Proxy authentication inside PowerShell

Hi everyone,

Hope you may help here.

I’m trying to create a simple Invoke-WebRequest inside PowerShell; the issue is that no matter which method of setting the proxy I choose, ZScaler keeps rejecting the access to the website.

The proxy is set through IE settings, http://URL:80, this proxy works when opening the browser and authenticating using SSO/SAML, however the same is impossible to do through PowerShell.

Specifying -Proxy as well as -ProxyCredential, and entering my SSO credentials, does not seem to work.

Invoke-WebRequest -Uri "https://github.com" -Proxy "http://gateway.zscloud.net:80" -ProxyCredential $Credentials

If I add in -Headers to act as a browser, I get the ZScaler login authentication page.

-Headers @{'Proxy-Connection'='keep-alive';'User-Agent'='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 Edg/103.0.1264.49'}

HTTP/1.1 200 OK
Server: Zscaler/6.1
<!--samlchecks_get.html --><!DOCTYPE html><html><head><title>Welcome To Zscaler Directory Authentication</title><meta name="viewport" content="width=device-width, initial-scale=1"><style type="text/cs…
{@{outerHTML=<img id="cmpy_info" src="https://login.zscloud.net:443/__zsig/Q32M2qt2rUvR4">; tagName=IMG; id=cmpy_info; src=https://login.zscloud.net:443/__zsig/Q32M2qt2rUvR4}}

So even though I’m already authenticated inside the browser, I still receive the SAML authentication page without it redirecting me to the actual destination host.

There are various tunnelling mechanisms that can be used to send traffic to Zscaler, however using Basic auth is not supported as far as I recall.

If you have the ability to use ZTunnel 2.0 with Zscaler Client Connector, this will capture all traffic from the host and send it to a DC - transparently.

If you capture the cookie from the browser and inject it into the request, it could work.

I’ve never run into the need to do this because we run Zscaler Client (ZCC) on our endpoints. If you only need this PS script to run on specific endpoints, consider running ZCC as a simple solution. It completely removes the need for the OS or apps to know there is a proxy and handles all the authentication. Before moving to ZCC, we always had some thick client apps that parsed our PAC file improperly or didn’t support PAC / proxy. And apps which use basic auth (userid / password) are not supported by ZIA's authentication mechanism. All those issues are behind us now with ZCC in use.

One other option for you is to use the non-authenticated proxy port 9480. To use this port, the traffic must be coming from a defined location, not a road warrior: -Proxy "http://gateway.zscloud.net:9480"
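An added example, not code from any poster in this thread, that turns the port 9480 suggestion into a script which also checks for the failure mode shown in the question: Zscaler answers its SAML login page with HTTP 200, so the status code alone cannot tell a real response from an intercepted one. It assumes Windows PowerShell 5.1 (the version that reads the IE proxy settings) and the proxy host and port quoted above; change them for your tenant.

```powershell
# Added example (not from any poster). Assumes Windows PowerShell 5.1 and the
# proxy host/unauthenticated port quoted in the thread; adjust for your tenant.
param(
    [string]$Uri   = 'https://github.com',
    [string]$Proxy = 'http://gateway.zscloud.net:9480'
)

function Test-ZscalerAuthPage {
    # Zscaler serves its SAML login page with HTTP 200, so StatusCode alone cannot
    # tell a real response from an intercepted one. Check the Server header and
    # the page markers that appeared in the question's output instead.
    param([Parameter(Mandatory)]$Response)
    $server  = [string]$Response.Headers['Server']
    $content = [string]$Response.Content
    $markers = @('Welcome To Zscaler Directory Authentication', 'samlchecks_get.html')
    $hit     = $markers | Where-Object { $content.Contains($_) }
    return [pscustomobject]@{
        Intercepted = [bool](($server -like 'Zscaler*') -and $hit)
        Server      = $server
        StatusCode  = [int]$Response.StatusCode
    }
}

try {
    # -UseBasicParsing skips the IE DOM parser (the source of the outerHTML/IMG
    # object in the question) and works on hosts where IE was never configured.
    $resp = Invoke-WebRequest -Uri $Uri -Proxy $Proxy -UseBasicParsing -ErrorAction Stop
}
catch [System.Net.WebException] {
    # A 407 or other non-2xx from the proxy still carries a response worth reading.
    if (-not $_.Exception.Response) { throw }
    $raw  = $_.Exception.Response
    $body = (New-Object IO.StreamReader($raw.GetResponseStream())).ReadToEnd()
    $resp = [pscustomobject]@{
        StatusCode = [int]$raw.StatusCode
        Headers    = @{ Server = $raw.Headers['Server'] }
        Content    = $body
    }
}

$check = Test-ZscalerAuthPage -Response $resp
if ($check.Intercepted) {
    Write-Warning "Proxy $Proxy returned its SAML login page (Server: $($check.Server)); the HTTP $($check.StatusCode) did not come from $Uri."
    exit 1
}
"Reached $Uri through $Proxy (HTTP $($check.StatusCode), Server: $($check.Server))"
```

Run it from a defined location with the 9480 port first; if it still reports interception, the host is being treated as a road warrior and the port trick will not apply.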