Undefined User Activity


(obi-wan) #1

Good morning!

I have a question related to identity management and non-browser web activity.

User —> Browser —> [PAC] —> Web —> Zscaler (identity@company.com)

User —> Non-Browser —> [PAC] —> Web —> Zscaler (Enterprise Location Only)

For example, a user received an identity when they visit any website through IE, Chrome, etc., however, if they run a PowerShell script that makes an inbound/outbound connection, I can only see their client ip address, which makes it difficult to correlate back to an individual user due to DHCP leases constantly being updated.

Also, any third party resources loaded in the browser (css, js, etc) do not receive an identity as well, just the location.

I’m wondering if it’s possible to associate a user identity (identity@company.com) to all outbound/inbound web traffic, regardless if the user used their browser or not.

Thanks for reading!

(Adrian Larsen) #2

Hi obi-wan
The best way to solve this problem is to redirect the traffic from the Location using tunnels (ipsec/gre) and to click “Enable Surrogate IP” on the location configuration.
This will associate the Non-Browser transactions to the User logged in on the Browser making easy to identify this type of transactions. In addition to this, you can configure the Association Time matching the DHCP lease time.
Best regards
Adrian Larsen
Maidenhead Bridge

(obi-wan) #3

Hi @Adrian_Larsen,

Thank you very much for your explanation - I’ll report back with my results when implemented.

(David Cooper) #4

Z-App can help too, by providing an authenticated session without a cookie.

(obi-wan) #5

Hi, @David_Cooper!

Yes, I’m currently testing out Zscaler App to remedy this issue. However, I’ve encountered several issues that I’ll explain below.

I’ve tried several options in my preliminary tests:

  1. Installed Zscaler App without passing the token and domain (no internet - PAC file disabled locally)
  2. Installed Zscaler App with token and domain using the following command: msiexec /i "<complete_path>" /quiet DEVICETOKEN=<device_token> USERDOMAIN=<your_organization's_domain> (no internet - PAC file disabled locally)

Zscaler App Admin Portal did recognize my test laptop (device model, OS version, etc.), but alas, no internet connectivity. The connectivity status on the Zscaler App agent displays the following: Endpoint FW/AV Error

Two things that I can think of which might be preventing me from connecting to the internet:

  1. Didn’t configure SAML IdP for Zscaler App - it’s still using ADFS
  2. Firewall is blocking Zscaler App: "Configure your organization’s firewall to allow the necessary connections. For detailed information about the traffic your firewalll must allow, go to https://ips./zscaler_app."

I’ve been following the following documentation, step by step: https://help.zscaler.com/z-app/zscaler-app-step-step-configuration-guide

Do you have any resources that could further assist me?

Thank you for your help.

(Nick Morgan) #6

Sounds like something local on the endpoint is preventing ZApp from connecting to our cloud.

Recommendation here is to raise a support case so they can help you further investigate the error. You can submit a ticket through your admin portal.

To speed up resolution time be sure to include an export of your ZApp logs with the ticket (you can export logs from the Zapp Tray icon)

(Timothy Shaughnessy) #7

I would suggest you review the following - https://help.zscaler.com/z-app/what-zscaler-app-processes-should-i-whitelist - provided you are running AV and FW on your endpoint.

(obi-wan) #8

Hi, @tshaughnessy!

Thank you for sharing this! I’ll give it a try and post my results.

(obi-wan) #9

Hi, @racingmonk!

I’m going to try @tshaughnessy’s recommendation first. If that doesn’t work, I’ll raise a support case.

Thank you for your help.