Sophos 10.0.4 Network Extension App, Big Sur and Zscaler ZCC tunnel issues?

Sophos 10.0.4 has a network extension app (doing some inspection of traffic) that, when installed, seems to block the ZCC tunnel process from binding to port 9000. Basically the ZCC won’t connect and shows a network error until you remove the Sophos extension. Has anyone else had this issue w/ Sophos? How did you get the 2 to play together well? I’m not seeing documentation on Sophos’s side saying it’s trying to use 9000 or even blocking it, but it’s not allowing Ztunnel to start. Also, this all works fine in 10.0.3, so it can’t be the typical whitelist of the process names, etc.

Joshua - not sure if the issue is with port 9000 in particular or any ephemeral ports in general, but if the former, you can change the port ZCC uses from 9000 to something else in the ZCC portal: Administration → Client Connector Support → Endpoint Integration tab → Zscaler Client Connector Listening Port (range: 1024 - 65535).

Mark, thanks, and I know that we can change the port number, but I was wondering more if anyone has run into this w/ Sophos 10.0.4 and what changes they had to make to get them both to play nice. I assume it’s not just 9000 that is being an issue, but it’s more the fact that Sophos is trying to place proxy changes in place w/ their Network Extension App, which is basically a transparent proxy.

Hi Joshua - I found a case where Sophos (and in one case CBL and Spamhaus) had blocked certain Zscaler IP addresses in their reputation block. This occurs sometimes, as Zscaler IPs sometimes fall into ML categories for blocking erroneously. But this could explain why it didn’t happen before and you don’t see any evidence on the local device that Sophos is being blocked. Perhaps Sophos is not getting updates, which causes it to fail, because the cloud component of Sophos is rejecting the Zscaler IP you are going through and not the ZCC client itself.

These were reported 4 days ago, but you may want to look at the public service edge you’ve connected to and check if it is being blocked. If so, use a PAC file to change the PSE you connect to and then retry to make sure that’s the issue.

We have seen examples of an IP address repeatedly blocked (of course they are subsequently removed) - here’s just one example that is cleared now:
