Hello Zscaler Community,
I would like to check with the community whether anyone has experienced an issue during deployment as we did, and how you managed to overcome such a problem.
Summary:
We bought ZIA for all of our users and are in the process of deployment, but we have a big blocker during this process: we are experiencing a quite weird issue with the yellow triangle or globe icon (depending on the Windows 10 build version). This problem does not appear when we are off the VPN (Cisco AnyConnect), but as soon as we connect, a yellow triangle appears and causes all O365 applications not to work. On the other hand, internet connectivity is all normal, but it seems that the Windows NCSI process is failing to do its job.
What we have in our setup is ZAPP 2.1.2.81; we have on-prem VZEN deployed our LB and having a dual-arm setup. VZEN is only handling local web traffic and some public websites that allow only our public IP, so we are anchoring that through VZEN.
Configuration-wise, we have an App Profile with the default PAC file that is responsible for internet traffic and routes everything through Ztunnel 1.0. Nothing fancy there except a couple of bypasses for URLs or routing something to go via the on-prem VZEN.
Next to that, we have a Forwarding Profile with Packet Filter + tunnel mode, and we are enforcing the PAC file on the users via the ZAPP. In that PAC file we have routing based on SRC and DST IPs for certain countries to go via their own VZENs.
In the beginning this issue with NCSI was present on all Windows 10 machines as soon as they connected to the VPN, but later on we added a line in the PAC file, which I will share below, that we believed fixed the issue.
// MS
if (shExpMatch(host, "activation.sls.microsoft.com") ||
    shExpMatch(host, "officecdn.microsoft.com") ||
    shExpMatch(host, "*.msftconnecttest.com") ||
    shExpMatch(host, "*.msftncsi.com") ||
    shExpMatch(host, "*.msedge.net") ||
    shExpMatch(host, "*.c-msedge.net") ||
    shExpMatch(host, "msftncsi.com")) {
    return "PROXY ${GATEWAY_FX}:443; PROXY ${SECONDARY_GATEWAY_FX}:443; DIRECT;";
}
Once we added this to the Forwarding Profile PAC file, it fixed the issue so far for Windows 10 build 1909, but as the majority of our machines are on build 1809, it still remains unresolved for them.
From our firewall perspective, there is no blocking of any kind toward MS domains or IPs that are used for testing whether there is internet or not (NCSI probes).
One interesting finding was that if we disable automatic probing in the registry and restart the Network Location Awareness service, the yellow triangle is gone even when you are connected to the VPN. But this is not a solution, since even if you don't have internet it will show the normal icon as if you had it.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
NoActiveProbe = 0
So I am curious whether anyone in the community has experienced such an issue, and how did you guys fix it?
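Added example, not part of the original post: a small Node.js harness that evaluates the PAC rule quoted above against NCSI probe hostnames, so you can check offline which names the rule actually covers. The `shExpMatch` stand-in, the gateway names replacing the `${GATEWAY_FX}` macros, the `NO_RULE_MATCHED` sentinel and the host list are assumptions made for this example.

```javascript
// Stand-in for the PAC helper shExpMatch: shell-style glob,
// where * matches any run of characters and ? matches exactly one.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed placeholders for the ${GATEWAY_FX} / ${SECONDARY_GATEWAY_FX} macros.
const GATEWAY = "gateway.example.invalid";
const SECONDARY = "secondary.example.invalid";

// The rule from the post. The rest of the PAC file is not shown there,
// so every other host returns a sentinel instead of a real proxy decision.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "activation.sls.microsoft.com") ||
      shExpMatch(host, "officecdn.microsoft.com") ||
      shExpMatch(host, "*.msftconnecttest.com") ||
      shExpMatch(host, "*.msftncsi.com") ||
      shExpMatch(host, "*.msedge.net") ||
      shExpMatch(host, "*.c-msedge.net") ||
      shExpMatch(host, "msftncsi.com")) {
    return "PROXY " + GATEWAY + ":443; PROXY " + SECONDARY + ":443; DIRECT;";
  }
  return "NO_RULE_MATCHED";
}

// NCSI probe hostnames to check (list assembled for this example).
// The bare msftconnecttest.com entry is included to show the glob edge case:
// "*.domain" does not match the domain itself.
const PROBE_HOSTS = [
  "www.msftconnecttest.com",
  "ipv6.msftconnecttest.com",
  "dns.msftncsi.com",
  "www.msftncsi.com",
  "msftncsi.com",
  "msftconnecttest.com",
];

// Returns the hosts that fall through the rule.
function unmatched(hosts) {
  return hosts.filter(
    (h) => FindProxyForURL("http://" + h + "/", h) === "NO_RULE_MATCHED");
}

console.log("Hosts not covered by the rule:", unmatched(PROBE_HOSTS));
```
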