We are seeing a strange issue where some of our private applications are not working through Chrome or Firefox. However, they seem to work on Edge. If we turn off Zscaler and use the old VPN client, the private app works fine on all of the browsers.
Has anyone come across a similar issue?
How are the applications being accessed - short name or FQDN?
Do you have ZIA enabled and in which mode (Tunnel, PAC Enforcement, TWLP)?
Are the applications performing IWA authentication? You might find that Edge is behaving differently to Chrome/Firefox because of this - check the configuration in each of the browsers for Negotiate and NTLM authentication (Trusted Servers, or the Intranet Zone in Edge/IE).
If your ZIA configuration isn’t correct, you can find that your internal applications aren’t being bypassed correctly, which results in them being tunnelled to ZIA. Check the ZCC logs and/or ZIA logs. Note that IE automatically decides that anything that bypasses the proxy is “intranet” and therefore automatically logs on with current username/password.
Chrome has a habit of not appending DNS suffixes correctly. If you're accessing via short name, you might want to check that the DNS suffixes in ZPA are configured with the “domain validation” checkbox enabled.
The ZCC logs should indicate what is happening when you're accessing in IE/Edge/Chrome/Firefox - make the request and see how ZCC identifies the segment.
It looks like most of these apps are performing IWA, which might be causing the issue. I’m going to add a no-timeout policy as described in the following article and see how it goes, as currently, due to the organization's MFA policy, we had to change the timeout frequency to 24 hrs.
OK - make sure you don’t confuse the ZPA reauthentication timer with Chrome’s ability to perform IWA to the web server itself.
IE takes anything which bypasses the proxy as “intranet” zone. However, if you deploy ZCC in Tunnel Mode, the proxy settings disappear (since we’re transparent). As there’s no proxy, there is no proxy bypass, which means all sites are treated as external → so no transparent authentication occurs.
You need to put the sites which previously bypassed the proxy into the Intranet Zone for IWA to occur. Edit the zone and add a wildcard for your intranet sites.
For Chrome you’d set the AuthServerAllowlist or AuthServerWhitelist (depending on the version of Chrome). This is the same setting for Edge (since it’s Chromium-based). However, Edge also appears to take settings from IE (currently) for the Intranet zone.
N.B. For Chrome, also note the “DNSInterceptionChecksEnabled” flag. Chrome attempts to detect captive portals by querying 3 shortnames - and seeing the response it gets back (if it’s the same IP, it assumes there is a captive portal). Since ZPA will intercept the DNS, and append all your DNS Suffixes, you will find that this can produce additional requests through app connectors - I would recommend you disable this function in Chrome since ZCC takes care of captive portal support.
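The three settings from the replies above (Chrome/Edge AuthServerAllowlist, the IE/Edge Local Intranet zone entry, and disabling Chrome's DNS interception checks), as an added example script that is not from the thread or from Zscaler; `corp.example.com` is a placeholder for your own internal DNS suffix, and the script assumes it is run elevated on a Windows test machine.

```powershell
# Added example, not from the thread: apply the browser settings discussed above
# as registry policy, then read them back. corp.example.com is a placeholder.
$IntranetSuffix = 'corp.example.com'

# 1. Chrome / Edge: allow Negotiate/NTLM credentials to be sent to internal hosts.
#    Older Chrome builds read AuthServerWhitelist; set both so either version works.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$EdgePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
foreach ($path in $ChromePolicy, $EdgePolicy) {
    New-Item -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name 'AuthServerAllowlist' -Value "*.$IntranetSuffix" -Type String
    Set-ItemProperty -Path $path -Name 'AuthServerWhitelist' -Value "*.$IntranetSuffix" -Type String
}

# 2. Chrome only: turn off the captive-portal probe (three random short names) that
#    ZPA would otherwise resolve through every configured suffix. 0 = disabled.
Set-ItemProperty -Path $ChromePolicy -Name 'DNSInterceptionChecksEnabled' -Value 0 -Type DWord

# 3. IE / Edge zone map: place the internal suffix in the Local Intranet zone
#    (zone id 1) so IWA still happens when Tunnel mode leaves no proxy bypass list.
#    The value name '*' applies to every scheme (http and https).
$ZoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$IntranetSuffix"
New-Item -Path $ZoneMap -Force | Out-Null
Set-ItemProperty -Path $ZoneMap -Name '*' -Value 1 -Type DWord

# Read the values back so the change can be verified or compared across machines.
Get-ItemProperty -Path $ChromePolicy | Select-Object AuthServerAllowlist, DNSInterceptionChecksEnabled
Get-ItemProperty -Path $EdgePolicy   | Select-Object AuthServerAllowlist
Get-ItemProperty -Path $ZoneMap
```

The zone-map entry above is per user (HKCU); for fleet-wide enforcement use the "Site to Zone Assignment List" group policy instead, which writes the same mapping under the HKLM policy hive.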