UAC (Unified Access Control) in SRX interoperability with ZPA

We use secured servers protected by UAC (multi-factor authentication) configured in our SRX firewall. In our ZPA we have multiple connectors, so the initial request to the MFA URL is passed by connector 1 and the application uses a random connector (1 to 10). The SRX UAC maintains an auth table that caches the source IP (connector 1) and expects the rest of the connection via the same connector. This breaks the connection since these applications are accessed by different connectors.

Whereas we created an application segment for the MFA URL and the application reachable via a single connector. This way, if multiple users try to connect to the MFA URL, it only authenticates one session and maintains that session. It blocks the rest of the sessions (it might consider the rest of the connections as DDoS).

We couldn't come up with any working scenario in ZPA with UAC. Has anyone faced a similar issue?

Has Zscaler come across this issue with any other customer?

Regards
Ganesh Krishnan

Ganesh, I would like to make sure I have understood the problem statement correctly. For the first scenario, are you seeing different connectors getting selected for the same user?

Yes. A single user first connects to the MFA URL and the firewall captures their IP and username. The firewall expects further requests from the same connector IP, which is not feasible.

Regards
Ganesh Krishnan

Ganesh, you may be experiencing a specific scenario where this user stickiness is not maintained. Do you have a case # I can review to validate if your issue is similar to the one we are aware of?