Z-App (Tunnel Local Proxy) not catching Office 365 installation/activation flows?

office365

(Vincent GOUBERT) #1

Hello,

I have an issue running Z-App in tunnel with local proxy:

In some countries (I don’t know why), the Office 365 installer and/or the Office 365 activation does not work (network failed).

By looking into a packet capture, it looks like it is not following the settings in the PAC files (nothing set about Microsoft’s servers there).

What is even more strange is that it is working perfectly in other countries (like in France).

The network configuration is the same worldwide: the only way to access the internet is to reach a ZEN.

Has anyone already met such an issue?

The countries impacted are Panama & Italy.

There is already a ticket opened at Zscaler Support (ID 542992), but it seems that this issue is stuck for a long time now.

Regards,
Vincent.


(David Creedy) #2

Hi Vincent,

I’ll have a look at the ticket.

I can shed some light on a couple of things here though. Microsoft apps will follow WinHTTP Proxy settings before WinINET (Z App uses WinINET). So there can be issues if a WinHTTP proxy was configured, this might make the office apps follow that instead of Z App’s proxy. Additionally, Z App has a “Restart WinHTTP Service” setting. Generally we use this for troubleshooting, but I have seen in the past that on a system boot, as everything is coming online, Z App restarts the WinHTTP service while Office Apps are trying to use it. This causes the apps to delay. So if it’s enabled, I’d recommend disabling that setting and testing again.

Another question, have you noticed at all when you see this problem if the Windows Network Location Awareness is in an error state? This is usually the system tray showing a warning icon over the network connection. If so, there might be some bypasses needed. The NLA service reaches out to known Microsoft endpoints, www.msftconnecttest.com, and www.msftncsi.com (depending on the OS version), if it can’t reach these (important: whether there is actual internet connectivity or not!) it will show the warning icon on the network adapter. The unfortunate thing here is that Office Applications don’t actually test their own connectivity, they simply look at the NLA flag and if it’s in a warning state, they simply won’t try to connect (again, whether there is connectivity or not). If this is the case, you could try bypassing those addresses in Z App’s logic.

Hope this helps!

Regards

David
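
A read-only way to check the three points raised in the reply above on an affected Windows machine (added example, not from the thread or from Zscaler; the probe paths and expected response bodies are the standard NCSI values and are assumptions not stated on this page):

```powershell
# Added example: read-only checks, run in the affected user's session.
# Probe URLs/bodies below are the standard NCSI values (assumption, not from the thread).

# 1. WinHTTP proxy: machine-wide; the reply above says Microsoft apps follow it first.
#    netsh output is localized, so it is shown rather than parsed.
netsh winhttp show proxy

# 2. WinINET proxy: per-user settings, the stack Z App uses according to the reply.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inetKey |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride

# 3. NLA verdict per adapter: anything other than 'Internet' is the warning state.
Get-NetConnectionProfile | Select-Object InterfaceAlias, IPv4Connectivity

# 4. Fetch each NLA probe twice: direct, and through the system (WinINET) proxy.
function Test-NlaProbe {
    param([string]$Url, [string]$Expected, [bool]$UseSystemProxy)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 5000
        if ($UseSystemProxy) {
            $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
        } else {
            $req.Proxy = New-Object System.Net.WebProxy   # empty proxy = go direct
        }
        $resp = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body = $reader.ReadToEnd()
        $resp.Close()
        return ($body.Trim() -eq $Expected)
    } catch {
        return $false   # blocked, timed out, or intercepted
    }
}

$probes = @(
    @{ Url = 'http://www.msftconnecttest.com/connecttest.txt'; Body = 'Microsoft Connect Test' },
    @{ Url = 'http://www.msftncsi.com/ncsi.txt';               Body = 'Microsoft NCSI' }
)
foreach ($p in $probes) {
    [pscustomobject]@{
        Probe       = $p.Url
        Direct      = Test-NlaProbe $p.Url $p.Body $false
        SystemProxy = Test-NlaProbe $p.Url $p.Body $true
    }
}
```

A probe that fails in the Direct column but succeeds in the SystemProxy column, on a machine whose adapter is not reporting `Internet`, points at the NLA bypass question rather than at the WinHTTP setting.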


(Vincent GOUBERT) #3

Hello David,

Thanks a lot for your feedback.

I’ll try to disable the WinHTTP restart option for those countries.

We did have the issue about the Windows Network Location Awareness, which was solved by putting the links in the No Authentication list and by forcing Z-app to send those links to Zscaler.

On the OS part, there is no WinHTTP proxy set by default (no proxy setting): we tried to put “gateway.zscloud.net:80” and it works perfectly, but I don’t think that it is a suitable solution as it will also catch internal apps.

I’ll ask the concerned local IT to try again after disabling the WinHTTP restart option.

Could you please keep me in touch if you have any clue?

Thanks a lot,
Regards,
Vincent.


(David Creedy) #4

Hi Vincent,

Yes, I’ll update you. Can you also let me know here if the WinHTTP Restart setting makes a difference?

Regards

David


(Vincent GOUBERT) #5

Hi David,

For sure, I’ll keep you in touch :)

Have a good day,
Regards,
Vincent.


(Vincent GOUBERT) #6

Hello David,

Do you have any news on your side?

I can confirm that the issue is linked to “activation.sls.microsoft.com”, which seems to use WinHTTP and which is not caught by Z-App.

The ticket is not evolving so far…

Thanks in advance,
Regards,
Vincent.


(Ramesh M) #7

Hi Team,
Recently I came across the same situation and the issue was fixed after changing the forwarding mode to tunnel only.

Regards / Ramesh M


(Vincent GOUBERT) #8

Hello Ramesh,

What is weird in this case is that all other countries of this customer (France/UK/US/Italy/Dubai/etc…) are using Z-App Tunnel with Local Proxy mode, and it works as expected.

Regards,
Vincent.


(Eldhose Paul) #9

I’m also getting a similar error: Office 365 apps do not work when LAN shows ‘No internet’; however, it works fine if I change the forwarding method to Tunnel.

Wireshark capture shows msftconnecttest goes direct to the internet, not through Zscaler. Is this expected behaviour?
I only see the issue when I’m on LAN; the issue goes away with Wifi…

Regards,
Eldhose


(David Creedy) #10

Hi Eldhose,

It sounds like in your scenario your LAN’s network might be blocking the connection.
In Tunnel with Local Proxy, these connection tests might not follow system proxy settings, meaning they go direct from the machine, however in tunnel mode this is being tunneled out through to our cloud and can then reach the destination. Can you try to access those URLs from a machine on the LAN without Z App?

If this works, please raise a support ticket so we can have engineering look over it.

Regards

David


(Eldhose Paul) #11

Hello David,
Thanks for the reply, a support case is already raised and it’s being investigated (631532).

Can you brief me on how Z-App behaves in Tunnel and Tunnel with Local Proxy mode? I have gone through the documentation, but wanted to get more understanding about how it handles the traffic.

Regards,

Eldhose


(David Creedy) #12

Hi Eldhose,

Perhaps it would be best to have a call to walk through the different forwarding modes.

I’ll PM you and we can coordinate.