Which SSL certificate I get

Hello everyone,
I hope somebody explains to me this situation.

I am connected and authenticated to a ZIA Public Service Edge, and I want to know which SSL certificate I get when I visit Google in my browser.

Based on my knowledge, when I hit google.com in the browser (Zscaler is configured as an explicit proxy, so all the traffic goes to Zscaler):

  1. The browser will establish a session with Zscaler (TCP handshake + TLS handshake and then an HTTPS request); this communication is based on an SSL certificate signed by Zscaler.

  2. The Zscaler server will establish a session with the Google web server (TCP handshake + TLS handshake and then an HTTPS request), based on the Google SSL certificate.

So, obviously, I get a certificate that is signed by Zscaler because I am using the Zscaler proxy for communication.

But when I tested the situation above, I don’t see a Zscaler certificate when I visit google.com; I only see an SSL certificate that is signed by Google, not Zscaler.

Can somebody help me, please?

If you are using the Chrome browser, try disabling the QUIC protocol.

I disabled the QUIC protocol but nothing changed.
May I know what the impact of QUIC on that is?

Can you rule out that IPv6 was used when connecting to google.com?
(Especially when you are on the zscalertwo.net cloud, as that one is not yet on v6.2.)

How can I rule out IPv6? Do you have a guide, please?

Aside from disabling IPv6 on the client (which I would not recommend), there is a setting in the app profiles (you are using ZCC, right?) called ‘Prioritize IPv4 over IPv6’.
Enable that and your client should first try to connect with IPv4, and only if that doesn’t work, with IPv6.

No, I am not using ZCC. I am using an explicit proxy to forward the traffic.

But what does that have to do with the cert?

When you connect to a website/resource on the internet which is reachable via BOTH IPv4 and IPv6, it depends on the client which of the two it uses.
If it chooses to use IPv6 and the Zscaler cloud you are using is not yet fully IPv6 ready, that connection essentially bypasses Zscaler as a whole.

If you are a Windows user, the IPv4/IPv6 priority can also be set this way:

But that’s not my case, because I am using IPv4 and the server that I reached is using IPv4 as well (I tested by reaching a specific server that I know).

I just want to double-check:
I am supposed to get the Zscaler cert, not the destination cert, right? Because it’s proxy-based com

Any help, please?
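
The check discussed in this thread can be made outside the browser by opening a CONNECT tunnel through the explicit proxy and reading the issuer of the certificate that comes back. This is an added example, not part of any post above; the marker string, the sample certificates and the function names are assumptions made for illustration, and the proxy's root CA is assumed to be in the trust store Python uses (otherwise the handshake raises `ssl.SSLCertVerificationError` before the issuer can be read).

```python
import socket
import ssl
import sys

# Assumption: substring expected in the issuer of a proxy-generated certificate.
INSPECTION_MARKERS = ("zscaler",)

# Constructed getpeercert()-style samples, not captured from a real session.
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA 1"),))}
SAMPLE_PROXY = {"issuer": ((("organizationName", "Zscaler Inc. (constructed)"),),
                           (("commonName", "Inspection CA (constructed)"),))}

def issuer_pairs(cert):
    """Flatten the nested 'issuer' tuple of getpeercert() into (field, value) pairs."""
    return [pair for rdn in cert.get("issuer", ()) for pair in rdn]

def classify(cert, markers=INSPECTION_MARKERS):
    """Return 'inspected' if any issuer field names the proxy CA, else 'not inspected'."""
    text = " ".join(value for _, value in issuer_pairs(cert)).lower()
    return "inspected" if any(m in text for m in markers) else "not inspected"

def cert_via_proxy(proxy_host, proxy_port, target, timeout=10):
    """CONNECT to target:443 through an explicit proxy and return the leaf certificate."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {target}:443 HTTP/1.1\r\nHost: {target}:443\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or parts[1] != b"200":
        sock.close()
        raise ConnectionError(f"proxy did not open the tunnel: {parts!r}")
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(sock, server_hostname=target) as tls:
        return tls.getpeercert()

if __name__ == "__main__":
    # Usage: python check_issuer.py <proxy-host> <proxy-port> <target-host>
    cert = cert_via_proxy(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(issuer_pairs(cert), "->", classify(cert))
```

Because the script always uses TCP to the proxy address it is given, its result reflects what the proxy does with that host, independent of browser-side choices such as QUIC or IPv6 preference.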