Zscaler connector winhttp and defender

Hi,

We are facing an implementation issue and are seeking some advice.
We are currently deploying some security software (Defender, Intune / Win10) and we would like their respective services to be able to talk to the Defender server and the Intune server regardless of whether a user is logged in or not.

We have Zscaler Connector, and the services will use the WinHTTP proxy in system context to communicate with the Microsoft servers.

We are thinking about setting the WinHTTP proxy to localhost:9000, but we fear that it will be unreachable when no user is logged in, so the Defender and Intune services will be unavailable, unable to reach the MS endpoints.

We faced another issue where ideally we would like to have the WinHTTP proxy set to while on a trusted site, and the WinHTTP proxy set to while off site.

Have you faced this kind of issue? If so, what best practices did you implement?

All opinions would be welcome…
(I have a support ticket open, but for the moment no real answer.)

Thanks

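The worry in the post above (is localhost:9000 reachable from a SYSTEM service before anyone logs on?) is easy to settle empirically rather than by guessing. The following is an added example, not code from the thread or from Zscaler or Microsoft: a probe script meant to run as SYSTEM (scheduled task at startup, or `psexec -s`) that logs who is on the console, whether 127.0.0.1:9000 is listening, what the WinHTTP proxy is, and whether a couple of Microsoft URLs are reachable via the ZCC local proxy, direct, and via the running account's default (WinINet/PAC) settings. The proxy address comes from the post; the log path and the two probe URLs are placeholders you should replace with the endpoints from the Defender/Intune network requirements.

```powershell
# Added example, not from the thread. Probe what a SYSTEM-context service sees
# before and after interactive logon. Run it as SYSTEM (scheduled task at
# startup, or psexec -s) so it uses the same proxy state as the Defender and
# Intune services. Assumptions: the ZCC local proxy is 127.0.0.1:9000 (from the
# first post); the log path and the two probe URLs are placeholders.
$LogPath    = 'C:\ProgramData\ProxyProbe\probe.log'
$LocalProxy = 'http://127.0.0.1:9000'
$Endpoints  = @('https://login.microsoftonline.com', 'https://www.microsoft.com')

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

function Write-Probe([string]$Message) {
    Add-Content -Path $LogPath -Value ('{0:u} [{1}] {2}' -f (Get-Date), [Environment]::UserName, $Message)
}

function Test-Endpoint([string]$Url, [string]$Mode) {
    # 'zcc'     : force the ZCC local proxy
    # 'direct'  : an empty WebProxy, i.e. no proxy at all
    # 'default' : whatever the running account's WinINet/PAC settings give
    #             (this is the "PAC configured in IE under SYSTEM" case)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    switch ($Mode) {
        'zcc'    { $req.Proxy = New-Object System.Net.WebProxy($LocalProxy) }
        'direct' { $req.Proxy = New-Object System.Net.WebProxy }
    }
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return "HTTP $code"
    } catch [System.Net.WebException] {
        # A 4xx/5xx from the proxy still proves the path is reachable; log the code.
        if ($_.Exception.Response) { return "HTTP $([int]$_.Exception.Response.StatusCode)" }
        return "FAIL $($_.Exception.Status)"
    } catch {
        return "FAIL $($_.Exception.Message)"
    }
}

# Who (if anyone) is logged on at the console, and is the ZCC port listening?
$console = (Get-CimInstance Win32_ComputerSystem).UserName
Write-Probe ('console user: {0}' -f $(if ($console) { $console } else { '<none>' }))
$listening = [bool](Get-NetTCPConnection -LocalPort 9000 -State Listen -ErrorAction SilentlyContinue)
Write-Probe "127.0.0.1:9000 listening: $listening"
Write-Probe ('winhttp: ' + (((netsh winhttp show proxy) | Where-Object { $_.Trim() }) -join ' | '))

foreach ($url in $Endpoints) {
    foreach ($mode in 'zcc', 'direct', 'default') {
        Write-Probe ('{0,-7} {1} -> {2}' -f $mode, $url, (Test-Endpoint $url $mode))
    }
}
```

Save it as `C:\ProgramData\ProxyProbe\probe.ps1` and register it with `Register-ScheduledTask -TaskName 'ProxyProbe' -Principal (New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest) -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\ProxyProbe\probe.ps1')`, reboot, and compare the lines written before the console user appears with those written after you log on (re-run the task by hand, or add an `-AtLogOn` trigger). If the `zcc` lines fail only while `console user` is `<none>`, the fear in the post is confirmed for that ZCC version and you need either a machine-level tunnel or the direct fallback discussed further down the thread.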

@sperson did you get any fix for this? We have the same issue: deploying Defender on VDI with a Zscaler connector.

We have a .pac file on the desktop machines for user traffic, but because Defender uses SYSTEM/LocalSystem traffic, it doesn’t appear to work. I have exhausted the MS documentation that involves configuring a WinHTTP proxy on the system (doesn’t work) and setting the ‘Connected User Experience and Telemetry’ and ‘Disable Authenticated Proxy’ usage; these are the two options for registry-based proxy configuration covered under ‘Network requirements’ for Defender. We have not had any response from Zscaler on how their appliances handle local system traffic (which is unauthenticated, I assume).

We are using the registry settings mentioned here: Configure device proxy and Internet connection settings - Windows security | Microsoft Docs

These settings:
The policy sets two registry values TelemetryProxyServer as REG_SZ and DisableEnterpriseAuthProxy as REG_DWORD under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection .

Because: “When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can’t access the defined proxy.”

So we assume that if a proxy is reachable it will be used; otherwise we go direct.
Regarding Zscaler, as we didn’t manage to handle user authentication from system context, we go direct.
We dug into the dedicated port path and authentication bypass, but our tenant settings won’t fit the requirements for these scenarios.

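For anyone wanting to apply the two DataCollection values the reply above quotes from the Microsoft doc, and then confirm what actually landed on the box, here is an added example (not code from the thread, nor from Microsoft or Zscaler). It writes TelemetryProxyServer (REG_SZ, in server:port form) and DisableEnterpriseAuthProxy (REG_DWORD) under HKLM\Software\Policies\Microsoft\Windows\DataCollection, then reads them back next to the WinHTTP proxy and a TCP check of the configured proxy, which is the condition the quoted fallback-to-direct sentence hinges on. The proxy value is assumed to be the ZCC local proxy 127.0.0.1:9000 from the first post; substitute your own.

```powershell
# Added example, not from the thread. Applies the two DataCollection registry
# values the Microsoft doc quoted above names, then reads them back together
# with the WinHTTP proxy and a TCP check of the proxy. Run elevated.
# Assumption: the proxy is the ZCC local proxy 127.0.0.1:9000 from the first post.
$KeyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$ProxyServer = '127.0.0.1:9000'   # server:port, no scheme

function Set-DefenderTelemetryProxy {
    param([Parameter(Mandatory)][string]$Server)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_SZ: proxy the sensor uses in SYSTEM context; per the doc quoted above
    # the sensor falls back to direct if this proxy cannot be reached.
    New-ItemProperty -Path $KeyPath -Name 'TelemetryProxyServer' -PropertyType String `
        -Value $Server -Force | Out-Null
    # REG_DWORD 1: do not route sensor traffic through the user's authenticated proxy.
    New-ItemProperty -Path $KeyPath -Name 'DisableEnterpriseAuthProxy' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Get-DefenderTelemetryProxy {
    $p      = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $server = $p.TelemetryProxyServer
    $tcp    = $null
    if ($server -match '^(?<host>[^:]+):(?<port>\d+)$') {
        # Is the configured proxy accepting connections right now? Run this from a
        # SYSTEM scheduled task before anyone logs on to see the pre-logon state.
        $tcp = (Test-NetConnection -ComputerName $Matches.host -Port ([int]$Matches.port) `
                -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        TelemetryProxyServer       = $server
        DisableEnterpriseAuthProxy = $p.DisableEnterpriseAuthProxy
        ProxyTcpReachable          = $tcp
        WinHttpProxy               = ((netsh winhttp show proxy) |
                                      Where-Object { $_ -match 'Proxy Server|Direct access' } |
                                      ForEach-Object { $_.Trim() }) -join '; '
    }
}

Set-DefenderTelemetryProxy -Server $ProxyServer
Get-DefenderTelemetryProxy | Format-List
```

If you want the machine-wide WinHTTP route the first post considers instead of (or as well as) the DataCollection values, `netsh winhttp set proxy proxy-server="127.0.0.1:9000" bypass-list="<local>"` sets it for every WinHTTP caller in system context and `netsh winhttp reset proxy` reverts it; the `ProxyTcpReachable` field above is the quick way to see whether that proxy is actually up at the moment a service would try it.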

I have just read your reply a month later (thank you!). We have changed our configuration slightly; perhaps you can help? When I wrote my initial reply, I was trying to configure the VMs to fetch definitions (I assumed this would happen automatically, which is not true), so I configured a UNC share for the definition downloads, which is all good and working. We are now trying to onboard the VMs to the Defender portal, and, after running an off-boarding script on our master image (which is recommended by MS), the child VMs now do not appear to on-board/check in to the Defender Security Centre. I suspect this is a proxy issue. Currently `netsh winhttp show proxy` shows no proxy configured on the master image, just a .pac file configured in IE (under SYSTEM context). Is this probably the issue (do we need a WinHTTP proxy set up)?

We are on an E3 license using Defender for Endpoint Antivirus (only), not ATP. Do you still use the above two reg values for this type of setup? Could you provide some insight into what license/configuration you’re using on VDI for Defender, please? Thanks for your help, much appreciated!

I believe that the recently added “Machine Tunnels” feature of ZPA would be what is needed in this kind of scenario:

https://help.zscaler.com/zscaler-client-connector/about-machine-tunnels

Also, from the ZCC release notes for ZCC 3.2.0.87:

  • Includes support of machine tunneling to ZPA resources before login to Windows (also referred to as Pre-Windows Login). To learn more, see About Machine Tunnels.

Too bad that we’re talking about ZIA here, so this is not applicable.

Yet another case in which the split between ZPA and ZIA hurts a little.

Since the logic is already in ZCC, I wonder how complicated it would be to trigger something similar in the ZIA domain.

Bye, Luca

Hi, can you please confirm that localhost:9000 is only running after interactive login? Where is this documented? I’m trying to sort out a similar issue; here is my post: How to Set System Proxy on W10 with Tunnel with Local Proxy

Thanks!

To all folks troubleshooting Defender ATP and Zscaler coexistence: here is a great indicator of whether things are going well in your deployment. Just check the “Defender for Endpoint Telemetry” query. You can see historic data for the last 30 days. It is available in the old and new portals (old portal link: Microsoft Defender for Endpoint).

This sample demo screenshot is not impressive, but if you check on your live tenant you can see how many failed connections there are. You can also customize the duration (from the last day to the last 30 days) and the URLs. For example, you can run this query for each individual URL from the default list in the query.

Hi all,
Same query here.
We have many applications which use the WinHTTP context.
Today we have a PAC file for the internal network with GRE/IPsec tunnels and are not using a transparent proxy.
Same for remote users, with Tunnel 1.0 with local proxy.
We mainly face issues related to hybrid domain join to Azure, then Nexthink agent communication, and also SCCM app store communication.
Today we perform a URL bypass for these domains in the PAC file, and for Azure AD hybrid domain join we route via the ghost ZEN IP internally through our corporate VPN, to go via the internal DC GRE tunnels to Zscaler, which is like tromboning.

What are the ways to solve this? Any help would be appreciated.