login URL Bypasses lines, Teams and OneDrive started working properly.

For testing today I created new PAC files, app profile, forwarding profile, App Policy and Forwarding Policy, and changed shExpMatch from host to url. We were able to log in to Teams and OneDrive without any problem, but Azure SQL traffic started going over Zscaler instead of the VPN Gateway.

I don’t quite follow. When you say VPN gateway, are you talking about a ZPA connector or some other product? If you are using ZPA and an app connector, you don’t need to define the SQL databases in the PAC, as ZPA takes traffic before it ever parses the PAC. You would need to define those in a ZPA app segment though and assign connectors.

If using another VPN product and you just want to bypass Zscaler ZIA for the DB and auth traffic, you should be able to bypass it for all databases without all those other URLs you added:

    //Azure Login / SQL URL Bypasses
    if (shExpMatch(host, "login.microsoftonline.com") ||
        shExpMatch(host, "*.database.windows.net"))
        return "DIRECT";
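As an added example (not code from the thread or from Zscaler), here is a small JavaScript harness for checking what a bypass rule like the one above actually matches before pushing it to clients. It re-implements shExpMatch as a glob, wraps the rule in a FindProxyForURL function, and also shows why matching against the full url instead of host (as tried earlier in the thread) stops the SQL bypass from matching. The proxy return string and the sample hostnames are constructed placeholders.

```javascript
// Minimal re-implementation of the PAC helper shExpMatch ('*' and '?' globs),
// enough for the patterns used here; real PAC engines provide it natively.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Bypass rule from the thread: Azure AD sign-in and all Azure SQL endpoints
// go DIRECT, everything else goes to the proxy (placeholder target).
function FindProxyForURL(url, host) {
  // Azure Login / SQL URL Bypasses
  if (shExpMatch(host, "login.microsoftonline.com") ||
      shExpMatch(host, "*.database.windows.net"))
    return "DIRECT";
  return "PROXY proxy.example.invalid:80"; // constructed placeholder
}

// Same SQL pattern evaluated against the full URL instead of host: the URL
// carries a scheme and a path, so a pattern without a trailing '*' no longer
// matches and the traffic silently stops bypassing.
function matchesOnUrl(url) {
  return shExpMatch(url, "*.database.windows.net");
}

// Evaluate constructed url/host pairs and report the routing decision.
function evaluate(samples) {
  return samples.map(({ url, host }) => ({ host, route: FindProxyForURL(url, host) }));
}

const SAMPLES = [ // constructed examples, not real tenant or server names
  { url: "https://login.microsoftonline.com/common/oauth2/authorize", host: "login.microsoftonline.com" },
  { url: "https://xxx-sqlserver.database.windows.net/", host: "xxx-sqlserver.database.windows.net" },
  { url: "https://teams.microsoft.com/", host: "teams.microsoft.com" },
  { url: "https://contoso-my.sharepoint.com/", host: "contoso-my.sharepoint.com" },
];

for (const r of evaluate(SAMPLES)) console.log(r.host, "->", r.route);
```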

@joe.van

I tried that as well, and when I try to connect to the database via SSMS it’s still using the Zscaler subnet.
