is anyone using Autopilot with zscaler (successfully)?
Currently we are bypassing zscaler and everything works fine. However after routing the traffic to zscaler (PBR through an IPSec Tunnel) the device registration stucks with no specific error message from Windows.
SSL and Authentication bypass is done. No blocks or errors in the zscaler logs.
Would you be able to share your feedback in 1-2-1 on list of url or domains you took into consideration as we see urls or domains change every day and difficult to have it continued running service for autopilot
There is no real way to get around SSL or AUTH bypasses for Autopilot unless you can pre-load the certificate you are using to decrypt the SSL traffic.
Even then you might still need to Authenticate bypass the FQDN’s that Autopilot is using.
To get around it you can either create a Location with no enforced Authentication and SSL inspection. or run a bypass list.
Hi, we are yet to get autopilot provisioning to work on the lan as all no-auth traffic is blocked by default. So until the user can authenticate with Z via the client connector, all traffic seemingly is blocked apart from certain URL’s required for SSO to sites.
We’re using a ZPA proxy which enables us to build off network and authenticate with the DC but this is only helpful when your off network, and we face the same issues when we plug the device back into the LAN. Any ideas?
The vast majority of Enterprise Applications are Certificate pinned ----- by the vendor — in some cases you can bring your PKI to the table for use — however ------ most do not do that ---- they enforce full logging on the cert pined apps — and have executive leadership accept the risk of the bypass to the Zscaler Platform ------
Tenable is a good example of vendor that is opposed to any and all SSL interception on their deployed product – while another vendor in the same vertical Qualys is not -------
Microsoft non-Office 365 versions of the Office Suite and Exchange Online — totally cert pinned ---- the Tenant directed installed client that auto updates — not fully pinned and plays actually much nicer with Zscaler ----
DocuSign ----- totally cert pinned ---- does not like interception at all ----- look at your Advanced Sandbox for DocuSign — same file - same name - every touch new cert - new hash —
Box Sign ---- allows bring your own PKI and works fine with Zscaler ----
it all comes down to choices ----- and acceptance of Risk -----