Use case for F5 application in ZCC installed device

Hello there

My customer uses F5 and ZCC.
When a user runs F5, some weird behavior happens.
So he cannot use F5 and ZCC at the same time.

The current configuration in ZCC is as follows.

Forwarding Profile : Enforce Proxy(Enforce)
Check “Use Automatic Configuration Script”

However, when I opened a ticket to investigate, the cause was a proxy conflict caused by both ZCC and F5.

But our customer found out that no proxy setting had been configured in the F5 application.

What I am looking for are these 2 things below.

  1. To detect the other trigger/application which is pushing proxy settings.
    -> When my customer runs the F5 application, obviously F5 is pushing it though…

  2. Whether changing from Enforce Proxy(Enforce) to None(Apply on Network Changes) is not such a big change.
    -> This might be the solution. But we are afraid that this change will cause some other problem.

I have heard that the F5 application cannot be used in Enforce Proxy or in TWLP mode.

Therefore, 1 does not matter that much.
I am looking for the differences regarding 2, if anyone knows.

Regards,
Tokio

I was just discussing this with an F5 supported vendor due to a similar issue in my company.

The F5 client overwrites the PAC file when connected.
If a PAC file exists on the user's PC, the F5 client adds 1 line to the PAC and applies the modified PAC during the connection.
It cannot be avoided by F5 configuration.

So Enforce Proxy, TWLP mode and Tunnel(Enforce) do not work due to the conflict.

  1. When ZCC enforces the proxy in any mode, a conflict with F5 will occur.
    So None(Apply on network changes) or Tunnel(Apply on network changes) will work.
    Maybe Tunnel(Never) also works.

    The difference between Enforce Proxy(Enforce) and None(Apply on Network Changes) is simply the proxy handling.
    Enforce Proxy always tries to enforce the proxy setting.
    Apply on network changes pushes it only one time when ZCC detects network changes, so it will work even if any GPO/VPN client like F5 enforces a proxy.
    Users or other systems can change the proxy setting in “None(Apply on network changes)”, so there are some risks.
    But if only F5 is pushing the proxy, I think it may work.

Hi Jun

Thanks for your response and information.

Since I personally do not have the F5 application, this case had been so difficult to progress further.

First of all, when the user runs F5, it automatically overwrites the PAC file even though a proxy is not configured in F5.

Second of all, in this case a proxy conflict will be caused by both F5 and ZCC when the Proxy Action Type is set to “Enforce” for the Forwarding Profile in ZCC.

In conclusion, F5 cannot be used under the following conditions:
・Tunnel Mode (Enforce PAC File)
・Tunnel with local proxy Mode (PAC File)
・Enforce Proxy Mode (Enforce PAC File)

To avoid this, it must be configured on the ZCC side.

>Users or other systems can change the proxy setting in “None(Apply on network changes)”, so there are some risks.
When it comes to the risks, I might need to open a ticket to check them w/ the Zscaler operator then.

Anyway, I really appreciate your response. That was amazingly helpful.
Regards,
Tokio
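
For the first question in the thread (finding which application pushes proxy settings) and the risk raised for None(Apply on network changes), registry-write telemetry shows which process changed the proxy values. This is an added example, not part of the original posts and not Zscaler or F5 code; it assumes Windows endpoints with Sysmon registry logging (Event ID 13) covering the Internet Settings key and exported as XML, and the process paths, SID and PAC URLs in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# WinINET per-user proxy values: PAC URL, static proxy, on/off switch, bypass list.
PROXY_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\"
    r"(AutoConfigURL|ProxyServer|ProxyEnable|ProxyOverride)$", re.IGNORECASE)

# Constructed sample export: two proxy writes and one unrelated registry write.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 09:00:00.000</Data>
<Data Name="Image">C:\Program Files\ExampleForwarder\agent.exe</Data>
<Data Name="TargetObject">HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</Data>
<Data Name="Details">http://pac.example.test/forwarder.pac</Data></EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 09:05:12.000</Data>
<Data Name="Image">C:\Program Files\ExampleVpn\vpnclient.exe</Data>
<Data Name="TargetObject">HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL</Data>
<Data Name="Details">file://C:/Users/u/AppData/Local/Temp/example.pac</Data></EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 09:06:00.000</Data>
<Data Name="Image">C:\Windows\System32\svchost.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Example\Setting</Data>
<Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>
</Events>"""

def proxy_writes(events_xml, expected_images=()):
    """Return (time, image, value_name, new_data, is_expected) per proxy-setting write."""
    expected = {p.lower() for p in expected_images}
    hits = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "13":
            continue  # only "registry value set" events carry the new data
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        m = PROXY_VALUE.search(data.get("TargetObject", ""))
        if m:
            image = data.get("Image", "")
            hits.append((data.get("UtcTime", ""), image, m.group(1),
                         data.get("Details", ""), image.lower() in expected))
    return hits

if __name__ == "__main__":
    for hit in proxy_writes(SAMPLE, [r"C:\Program Files\ExampleForwarder\agent.exe"]):
        print(hit)
```
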