Zscaler certificate

Hello Community,

I’ve helped deploy multiple sites with Zscaler. For specific locations like servers, where the proxy mode was transparent and SSL inspection is enabled, we didn’t install the Zscaler certificate on the servers and everything worked fine with no errors. Is this normal?

It would only be an issue if you accessed something that was in your SSL Inspect policy.

2 Likes

It can be that the Zscaler Certificate is distributed via GPO. I assume you are not using a Custom Root Certificate for inspection.

It is strange indeed, so:

  • Verify traffic forwarding from the servers that you are going through Zscaler
  • Is SSL inspection enabled also for the server (sub-location)?
  • Test with your browser
  • Verify the policy
  • Verify the logs (there is a field that shows if traffic is inspected or not).

Let me know what you find out.

1 Like

Hello Marco,

Thank you so much for your answer. It’s much appreciated.
That’s why this is strange, because we aren’t distributing the certificate via GPO.

  • The SSL inspection is enabled for the sub-location.
  • I can see the traffic going through the GRE tunnels to Zscaler.
  • I can see the SSL inspected value is “yes” in the logs.
  • The URL policy should be fine.
    We have the untrusted server certificate option set to pass through. I don’t know if this is relevant.

I’m open to suggestions.

Jenny

Have you checked that the Zscaler Certificate is not present in the Certificate Store on the Server?
You can only browse the internet with SSL inspection if the certificate is present.

You can check the Padlock on the browser bar or view the developer tools security tab to see the certificate chain of the visited website.

If the Zscaler certificate is not present, you definitely should get a security message on the browser session. Applications can work fine if they don’t validate the CA, but this is very likely.

Untrusted server certificate in bypass might be related. The user will have the opportunity to allow the untrusted / self-signed server certificate presented to the user, same as without Zscaler. These are then added to the trusted certificates on the server. But if you visit a random site you should get a message that the certificate is untrusted.

It will still be intercepted and signed by the Zscaler CA, because we will create an untrusted certificate for the website that has an untrusted server certificate.

So, there must be a reason for this. Do you see the same on all servers or just one?

1 Like
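
The two checks suggested in the reply above (the certificate store on the server, and the chain actually presented for a visited site) can be run together from PowerShell on the affected server. This is an added example, not part of the original thread; the target hostname and the assumption that the inspecting CA's subject contains "Zscaler" are placeholders to adjust, for instance when a custom root certificate is in use.

```powershell
# Added diagnostic example (not from the thread). Run on the server in question.
param(
    [string]$TargetHost = 'www.example.com',  # assumption: a site your SSL Inspect policy covers
    [string]$CaPattern  = 'Zscaler'           # assumption: inspecting CA subject contains this text
)

# 1. Look for the inspecting CA in the machine and user trusted-root stores.
$roots = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    Where-Object { $_.Subject -match $CaPattern }
if ($roots) {
    $roots | Select-Object Subject, Thumbprint, NotAfter | Format-List
} else {
    Write-Output "No trusted root matching '$CaPattern' in either store."
}

# 2. Handshake with the site; record the chain Windows built and its verdict.
$state = @{ Errors = $null; Subjects = @() }
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $sslPolicyErrors)
    $state.Errors   = $sslPolicyErrors
    $state.Subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $true  # accept only so the chain can be examined; no application data is sent
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $ssl.RemoteCertificate)
    [pscustomobject]@{
        Host         = $TargetHost
        LeafIssuer   = $leaf.Issuer
        Intercepted  = [bool]($state.Subjects -match $CaPattern) -or
                       ($leaf.Issuer -match $CaPattern)
        PolicyErrors = $state.Errors            # 'None' means this server trusts the chain
        Chain        = $state.Subjects -join ' <- '
    } | Format-List
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

`Intercepted` true with `PolicyErrors` of `None` means the server already trusts the inspecting CA from some source; `RemoteCertificateChainErrors` means the chain is not trusted, so anything that still works is not validating it.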