Zscaler APP causes No Internet Access exclamation mark

(Gary Evans) #1

Hi,

We are using the Zscaler app on our laptops. Just recently we have noticed that the machines can surf and get to the internet fine, even though Windows is saying no internet access, but this is having a knock-on effect for Outlook, as it relies on the machine thinking it should have internet access.
If we uninstall the app and use the normal PAC file in a browser, it works fine. As soon as the app goes on, the error is back, but it only happens when on the local LAN; if we put the traffic through the wifi, the exclamation mark goes and all is well.
Double checked IPs on the firewall and all the app ones are in there and allowed.
Anybody experienced anything similar?
Thanks
Gary

(Wesley) #2

Hey Gary, you’re not the only one with this issue! This has been happening during my deployment of Zscaler app as well. Before zap no users got the yellow warning triangle on the NIC; since the rollout everyone is getting it. Same PAC file. I opened a ticket with Zscaler but did not get it resolved. It does seem to be a genuine problem with the app. Did you manage to get any further with Zscaler?

(Gary Evans) #3

Hi Wesley,

Glad it’s not just me, was beginning to wonder.
I have been in touch with Zscaler. They gave me a beta version of the latest app, which did the same thing. The only thing we have done is constantly monitor what IP ranges get blocked on our firewall. We noticed some that were getting blocked with the app running; strangely they were not Zscaler ranges. We added a few of them in, and we can surf with the app from inside the firewall, but we still get Windows telling us there is no internet traffic.
So more of a temp workaround than a solution, I am afraid. What firewall are you using? We have Watchguards here.

Gary

(Wesley) #4

Hi Gary,

No, it’s definitely not just you. We rolled out version 1.4.2 as production but I have also been testing with the latest version 1.5; this did not solve the problem either. It is a problem, as Office products think they have no internet, so opening SharePoint Online documents does not work. I’m in the same boat: with and without the zapp, internet always works. I was looking into ‘Network Connectivity Status Indicator’ as the root cause. We have a rather complex firewall setup managed by our network team, but they assure me there have been no changes. Intriguing that you’re noticing some ranges getting blocked with the app running. Have you tried raising this with Zscaler? I’m thinking about re-opening the ticket as we’re unhappy with this fault long term.

(Gary Evans) #5

Hi,

I currently still have a ticket open with Zscaler. They want me to upload a Wireshark data capture from the machines that have the issue; will upload and see what they say.

Gary

(David Creedy) #6

Hi Gary, Wesley,

Can you provide your ticket numbers for me?

What happens with that warning icon is that the machines reach out to Microsoft for a connectivity test. This either goes to msftncsi.com or msftconnecttest.com depending on the OS version.

If those URLs are unreachable, or a bad response is received, the OS can think there is no connectivity and will show the warning icon.

The follow-on effect is that Microsoft applications like Outlook don’t actually test connectivity themselves initially; they just look at that flag. So this sounds like the issue you are having.

If there are logs on the tickets, I’d like to take a look to see if this traffic is getting blocked somehow.

Regards

David

(Wesley) #7

Hi Dave, my ticket is 595904; don’t let it fool you that it’s closed. This was more a case of us giving up on Zscaler support assisting rather than a good resolution. I’m aware of NCSI and added the URLs you already mentioned to my PAC file to be excluded from SSL inspection. This did not resolve my issue. I’m convinced this is caused by the Zscaler app; when it’s removed from a test machine the problem goes away. I do hope you can find a fix for both of us.

Regards, Wesley.

(Gary Evans) #8

Hi,

I go through a third party so not sure what my ticket number is.
I was aware of Microsoft products trying to connect to those sites, if we use the old pac file in a browser it works fine, no exclamation mark, if we put the traffic through the app, back it appears, so that points to the app for me as nothing else has changed.

Gary

(Gary Evans) #9

Just to add, just gone to a laptop now: the only way I could get Outlook to connect is by having the machine connected to the LAN as well as our wifi. Without the wifi connection Outlook fails to connect. Again, with the PAC file, a LAN connection is all it needs.

Gary

(David Creedy) #10

Hi Gary, Wesley,

Just to be 100% sure that it’s not getting tunneled and blocked, can you try adding www.msftconnecttest.com and www.msftncsi.com to the VPN Gateway Bypasses field in the app profile?

This will essentially tell Z App that if it sees traffic for these destinations it should send it direct instead of tunneling.

Regards

David

(Gordon Wright) #11

We also have these in a group for “No Authentication” as well.

(Gary Evans) #12

Cheers for that Dave, that does kind of make sense, I will add that now and test.

Cheers

Gary

(Wesley) #13

Hello David,

Thanks for the feedback. I have tried adding ‘www.msftncsi.com’ and ‘www.msftconnecttest.com’ to the Zscaler app Windows test policy under ‘hostname/IP address bypass for VPN gateway’; this, however, did not resolve the issue :( I still see the same result of NCSI failing. It’s worth pointing out that I already have an exception in the proxy.pac file for the above, which did not work either. Any more ideas?

Thanks Wesley.

(David Creedy) #14

Wesley,

With Z App running, can you try to access this URL in your browser: http://www.msftconnecttest.com/connecttest.txt

You should be presented with some text.

(Wesley) #15

Hello David, Sure, the result I get is: Microsoft Connect Test
which I think is the correct response.

(Gary Evans) #16

Interesting, I have that domain in the app bypass list, but it doesn’t connect to that site, tested without the app and it connects.

Gary

(Gary Evans) #17

Guys,

After putting in the FQDN of those domains listed into our firewall and on the app bypass list, I can finally say that the app is working as expected.

Thanks Wesley.

Gary

(Wesley) #18

Hi Gary, that’s great news. Can I just check with you where you made these changes? Was it on ‘Hostname/IP Address bypass for VPN Gateway’ in the zap profile or in Zscaler ‘Do Not Inspect Sessions to these Hosts’?

Thanks, Wesley

(Gary Evans) #19

Hi Wesley,

I added the sites to the Bypass VPN Gateway in the zap profile, then just allowed those sites access through our firewall directly.

Gary

(Wesley) #20

Hi Guys,

Well, I have found what looks like the root cause and maybe a fix. The issue all seems to come from the WinHTTP service completing the NCSI tests and failing. As the WinHTTP service is not proxy aware, it’s failing to reach the internet to verify NIC status. Hence getting the yellow warning triangle and Office saying it cannot see the internet.

So I added a proxy to the WinHTTP service and everything is now working. Even on VPN the NIC shows as ‘internet’ and Office is happy.

Question for David Creedy: Is this the right approach to take or can I modify the zapp configuration to produce the same result?

Thanks chaps. Wesley.
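
Added example, not part of any post in this thread: a read-only PowerShell check that puts the thread's diagnostics side by side, fetching the NCSI probes with and without the user's proxy settings and then showing the WinHTTP proxy and the connectivity state Windows reports. The `ncsi.txt` path, its expected body and the registry location are Windows defaults not quoted in the thread, and `Test-NcsiProbe` is a hypothetical helper name.

```powershell
# Added example: read-only NCSI diagnostics. Changes no settings.
# Default Windows NCSI web probes and the exact body each must return.
$probes = @(
    @{ Url = 'http://www.msftconnecttest.com/connecttest.txt'; Expect = 'Microsoft Connect Test' }
    @{ Url = 'http://www.msftncsi.com/ncsi.txt';               Expect = 'Microsoft NCSI' }
)

# Hypothetical helper: fetch one probe, either through the user's proxy
# settings (what a browser sees) or with no proxy at all (-Direct).
function Test-NcsiProbe {
    param([string]$Url, [string]$Expect, [switch]$Direct)
    $client = New-Object System.Net.WebClient
    if ($Direct) { $client.Proxy = $null }   # null proxy = connect straight out
    try {
        $body   = $client.DownloadString($Url).Trim()
        # A 200 with the wrong body (block page, captive portal) also fails NCSI.
        $result = if ($body -ceq $Expect) { 'OK' } else { 'UNEXPECTED BODY' }
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{
        Url    = $Url
        Path   = $(if ($Direct) { 'direct' } else { 'user proxy' })
        Result = $result
    }
}

$results = foreach ($p in $probes) {
    Test-NcsiProbe -Url $p.Url -Expect $p.Expect
    Test-NcsiProbe -Url $p.Url -Expect $p.Expect -Direct
}
$results | Format-Table -AutoSize -Wrap

# Machine-wide WinHTTP proxy; separate from the per-user browser/PAC settings.
netsh winhttp show proxy

# Probe host, path and expected content this machine is configured to use.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet' -ErrorAction SilentlyContinue |
    Select-Object ActiveWebProbeHost, ActiveWebProbePath, ActiveWebProbeContent, EnableActiveProbing |
    Format-List

# Connectivity state Windows currently reports for each network.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, IPv4Connectivity, IPv6Connectivity |
    Format-Table -AutoSize
```

A probe that is OK via `user proxy` but fails via `direct`, while `netsh` reports direct access with no proxy server, is the situation described in post #20.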