Zapp configuration best practice to use with Exchange Online

Hi folks,

Hope you're doing great. We recently started the trial of the ZApp tool and I'm facing some recurrent connection issues while remote (out of office) with Exchange Online.

I get disconnected from the Exchange Online server (connected through Outlook 2019) and I can't reach it anymore until I disconnect the ZApp tool.

It’s not very convenient.
I've read some documentation and asked our Zscaler vendor for assistance, but they seem to struggle to find a solution.

Our setup is based on Kerberos auth with SSL inspection.

So far, we have implemented the following:
Advanced Settings => Authentication Exemptions: roaming.officeapps.live.com
SSL Inspection => Exemption hosts: Autodiscover.ourdomain.com & autodiscover.ourdomain.onmicrosoft.com
URL & Cloud App Control => Enable Microsoft-Recommended One-Click 365 Configuration => Activated

On the ZApp config:
Forwarding Profile => Custom
Trusted Network Criteria => our internal DNS servers are set
Windows Driver Selection => Packet Filter Based
Forwarding Profile for ZIA =>
On trusted network => Enforce Proxy (System proxy settings)
VPN Trusted Network => Tunnel with Local Proxy (System proxy settings)
Off Trusted Network => Tunnel with Local Proxy (System proxy settings) => defined pac file

On the ZApp Policy, it's just a different PAC file than Off Trusted Network, to allow connecting to our infrastructure via the VPN client.

Any thoughts?
Looking forward to hearing from you.
Dave

Exceptions: do not forward any company-hosted URLs, such as
http*://lyncdiscover*.example.com*
https://example.com/autodiscover/autodiscover.xml
https://autodiscover.example.com/autodiscover/autodiscover.xml
Create an exception list in the forwarding PAC file, enforce the PAC, and go DIRECT for those.

1 Like

Hey

Thanks a lot for your kind reply. I've tried your suggestion but I'm still having issues connecting via Outlook to outlook.office365.com.

As said before, we are authenticating through Kerberos. I ran Wireshark on my computer and I get the following error:

I've added an exclusion in the PAC file for this, but it doesn't work.

function FindProxyForURL(url, host) {
    // Exceptions: these hosts bypass the Zscaler proxy and go DIRECT
    if ((shExpMatch(host, "login.microsoftonline.com")) ||
        (shExpMatch(host, "autodiscover.domain.com")) ||
        (shExpMatch(host, "autodiscover-s.outlook.com")) ||
        (shExpMatch(host, "www.zscaler.com")))
        return "DIRECT";
    // ... remaining forwarding rules follow
}

This is clearly the issue here, as the computer tries to reach the realm zscloud.net and gets a 407 unauthorized.
How should I proceed to tackle this?
Cheers
Dave
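To tie the earlier suggestion (keep company-hosted autodiscover/lyncdiscover URLs off the proxy) together with the host fragment posted above, here is a complete forwarding PAC as an added example; it is not code from this thread nor Zscaler's default PAC. The exception checks run before anything else, so those requests never reach the ZIA proxy and never see its authentication challenge; everything else is handed to the gateway. Assumptions: `domain.com` stands in for your real domain, `ZIA_GATEWAY` uses the `${GATEWAY}`/`${SECONDARY_GATEWAY}` macros that Zscaler substitutes when it serves a PAC (adjust to your tenant), and the small `shExpMatch`/`isPlainHostName` definitions at the top are stand-ins for the helpers a real PAC runtime already provides, included only so the file can be exercised under Node.js.

```javascript
// Added example PAC file (not from the thread or Zscaler). Placeholders:
// "domain.com" = your company domain; ZIA_GATEWAY = your tenant's gateway string.

// Stand-ins for PAC runtime helpers, used only when no runtime supplies them
// (e.g. when testing under Node.js). A real PAC engine's own functions win.
var shExpMatch = (typeof shExpMatch === "function") ? shExpMatch : function (str, shexp) {
    // Shell-style glob: '*' matches any run, '?' one char; anchored and case-sensitive,
    // so "autodiscover.domain.com" does NOT match "autodiscover.domain.com.attacker.net".
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
};
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName : function (host) {
    return host.indexOf(".") === -1;          // no dot => intranet short name
};

// Hosts that must bypass the ZIA proxy (lower-case; host is lower-cased before matching).
var DIRECT_HOSTS = [
    "autodiscover.domain.com",                // assumed company autodiscover record
    "autodiscover.domain.onmicrosoft.com",    // tenant autodiscover (from the SSL exemptions above)
    "autodiscover-s.outlook.com",
    "login.microsoftonline.com",
    "www.zscaler.com"
];

// Company-hosted URLs from the suggestion above, as shell patterns matched on the full URL.
var DIRECT_URL_PATTERNS = [
    "http*://lyncdiscover*.domain.com*",
    "https://domain.com/autodiscover/autodiscover.xml",
    "https://autodiscover.domain.com/autodiscover/autodiscover.xml"
];

// Assumed gateway string; Zscaler substitutes ${GATEWAY} / ${SECONDARY_GATEWAY} when
// serving the PAC. The trailing DIRECT fails open if both gateways are unreachable.
var ZIA_GATEWAY = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";

// True when the request must not be forwarded to the proxy.
function isExempt(url, host) {
    host = host.toLowerCase();
    for (var i = 0; i < DIRECT_HOSTS.length; i++) {
        if (shExpMatch(host, DIRECT_HOSTS[i])) return true;
    }
    for (var j = 0; j < DIRECT_URL_PATTERNS.length; j++) {
        if (shExpMatch(url, DIRECT_URL_PATTERNS[j])) return true;
    }
    return isPlainHostName(host);             // intranet short names never leave the LAN
}

// Entry point every PAC runtime calls.
function FindProxyForURL(url, host) {
    // 1. Exceptions first, so the proxy (and its 407 challenge) is never involved for them.
    if (isExempt(url, host)) return "DIRECT";
    // 2. Everything else goes through ZIA.
    return ZIA_GATEWAY;
}
```

Note that `shExpMatch` is anchored and literal apart from `*`/`?`: a pattern like `autodiscover.domain.com` will not match a look-alike such as `autodiscover.domain.com.attacker.net`, whereas a pattern ending in `*` would, so keep trailing wildcards off hostnames unless you really need them. If policy requires fail-closed behaviour when both gateways are down, drop the trailing `DIRECT` from `ZIA_GATEWAY`.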