ZAPP with Citrix VPN FT

Hi Guys

We are a new customer of Zscaler and are currently planning to roll out Zscaler in our company.

We have some challenges with the Trusted Network Criteria check.

We are using Citrix NetScaler as a VPN. I have already gone through articles mentioning ZAPP does not detect VPN in case of Citrix until we use FULL TUNNEL. In our case, we are using FULL Tunnel mode.

For the network criteria check, we are using two conditions: 1. DNS 2. Name Lookup. The ‘Any’ condition would trigger a trusted network change.

I know a lot of articles mention that using name lookup causes issues in detecting a network change, as it’s a dynamic property.

Network Criteria works fine 1. when we are connected to the office network (On-Net) and 2. when we are connected to a home network (Off-Net), but we are having an issue when a user connects to Citrix VPN (full tunnel).

ZAPP detects the trusted network change intermittently. At times it works fine, but sometimes it won’t work. When it does not work, it breaks all the traffic flow, as we are using TWLP on VPN and TM V2.0 on Off-Network.

The reason we are using name lookup in the trusted network criteria is the way DNS works in NetScaler: when a user connects to VPN, it pushes a virtual/dummy IP as a DNS server, and when the client does a lookup, NetScaler does DNS forwarding/proxying for all the DNS requests. In short, we can’t use the ‘DNS’ check only when we are on VPN, so we had to use ‘Name Lookup’ as well.

Can anyone help us troubleshoot why ZAPP is having an issue detecting the network change on VPN? How can we solve this?

Also, the discussion below is more than a year old, where a user requested an ER to add Citrix to the VPN adapter list. Can I get an update on it?

Somehow the URL didn’t paste.

You can use a DNS server IP to detect a trusted network.

This is what we use for our users that use a full tunnel VPN, as we are also utilizing a DNS proxy with a synthetic DNS IP.