ZCC Tunnel 2.0 with F5 GUI APP Tunnel


Hi All,

I am trying to deploy ZCC on Windows 10 with Tunnel 2.0 for Trusted, VPN and Off Trusted networks.

  • Using a FWD PAC file for exceptions to be bypassed from ZCC.

  • Respective entry in the APP PAC file to send it either DIRECT or to another proxy.

  • Using a separate FWD PAC file for Trusted (LAN, split VPN, full VPN).

  • Another FWD PAC file for the Off Trusted network.

  • Trusted Network identification is based on the DNS server IP when on LAN/VPN.

All Works great, except I may have a unique use case where:

  1. User is on LAN or VPN

  2. Connects to the F5 GUI App Tunnel. This is available on the internal network only, so the Off Trusted network is out of scope for this issue.

  3. Certain internal web apps are opened from the F5 App Tunnel source IP.

  4. The App Tunnel connects fine over HTTPS.
    So now the user is on LAN + F5 App Tunnel (only for internal web apps) + ZCC 2.0 tunnel, or
    the user is on VPN + F5 App Tunnel (only for internal web apps) + ZCC 2.0 tunnel.
    But any browser-based web application routed through that F5 tunnel fails with ERR_EMPTY_RESPONSE on all browsers that use the system proxy.

  5. Web apps through the F5 App Tunnel work on Firefox under "Auto-detect proxy" or "No proxy"; they fail if the "System proxy" option is used.

  6. At L3 syslog, the client only connects to the F5 App Tunnel IP on port 443; ZCC logs do show the actual IP the client is trying to reach through the tunnel.

  7. SSL bypass in place, private IP bypass in place.

  8. ZCC logs show "Error: Application Exception - Both Client and Server sockets are closed".

Has anyone had a similar use case or issue?

Try adding those destinations under IP exclusions or VPN bypasses on the App profile.

Tried that already without success.

Update:

The F5 App Tunnel uses loopback addresses for the hosted/allowed web applications.
ZCC 2.0 is unable to communicate with those loopback addresses when the traffic goes through the browser.
Attached are snips of the loopback addresses in use before and after the F5 App Tunnel is connected.
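An added illustration (not code from the thread, Zscaler or F5) of the FWD PAC exception pattern the first post describes, with the loopback range from the update among the DIRECT destinations. The proxy string, the ranges and the inline CIDR helper are assumptions; a real PAC runtime would use its built-in isInNet/dnsResolve, and the thread itself reports that such bypasses did not resolve the ERR_EMPTY_RESPONSE.

```javascript
// Assumed placeholder for the ZCC-side proxy entry; not a real ZCC setting.
var ZCC_PROXY = "PROXY 127.0.0.1:9000";

// Destinations sent DIRECT: IPv4 loopback (where the update says the F5 App
// Tunnel hosts its web apps) plus the RFC 1918 ranges (the private IP bypass).
var DIRECT_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Parse a dotted-quad IPv4 literal into an integer; null if it is not one.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True if the literal IPv4 address falls inside the CIDR block.
// Division by the block size avoids JavaScript's signed 32-bit bitwise ops.
function inCidr(ip, cidr) {
  var cidrParts = cidr.split("/");
  var base = ipToInt(cidrParts[0]);
  var addr = ipToInt(ip);
  if (base === null || addr === null) return false;
  var span = Math.pow(2, 32 - Number(cidrParts[1]));
  return Math.floor(addr / span) === Math.floor(base / span);
}

// PAC entry point: returns "DIRECT" for bypassed destinations, otherwise the
// proxy. Only literal-IP hosts are range-checked here; a PAC runtime would
// resolve hostnames with dnsResolve(host) first.
function FindProxyForURL(url, host) {
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < DIRECT_RANGES.length; i++) {
    if (inCidr(host, DIRECT_RANGES[i])) return "DIRECT";
  }
  return ZCC_PROXY;
}
```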

A few random questions:

  1. Are you purely using ZIA? (No ZPA involved?)
  2. "User is on LAN or VPN" → Any PAC enforced by GPO or from F5 APM?
  3. "User is on LAN or VPN" → VPN split or full tunnel?
  4. Tunnel driver type? (Route or Packet Filter)
  5. Is this the kind of config you are running?

G

  1. Yes, ZIA only.
  2. User on VPN or LAN, same issue. Even some App Tunnels available over the internet, which don't need a VPN connection, have the same issue. No PAC enforced by APM.
  3. Split VPN is unlike a typical setup: we have split the Zscaler subnets out of the VPN tunnel to form a direct DTLS tunnel with ZCC, and it works. But regardless, the issue is the same on this kind of split tunnel and on a full tunnel, and the issue is the same without VPN for internet-facing App Tunnels.
  4. Packet Filter; that's the only one which allows Tunnel 2.0.
  5. Yes, and it works when ZCC is turned off or switched to Tunnel 1.0 with a local proxy script.

Valid point :wink:

Complicated challenge. Have you also tried "Domain Exclusions for DNS Requests" for one of the F5 App Tunnel URLs?
G

Tried that now, no luck.

To me it looks like some conflict, or traffic interception not working correctly, when communicating between loopback addresses, and only when it is through the browser.

I am able to telnet to those App Tunnel endpoints, and other SSH/RDP jump systems work fine through the App Tunnel while ZCC 2.0 is running.