Periodic Issues Connecting to O365 with Teams and Outlook clients

JFYI, if you did not know yet: a new option has shown up in the Mobile Portal, specifically for application exceptions (so far only usable for Microsoft Teams):


More details here:

1 Like

Quick update on our findings so far

We are not using Tunnel 2.0, but have discovered that the ‘loopback exemption’ list appears not to be working as intended. The exemption list allows UWP apps to talk to loopback interfaces, which by default is not allowed. The Zscaler proxy service and the PAC file are both on loopback interfaces. My understanding is that each time the Zscaler service starts, it checks to ensure all the UWP apps are in the exemption list.

The exemption list can be seen with: checknetisolation LoopbackExempt -s

On broken devices the list always seems to have many more entries than expected (some are 700+ despite only 70 UWP apps), and I can see the AAD broker plugin in the list (responsible for WAM auth flows).

Re-adding any entry to the bypass list seems to cause some kind of validation and reduces it back down to an expected number, and so far 100% of devices we have run this command on have instantly started working again:

checknetisolation LoopbackExempt -a -n=microsoft.aad.brokerplugin_cw5n1h2txyewy

We still don’t know why this is breaking, and are still looking for explanations, but this may help others work around any such issues (or at least test for this specific issue).

3 Likes
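
The check described in the post above (an exemption list far longer than the number of UWP apps, with the AAD broker plugin present), as an added PowerShell example that is not part of the original thread. The function name `Get-LoopbackExemptSummary`, the assumed `Name:`/`SID:` layout of the `-s` output, and the sample lines are constructed for illustration.

```powershell
# Added example: summarise "CheckNetIsolation LoopbackExempt -s" output.
# Assumption: each entry is printed as a "Name:" line followed by a "SID:" line.
function Get-LoopbackExemptSummary {
    param(
        [string[]]$Lines,
        [string]$Watch = 'microsoft.aad.brokerplugin_cw5n1h2txyewy'
    )
    # Collect every AppContainer name, lower-cased so duplicates compare equal.
    $names = @(foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s*(\S.*?)\s*$') { $Matches[1].ToLowerInvariant() }
    })
    $groups = @($names | Group-Object)
    [pscustomobject]@{
        TotalEntries = $names.Count
        UniqueNames  = $groups.Count
        WatchedCount = @($names | Where-Object { $_ -eq $Watch.ToLowerInvariant() }).Count
        # Names that appear more than once, most repeated first.
        Duplicated   = @($groups | Where-Object { $_.Count -gt 1 } |
                         Sort-Object Count -Descending |
                         ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count })
    }
}

# Constructed sample output (not captured from a real device): the broker
# plugin listed twice plus one other, hypothetical app.
$sample = @'
List Loopback Exempted AppContainers

[1] -----------------------------------------------------------------
    Name: microsoft.aad.brokerplugin_cw5n1h2txyewy
    SID:  S-1-15-2-CONSTRUCTED-1

[2] -----------------------------------------------------------------
    Name: microsoft.aad.brokerplugin_cw5n1h2txyewy
    SID:  S-1-15-2-CONSTRUCTED-1

[3] -----------------------------------------------------------------
    Name: example.app_0000000000000
    SID:  S-1-15-2-CONSTRUCTED-2
'@ -split '\r?\n'

Get-LoopbackExemptSummary -Lines $sample | Format-List

# On a device, compare the entry count with the installed package count,
# the rough baseline the post uses (700+ entries versus about 70 UWP apps):
# $live = Get-LoopbackExemptSummary -Lines (CheckNetIsolation.exe LoopbackExempt -s)
# '{0} entries, {1} packages' -f $live.TotalEntries, @(Get-AppxPackage).Count
```

Running it before and after the re-add command from the post shows whether the list actually shrank on that device.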

@auto_mate That is very interesting. Thanks for the footwork and even more, for sharing.

Hopefully, this is enough for someone from Zscaler to look at and run with. There were some interesting changes discussed the last two days at ZenithLive 2020 with changes coming to OneClick and smarter exemptions (customers should not have to manage for OneClick). I will be pointing this thread out (again) to our account team during our meeting next week, and see if they can give this some traction internally at Zscaler.

Zscaler have since advised there was a fix for this exact issue in v3.0.2 of the app.

I’ve tested and it does indeed solve the issue, although I suspect there is a bug in the Microsoft checknetisolation tool and Zscaler are just working around that with a more robust method for adding items to the exemption list.

Hi all, I am still facing the same issue with Zapp version 3.1.x.x running on a Windows PC.

Is anyone still experiencing the issues?

Hi, we have the same kind of problem.
Before using Teams, we have to disable ZIA first. Otherwise the users cannot log on.
We use Zapp version 3.5.0.108.

1 Like

After going a while without the app (due to a machine rebuild), I just installed ZCC 3.6.0.26 and it seems I still have the same problem. Outlook occasionally will stop connecting to/downloading email from O365, and Teams may stop showing valid status for me/users.

Hi Rob,
we had the same issues when we used the DTLS Z-Tunnel 2.0.
I can recommend the following configuration for you, as it works totally fine for us:

  • Z-Tunnel 2.0 on Standard TLS settings
  • Pre-defined Bypass for Teams Voice Traffic to ensure a good performance

Try reducing the MTU size as well.