Hello everyone,
I hope somebody can explain this situation to me.
I am connected and authenticated to a ZIA Public Service Edge, and I want to know which SSL certificate I get when I visit Google in my browser.
Based on my knowledge, when I hit google.com in the browser (Zscaler is configured as an explicit proxy, so all the traffic goes to Zscaler):
The browser will establish a session with Zscaler (TCP handshake + TLS handshake and then an HTTPS request); this communication is based on an SSL certificate signed by Zscaler.
The Zscaler server will establish a session with the Google web server (TCP handshake + TLS handshake and then an HTTPS request), based on the Google SSL certificate.
So, obviously, I get a certificate that is signed by Zscaler because I am using the Zscaler proxy for communication.
But when I tested the situation above, I don’t see a Zscaler certificate when I visit google.com; I only see an SSL certificate that is signed by Google, not Zscaler.
Aside from disabling IPv6 on the client (which I would not recommend), there is a setting in the app profiles (you are using ZCC, right?) called ‘Prioritize IPv4 over IPv6’.
Enable that and your client should first try to connect with IPv4 and, only if that doesn’t work, IPv6.
When you connect to a website/resource on the internet which is reachable via BOTH IPv4 and IPv6, it depends on the client which of the two it uses.
If it chooses to use IPv6 and the ZS cloud you are using is not yet fully IPv6 ready, essentially that connection simply bypasses Zscaler as a whole.
If you are a Win user, IPv4/IPv6 prio can also be set this way:
But it’s not like my case because I am using IPv4 and the server that I reached is using IPv4 as well (I tested by reaching a specific server that I know).
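
Added example, not part of any post in this thread: a Python check that reports the two things discussed above for one connection, namely who issued the certificate the client received and whether the connection used IPv4 or IPv6. The `marker` substring and the issuer names in the samples are constructed assumptions. `probe()` opens a direct socket and ignores browser proxy or PAC settings, so it only reflects the inspected path when traffic is forwarded at the network level (for example by a client tunnel).

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}

def classify(cert, family, marker="zscaler"):
    """Summarise issuer and IP version for one TLS connection.
    `marker` is an assumption: a substring expected in the inspecting CA's name."""
    issuer = issuer_fields(cert)
    names = " ".join(issuer.get(k, "") for k in ("organizationName", "commonName"))
    return {
        "issuer": names.strip(),
        "inspected": marker.lower() in names.lower(),
        "ip_version": 6 if family == socket.AF_INET6 else 4,
    }

def probe(host, port=443, timeout=5):
    """Connect to host and classify the certificate actually presented.
    Raises ssl.SSLCertVerificationError if the issuing CA is not trusted by
    Python's trust store, which is itself a sign of an unexpected issuer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify(tls.getpeercert(), tls.family)

# Constructed samples in the shape getpeercert() returns (not captured data).
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Issuing CA 1"),))}
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Zscaler Inc."),),
                               (("commonName", "Zscaler Intermediate Root CA"),))}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify(SAMPLE_DIRECT, socket.AF_INET6))
    print(classify(SAMPLE_INSPECTED, socket.AF_INET))
    # On a live client: print(probe("google.com"))
```

A result with `inspected: False` together with `ip_version: 6` matches the bypass described in the reply; `inspected: False` over IPv4 points to something else, such as an SSL inspection policy that exempts the destination.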