We use ConnectWise Control cloud to access many of our unattended devices. The ConnectWise agents appear to use SSL pinning, so we need to bypass SSL inspection.
Here’s where we have an issue. Our ConnectWise instance has one static FQDN: instance-nXXXXX-relay.screenconnect.com
This is a CNAME record which points to an AWS FQDN that changes at least once a week.
Although we’ve excluded instance-nXXXXX-relay.screenconnect.com from SSL inspection, we cannot use ScreenConnect without finding out the underlying IP address or AWS instance FQDN, which changes all the time.
These are my working theories so far, but I was hoping that someone who has encountered a similar scenario could help out:
- ZIA does not resolve CNAME records
- ZIA doesn’t update CNAME records after they change or doesn’t update them fast enough
- It has something to do with how the ZCC intercepts and rewrites DNS requests.
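The following is an added example, not part of the post above and not ZIA or ConnectWise code. It models the behaviour the second theory describes: a caching resolver that follows a CNAME chain and keeps serving the cached CNAME target until its TTL expires, even after the authoritative record has been re-pointed and the old target has been retired. The zone data, the example.net hostnames standing in for the relay and AWS names, the TTLs and the documentation-range IP addresses are all constructed for the illustration; it does not show what ZIA actually does.

```python
"""Added example (not from the original post): a minimal caching resolver that
follows a CNAME chain and honours TTLs, used to show how a cached CNAME can keep
pointing at a retired target after the authoritative record has changed.
Zone contents, hostnames under example.net and IP addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    rtype: str   # "CNAME" or "A"
    data: str    # CNAME target or IPv4 address
    ttl: int     # seconds the answer may be cached


class Authority:
    """Authoritative zone data; records are replaced to simulate the target moving."""

    def __init__(self) -> None:
        self.records: Dict[str, List[Record]] = {}

    def set(self, name: str, *records: Record) -> None:
        self.records[name.lower().rstrip(".")] = list(records)

    def delete(self, name: str) -> None:
        self.records.pop(name.lower().rstrip("."), None)

    def query(self, name: str) -> List[Record]:
        return list(self.records.get(name.lower().rstrip("."), []))


class CachingResolver:
    """Recursive resolver with a TTL cache: a cached answer is served until it
    expires, regardless of what the authority currently says."""

    def __init__(self, authority: Authority) -> None:
        self.authority = authority
        self.cache: Dict[str, Tuple[List[Record], float]] = {}

    def lookup(self, name: str, now: float) -> Tuple[List[Record], bool]:
        """Return (records, served_from_cache) for one name."""
        key = name.lower().rstrip(".")
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0], True
        answer = self.authority.query(key)
        if answer:
            self.cache[key] = (answer, now + min(r.ttl for r in answer))
        else:
            self.cache.pop(key, None)  # negative answer: drop any stale entry
        return answer, False

    def resolve(self, name: str, now: float, max_hops: int = 8) -> Tuple[List[str], List[str], bool]:
        """Follow CNAMEs from `name`. Returns (chain of names visited,
        IPv4 addresses at the end of the chain, whether any hop came from cache)."""
        chain, from_cache = [name], False
        for _ in range(max_hops):
            answer, hit = self.lookup(chain[-1], now)
            from_cache = from_cache or hit
            cnames = [r for r in answer if r.rtype == "CNAME"]
            if cnames:
                chain.append(cnames[0].data)
                continue
            return chain, [r.data for r in answer if r.rtype == "A"], from_cache
        raise RuntimeError("CNAME chain too long (loop?)")


# Constructed stand-ins for the relay name and the AWS hostnames behind it.
RELAY = "instance-n00000-relay.example.net"
OLD_TARGET = "old-elb.example.net"
NEW_TARGET = "new-elb.example.net"


def stale_cname_scenario() -> Dict[str, object]:
    """Resolve before the change, shortly after it (CNAME still cached), and
    after the CNAME TTL has run out."""
    auth = Authority()
    auth.set(RELAY, Record("CNAME", OLD_TARGET, 300))
    auth.set(OLD_TARGET, Record("A", "203.0.113.10", 60))
    resolver = CachingResolver(auth)

    chain0, ips0, _ = resolver.resolve(RELAY, now=0)        # fresh lookup

    # The provider re-points the relay name and retires the old host.
    auth.set(RELAY, Record("CNAME", NEW_TARGET, 300))
    auth.set(NEW_TARGET, Record("A", "198.51.100.20", 60))
    auth.delete(OLD_TARGET)

    chain1, ips1, hit1 = resolver.resolve(RELAY, now=120)   # CNAME cached, A expired
    chain2, ips2, hit2 = resolver.resolve(RELAY, now=301)   # CNAME expired, re-fetched

    return {
        "initial": (chain0[-1], ips0),
        "stale": (chain1[-1], ips1, hit1),        # old target, no addresses
        "refreshed": (chain2[-1], ips2, hit2),    # new target resolves again
    }


if __name__ == "__main__":
    for stage, result in stale_cname_scenario().items():
        print(f"{stage:10s} {result}")
```

The "stale" stage is the failure the second theory would produce: the resolver still hands back the old CNAME target from cache, the old target no longer exists, and the name resolves to nothing until the CNAME TTL lapses. To see the real chain and TTLs for your relay name from a given vantage point, `dig +noall +answer instance-nXXXXX-relay.screenconnect.com` prints each hop with its remaining TTL; comparing that output on a client with and without the Zscaler client active is one way to test the third theory.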