ZApp and VPN client


(Samantha) #1

I have a SonicWALL VPN client on my device and downloaded the Zscaler App.
When I turn on the VPN client, the Zscaler App status says “Connection Error Off-trusted network”.

As for settings, when the ZApp recognizes the “trusted network” and “VPN trusted network” (under certain DNS), the ZApp is supposed to be turned off. Whereas, when in “Off trusted network” the ZApp is supposed to turn on.
But it seems that the VPN client is in full-tunnel mode, thus all traffic would be defined as “trusted network” even when it’s really supposed to be “off trusted network”.

What do I need to set up in order to make it work right?


(Jones Leung) #2

Hi Ririka,

You can find more info about VPN interop with ZApp here:

https://help.zscaler.com/z-app/best-practices-zscaler-app-and-vpn-client-interoperability

Zscaler recommends customers deploy VPN in split tunnel mode, so that users will not suffer from VPN backhauling and get the best internet access performance through direct access.

If full tunnel is mandatory somehow, please note that as part of the VPN trusted network detection we will check the turned-on VPN interface description for a few keywords such as “vpn”, and also any added default route. These help us to understand that the user is on a VPN trusted network instead of a pure trusted network (which is normally for office network detection).

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Samantha) #3

Hi Jones,

Thanks for your reply.

I understand that it’s better to use the split-tunnel mode.

But there’s one thing I am confused about for the full tunnel mode.

Because all the traffic would be captured by the VPN client (even if Zscaler recognizes the VPN client),

does that mean no traffic would ever be sent to Zscaler?

And does that also mean we cannot make a setting where we can have it work like the split-tunnel mode?

I’m sorry if I’ve got the wrong idea in this question.

I’m very confused.


(Jones Leung) #4

Hi Samantha,

I think your goal here is to send all traffic (including internet traffic) back to the VPN gateway when the SonicWall VPN client is on. In that case we should not have the ZApp tunnel on at the same time, and so we need ZApp to be aware that the SonicWall VPN is on. Once ZApp realizes it is in a VPN trusted network, the corresponding forwarding profile will be applied.

Some customers will simply turn off the ZApp tunnel when the VPN is on if the office network behind the VPN gateway does have a tunnel to the Zscaler cloud for internet access. Some customers may apply a PAC file to the browser when the VPN is on to have traffic reach Zscaler. It really depends on how your office network is designed to send traffic to the Zscaler cloud.

If you actually want to have the VPN only cover internal traffic, we need the VPN solution to be configured to use split tunnel mode, and in the ZApp portal to bypass all traffic to that VPN gateway(s). In that case the VPN and ZApp tunnel will never try to cover the same set of traffic. When the VPN is off, ZApp will cover all internet-bound 80/443 traffic; when the VPN is on, the VPN client will pick up internal traffic while ZApp will still pick up only internet-bound port 80/443 traffic.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler
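As an added illustration of the detection checks Jones describes in #2 (VPN keyword on an up adapter, an added default route, otherwise the trusted-network DNS check) and of the split-tunnel traffic division in #4, here is a small Python model. It is not Zscaler's or SonicWall's code; the keyword list, the DNS-suffix check, the route fields and the sample adapters and routes are constructed assumptions.

```python
# Added model of the checks the thread describes (VPN keyword on an up adapter,
# extra default route, trusted DNS suffix) and of the resulting traffic split.
# Not Zscaler's or SonicWall's code; keywords and sample data are assumptions.
from collections import namedtuple
import ipaddress

Adapter = namedtuple("Adapter", "name description up")
Route = namedtuple("Route", "destination interface")   # destination is CIDR
VPN_KEYWORDS = ("vpn", "sonicwall")   # assumed list; the thread cites "vpn"
INTERNET_PORTS = {80, 443}            # ports ZApp picks up per the thread

def vpn_adapters_up(adapters):
    """Names of up adapters whose description carries a VPN keyword."""
    return [a.name for a in adapters
            if a.up and any(k in a.description.lower() for k in VPN_KEYWORDS)]

def classify(adapters, routes, trusted_suffix, current_suffix):
    """'vpn_trusted' beats 'trusted' (DNS suffix match) beats 'off_trusted'."""
    defaults = [r for r in routes if r.destination == "0.0.0.0/0"]
    if vpn_adapters_up(adapters) or len(defaults) > 1:   # VPN adapter or added default
        return "vpn_trusted"
    if current_suffix.lower() == trusted_suffix.lower():
        return "trusted"
    return "off_trusted"

def is_full_tunnel(adapters, routes):
    """Full tunnel when a default route leaves through a VPN adapter."""
    vpn = set(vpn_adapters_up(adapters))
    return any(r.destination == "0.0.0.0/0" and r.interface in vpn for r in routes)

def who_handles(dst, port, adapters, routes):
    """Which path picks up a flow in split-tunnel mode: 'vpn', 'zapp' or 'direct'."""
    vpn = set(vpn_adapters_up(adapters))
    ip = ipaddress.ip_address(dst)
    # Longest-prefix match over the route table, as the host's stack does.
    best = max((r for r in routes if ip in ipaddress.ip_network(r.destination)),
               key=lambda r: ipaddress.ip_network(r.destination).prefixlen, default=None)
    if best is not None and best.interface in vpn:
        return "vpn"       # the VPN owns this prefix; ZApp must bypass it
    return "zapp" if port in INTERNET_PORTS else "direct"

# Constructed sample: Ethernet plus a SonicWall split-tunnel VPN adapter.
ADAPTERS = [Adapter("Ethernet", "Intel(R) Ethernet Connection", True),
            Adapter("NetExtender", "SonicWall NetExtender VPN Adapter", True)]
SPLIT = [Route("0.0.0.0/0", "Ethernet"), Route("10.0.0.0/8", "NetExtender")]
FULL = SPLIT + [Route("0.0.0.0/0", "NetExtender")]   # full tunnel adds a default
```

Feed it the real adapter descriptions and route table from the client (for example from `Get-NetAdapter` and `Get-NetRoute` on Windows) to see which state the heuristics would land in before and after adding the keyword or route Jones mentions.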


(Samantha) #5

Jones,

Thank you for the explanation. I understand now.

I have another question.
As you mentioned, I want the Zscaler App to be turned off when I turn ON the SonicWall SMA. The SMA is set as full-tunnel mode, and I have not added the mentioned settings yet (adding keywords such as “vpn” or setting a default route). In such case, what is the predicted path of traffic?

Right now, what happens is that when I turn the SMA on while the Zscaler App is turned on, the Zscaler App shows an error saying “Connection error” and does not turn off. But I cannot go search the internet in this condition, for Zscaler is not picking up any traffic, and the SMA is not picking up any internet traffic either.


(Jones Leung) #6

Hi Samantha,

In that case ZApp will think the PC is off the trusted network and try to use the corresponding method to forward traffic.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Jones Leung) #7

Well, actually I should say ZApp will do the normal checking and see if the PC is on an off-trusted or on-trusted network. Because once the VPN is on, we may be able to tell the user is in a trusted network.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler

HK: +852 9463 6204

TW: +886 983 904 288

China: +86 186 8156 3905


(Samantha) #8

Thanks for the reply.
I understand that ZApp tries to go check if the PC is on an off-trusted or on-trusted network.
But how come there’s an error saying there’s a connection error?
I assumed that ZApp would either show that it’s on or it’s off, not an error.


(Scott Bullock) #9

Hi Samantha,
Connection Error could happen for a number of conditions; it seems like Zscaler App is not able to connect to the cloud while the VPN is up, so there’s a conflict somewhere we should be able to resolve with configuration. I’ve seen these with other VPN clients in the past, though I haven’t personally touched a SonicWall integration.

Do you have a Zscaler support case open? They will be able to review the logs in detail and help suggest the best path forward. Best to have your app profile set to debug too; this will glean the most logs for analysis.

Cheers,
@skottieb:)


(Samantha) #10

Thanks for the advice.
I will consider opening a support case.

Thank you for your support.