I have Windows 10 laptops with ZIA Client Connector which is offering a proxy service at http://127.0.0.1:9000/localproxy. I’ve also rolled out Defender for Endpoint to these machines.
What I’m finding is that the Cloud App Discovery based on Defender telemetry is very patchy. I’m getting alerts when ZSATunnel.exe connects to an unsanctioned URL. However, the overall visibility in Microsoft Cloud App Security of the apps being used is very limited.
To investigate this, I’ve used the “SwitchOmega” add-in to direct Edge to go Direct and bypass the System Proxy. After doing this, the cloud apps accessed by these test machines are accurately reported in Microsoft Cloud App Security.
I need to find a way so that Defender correctly logs the web traffic even when ZIA Client Connector is running as a proxy and tunneling the traffic to a ZEN node. NB: I want to use Microsoft Cloud App Security as my device management portal to sanction and unsanction web apps rather than be jumping over to the Zscaler admin portal.