ZIA ConnectWise Control SSL Inspection bypass


Hi All,

We use ConnectWise Control cloud to access many of our unattended devices. The ConnectWise agents appear to use SSL pinning, so we need to bypass SSL inspection.

Here’s where we have an issue. Our ConnectWise instance has one static FQDN - instance-nXXXXX-relay.screenconnect.com

This is a CNAME record which points to an AWS FQDN that changes at least once a week.

Although we’ve bypassed instance-nXXXXX-relay.screenconnect.com from SSL inspection, we cannot use ScreenConnect without finding out the underlying IP address or AWS instance FQDN, which changes all the time.

These are my working theories so far but I was hoping that someone who has encountered a similar scenario could help out:

  • ZIA does not resolve CNAME records
  • ZIA doesn’t update CNAME records after they change or doesn’t update them fast enough
  • It has something to do with how the ZCC intercepts and rewrites DNS requests.

Resolved our issue. It wasn’t due to the load balancing or use of a CNAME record, but a misconfiguration on our end.

What was the misconfiguration? We also use ConnectWise. I attempted to bypass SSL inspection at first but no luck. Just started looking into it today.

@ChristianAnderson We used *.screenconnect.com but should have used .screenconnect.com

URL Format Guidelines | Zscaler

@jduan Thanks for getting back. OK, I did also see the formatting guidelines, so I created a user-defined URL category, put .screenconnect.com in there, then added a new SSL inspection policy for that URL category to do not inspect and bypass other policies. It is last, but the other policies before it don’t apply. I am still not getting successful connections on ZIA. Back to digging.

@ChristianAnderson Is your tenant upgraded to the granular SSL Inspection policies?

If so, the second-last auto-generated rule should be “Inspect Remote Users”. The ConnectWise rule needs to be above that one.

Other than that:

  • Does the SSL bypass apply to all users/groups/locations or just specific ones?
  • ScreenConnect agents take up to 30 mins to re-establish a connection.
  • Does adding the IP address of your ScreenConnect tenant work?

Sorry for the delay. Yep, it was the IP it was looking for, and it keeps changing. I have 4 so far and ConnectWise cannot guarantee a static IP.

Yeah, it happened to me again. I think part of the problem is that Zscaler must cache DNS responses. So, for the first 10-24 hours you need to use the actual IP.

I’ll figure it out when I have some time to dig further.