Zscaler failover between VZEN and 1 Cloud ZEN doesn't work using only Internet Explorer

Dear all,

I have performed a VZEN proxy in a Qatar site.
This site already uses Zscaler via Cloud ZEN.
So I configured the PAC file to redirect the web traffic first to VZEN and secondly to the Cloud ZEN (London).
The problem is that using Internet Explorer, the web traffic is still redirected to Cloud ZEN (instead of VZEN), while for the other browsers (Chrome/Firefox) the web traffic is redirected to the VZEN.
Normally, IE should also redirect the web traffic to the VZEN.
This problem seems to be due to Internet Explorer.
Do you know why we have this issue?

Thank you.

Adrien Maquin

This may be because of caches. You may try to clear cookies.

This could be caused by the proxy cache feature of IE (not sure, we have it disabled in our infra ever since I first stumbled upon it).
See https://www.thewindowsclub.com/enable-disable-automatic-proxy-caching-internet-explorer


Hello all,

We tried, but same problem.
Do you have any other idea?

Can you show your PAC file?
Where is it hosted - on premise or on pac.zscaler.net? Accessed via autosearch (WPAD) or explicit path?
Any decisions in the PAC based on myIpAddress?

Hello, the PAC file is hosted on our internal server.
We use the user's host IP to redirect the flow from that host to the VZEN; Cloud ZEN.

Here is the “code” of our pac file concerned by our problem.

############################
if (
  isInNet(myIpAddress(), "XX.XX.XX.XX", "255.255.255.255") // Test user
) return "PROXY VZEN:80; PROXY CloudZen:8080";
##############################

We use the PAC file with WPAD.

Nearly willing to bet that the machine with IE has more than one active IP; correct?

IE has some weird bug which can cause myIpAddress to not use the correct IP (the one which is really used to connect to the proxy) but another one when it processes the PAC file.
Sometimes this can be worked around by changing the binding order, but I never found a bulletproof way…

BTW:
isInNet adds latency and a dependency to DNS.
The better approach to do such IP checks is like this:

function FindProxyForURL(url, host) {
  // Address the browser reports for this client
  var IP_full = myIpAddress();
  // Plain string match on the address
  if (shExpMatch(IP_full, "X.X.X.X")) { return "PROXY VZEN:80; PROXY CloudZen:8080"; }
}

Hello Thomas,

Are you sure that "shExpMatch(IP_full,"X.X.X.X")" permits to find the IP address?
Normally the function "shExpMatch" permits to resolve names, no?

Thank you.

Hi Adrien,

Here is a more complete example; we have used something like this for 10 years:

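function FindProxyForURL(url, host) {
  // Split the reported client address into its four octets
  var IP_full = myIpAddress();
  var IPv4 = IP_full.split(".");
  var subA = parseInt(IPv4[0], 10), subB = parseInt(IPv4[1], 10);
  var subC = parseInt(IPv4[2], 10), subD = parseInt(IPv4[3], 10);

  // Assumption: clients outside 10.x.x.x also get the default proxy
  // (the original left GW unset in that case)
  var GW = "PROXY 10.10.10.10:8080";

  switch (subA) {
    case 10:
      switch (subB) {
        case 1:
        case 4:
        case 5:
          GW = "PROXY 1.2.3.4:8080"; break;
        case 2:
        case 3:
          GW = "PROXY 5.6.7.8:8080";
          if (subC == 200) GW = "PROXY 1.2.3.4:8080";
          break;
        case 7:
          GW = "PROXY 123.123.234.234:4711"; break;
        default:
          GW = "PROXY 10.10.10.10:8080";
      }
  }

  if (isPlainHostName(host)) return "DIRECT";
  else return GW;
}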

So in this case you end up with

10.2.200.1 -> proxy 1.2.3.4:8080
10.2.201.1 -> proxy 5.6.7.8:8080
10.4.1.1 -> proxy 1.2.3.4:8080
10.7.1.1 -> proxy 123.123.123.123:4711
10.100.1.1 -> proxy 10.10.10.10:8080

Hope that helps.

tS


Where do you use “IP_full=myIpAddress()” in your example?

My goal is to redirect traffic to PROXY VZEN, and if VZEN is down we want the traffic to be redirected to CloudZen.

What command in the PAC file do you suggest I create?

isInNet(myIpAddress(), "XX.XX.XX.XX", "255.255.255.255") // Test user
) return "PROXY VZEN:80; PROXY CloudZen:8080"; => doesn't work with IE

IP_full just takes whatever myIpAddress gives back.
This is then split into the 4 octets.
With that you can then easily send individual clients, based on the IP and as granular as you want, to different proxies.

So in your case for one individual IP only, something like (xx.xx.xx.xx=7.4.0.3)

if (subA==7 && subB==4 && subC==0 && subD==3) return "PROXY vzen:80; PROXY czen:8080";

You should also know that IE has a timer of 30 min. This means that if vzen is down, IE will fail over to czen (hopefully), but when vzen is back up, IE will wait at least 30 min before using vzen again.

To be honest, I don't trust this failover mechanism; works 'somewhat' in best case.
It is much more reliable and quicker if you use a CNAME in the return statement and, in case the proxy is down, change the CNAME to point to another proxy.

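The multi-homed case raised in the replies above can be replayed outside a browser by running the PAC logic once per local address. This is an added example, not code from the thread: the PAC built-ins are stubbed so it runs under Node.js, 7.4.0.3, vzen:80 and czen:8080 are the thread's placeholders, and it assumes every other client is sent to the Cloud ZEN only; 192.168.56.1 is a constructed second-adapter address.

```javascript
// Added example. makePac, parseChain, auditHost and isAmbiguous are
// hypothetical helper names; the PAC built-ins are stubs for offline use.
var FAILOVER_CHAIN = "PROXY vzen:80; PROXY czen:8080"; // VZEN first, Cloud ZEN second
var CLOUD_ONLY = "PROXY czen:8080"; // assumption: all other clients use Cloud ZEN only

// Returns a FindProxyForURL bound to one particular myIpAddress() answer.
function makePac(reportedIp) {
  function myIpAddress() { return reportedIp; }                        // stub
  function isPlainHostName(host) { return host.indexOf(".") === -1; }  // stub

  return function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    var o = myIpAddress().split(".").map(function (s) { return parseInt(s, 10); });
    if (o[0] === 7 && o[1] === 4 && o[2] === 0 && o[3] === 3) return FAILOVER_CHAIN;
    return CLOUD_ONLY;
  };
}

// Splits a PAC result into ordered entries and rejects malformed ones, such
// as a second entry missing its PROXY keyword. Only the two entry types used
// in this thread (PROXY, DIRECT) are handled.
function parseChain(result) {
  return result.split(";").map(function (entry) {
    var m = /^\s*(?:(DIRECT)|(PROXY)\s+([^\s:]+):(\d+))\s*$/.exec(entry);
    if (!m) throw new Error("malformed PAC entry: '" + entry.trim() + "'");
    return m[1] ? { type: "DIRECT" } : { type: "PROXY", host: m[3], port: Number(m[4]) };
  });
}

// Replays the PAC once per local address: one row per answer that
// myIpAddress() could give on this host.
function auditHost(addresses, url, host) {
  return addresses.map(function (addr) {
    var chain = parseChain(makePac(addr)(url, host));
    return { reported: addr, first: chain[0].host || "DIRECT", hops: chain.length };
  });
}

// True when the routing depends on which interface the browser reports.
function isAmbiguous(rows) {
  var firsts = rows.map(function (r) { return r.first; });
  return firsts.some(function (f) { return f !== firsts[0]; });
}

// Constructed multi-homed host: the expected LAN address plus a second adapter.
var rows = auditHost(["7.4.0.3", "192.168.56.1"], "http://www.example.com/", "www.example.com");
console.log(rows, "ambiguous:", isAmbiguous(rows));
```

A host flagged as ambiguous reaches the VZEN only when the browser happens to report the expected address, which matches the symptom of one browser landing on the Cloud ZEN while the others use the VZEN.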