Question: how to implement ZScaler proxy-awareness for our application

Hi,

I’m a developer working on a Windows desktop application. Some of our users have reported that they use the ZScaler proxy (with the ZScaler app) in Tunnel with Local Proxy mode.

Our users have indicated that they are unable (or unwilling) to configure application-specific proxy settings using the ZScaler app. Thus, I would like to know: can we make our application “play nicely” with the ZScaler app in Tunnel with Local Proxy mode, without needing the user to make any specific adjustments?

My main concern is that our application uses a TLS socket via openssl, not HTTPS. Most of the discussions I’ve seen on the forum reference HTTPS traffic. Can we implement ZScaler proxy-awareness in our application using a TLS socket through openssl?

Where would we identify the appropriate proxy IP/port to use?

Can we use openssl to open a TLS socket to our server through the ZScaler proxy?

If we can’t use the IE proxy (because it relies on HTTP/HTTPS) and we can’t (or the customer doesn’t want to) use application-specific settings, have we ruled out all the options?

1 Like

Hi,

You can try full tunnel mode instead of tunnel with local proxy.

1 Like

Are you able to leverage system proxy settings in the language you’re using?

2 Likes

@ramesh.yadav @grrttmrtn Our client decided that they don’t want to change their ZScaler configuration at all, so I stopped investigating this route.

For any future readers, it does appear that ZScaler provides several methods that would work fine for our application, but I have not confirmed.

1 Like

Hi Alex,

This would be possible using the latest Ztunnel 2.0 method (which is tunnel mode, not tunnel with local proxy). But there should be no need to take any special considerations, as in that mode we just send packets down the data channel to the cloud.

In Tunnel with Local Proxy, I don’t think this would work because in this mode we are acting like a proxy on the device. We take GET/POST requests from proxy-aware apps, and use CONNECT method tunneling to send them on to the cloud. I’m pretty sure this would not work with a TLS socket connection. With this mode, when people mention “80/443 only” or “HTTP/HTTPS”, what this should actually mean is HTTP/HTTPS traffic that is proxy-aware and proxiable.

Cheers

David

1 Like
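For readers unfamiliar with the CONNECT method tunneling named in the reply above, this is the client side of that handshake in C, as an added example that is not code from this thread or from Zscaler. It builds the request and classifies the proxy's reply before a socket would be handed to OpenSSL; `app.example.com:8443` and the sample reply are constructed values. Whether the local proxy accepts CONNECT for a non-HTTP TLS protocol is not confirmed anywhere in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Build the HTTP CONNECT request that asks a proxy for a raw tunnel to
 * host:port. Returns the request length, or -1 if it does not fit. */
int build_connect_request(const char *host, int port, char *out, size_t cap) {
    int n = snprintf(out, cap, "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
                     host, port, host, port);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Inspect the bytes received from the proxy so far (not NUL-terminated).
 *   0   header incomplete, read more before deciding
 *  >0   2xx reply: tunnel is up; value is the header length, and any bytes
 *       after it already belong to the tunnelled stream
 *  <0   refused: -(HTTP status), e.g. -407 proxy auth required, -403 policy
 *       block; -1 if the reply is not HTTP at all */
int parse_connect_response(const char *buf, size_t len) {
    size_t end = 0;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = i + 4; break; }
    if (end == 0) return 0;
    if (len < 12 || memcmp(buf, "HTTP/1.", 7) != 0 || buf[8] != ' ') return -1;
    int status = 0;
    for (int i = 9; i < 12; i++) {
        if (buf[i] < '0' || buf[i] > '9') return -1;
        status = status * 10 + (buf[i] - '0');
    }
    if (status < 100) return -1;
    return (status >= 200 && status <= 299) ? (int)end : -status;
}

int main(void) {
    char req[256];
    /* Constructed sample values: app.example.com:8443 stands in for the
     * application's own server; the reply is a typical proxy answer. */
    int n = build_connect_request("app.example.com", 8443, req, sizeof req);
    const char reply[] = "HTTP/1.1 200 Connection established\r\n\r\n";
    int rc = parse_connect_response(reply, sizeof reply - 1);
    printf("request bytes: %d, parse result: %d\n", n, rc);
    /* On rc > 0 the same socket is handed to OpenSSL (e.g. SSL_set_fd)
     * and the TLS handshake with the real server runs inside the tunnel. */
    return rc > 0 ? 0 : 1;
}
```

A negative result is worth logging with the status code, since 407 (proxy wants credentials) and 403 (policy refused the destination) call for different fixes on the customer side.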

Hi dcreedy

Thank you for the detailed response. It sounds like the Ztunnel 2.0 method would be applicable; unfortunately, our client apparently prefers not to change anything at all with respect to ZScaler, so we’ve given up on trying to get our application working this way.

We are considering wrapping our traffic in HTTP/HTTPS to facilitate proxy-awareness for enterprise deployments in the future.

For future readers, ZScaler was very helpful on this point, and I think they provided several working options. I’m sure we could have gotten this working with a bit more willingness on the client’s part to make small configuration changes.

1 Like