Zscaler VPN blocks network and shared drives for SOME users

Our parent company forced us to switch to this from a VPN that worked. Now SOME users (for whom I can’t figure out a common denominator) connect to Zscaler when working remotely and can’t see ANYTHING on the network. Before the parent company (which provides terrible support, if any, when we try to escalate things) disabled the old VPN, we would connect to it on a remote user’s PC and see the shared drive, for instance. We’d switch to Zscaler after disconnecting and closing out of the old VPN and suddenly, no matter HOW you tried to reach it (ping, searching in FE, searching by FQDN in FE, etc. etc. etc.), NOTHING!!! YES, I HAVE RESTARTED A BILLION TIMES. With no support for us local admins and little info online, please, someone HELP ME, BECAUSE I GET BLAMED, NOT ZSCALER AND NOT THIS AWFUL PARENT COMPANY. PLEASE HELP.

Hi Maggie, first let me say that I’m sorry you’re having these challenges. At first read it sounds like you’re dealing with the policy as it’s been set.

  1. Have you been able to discuss the challenges with the admins of your Zscaler instance to request a policy adjustment?

  2. If they are unable to adjust as needed, have they opened a support case or spoken to the sales team supporting the company?

-kb


Hello, and thank you so much for the response. I have not, but I am trying to. They are located across the globe, and the challenge of finding a human to actually help me is near impossible. I would love to be able to fix it myself, but I can’t find anything about this specific issue.

Thanks again for acknowledging my question. It is more than my company does.

Unfortunately, the fix you’re looking for is likely a policy change by the administrators. Once you are able to contact them, if help is required to show them how to adjust the policy, please let me know and I would be happy to facilitate a discussion.

Hopefully your day gets better.

-kb


Maggie, first let me join Keith in saying I’m sorry you’ve encountered this issue. In almost all cases, Zscaler would normally conduct what we call an “Architectural Review” to ascertain what your network and the parent company’s network look like and recommend a Merger and Acquisition (M&A) plan. The M&A plan typically involves three core tasks listed below. Hopefully, this information will help you when you do find the right person to speak with at the parent company.

  • Because the Zscaler Private Access (ZPA) solution is based on the “Zero Trust Network Architecture” (least privilege access), as opposed to the traditional VPN solution you used in the past, you will find there isn’t the full access to any network resource you had before unless it is explicitly configured. Again, without knowing your current network architecture, but knowing some users can connect to the resources and some can’t, it may be that some users are using an alternate domain or IP address to mount file shares, for example. The problem there is that your private IP address range may be the same as the parent company’s internal address range, so only FQDNs can be used. In order to support your domain infrastructure, your parent company may have to add the additional domains in your network to their ZPA configuration.
    Hint: first check that the users having the issue are logging into the ZCC agent on their local machine with the same domain name as the ones that can access the resource.

  • Integration of your company’s IdP / authentication database, so you can use your credentials in the ZCC front end and use your company’s authentication groups to allow access to your file shares and the other internal network resources mentioned above. Perhaps these users are not in the group that does have access to the resources.

  • The access policy rule that Keith referred to, which would allow the sub-set of users (possibly part of a particular AD group that is not currently part of the ZPA configuration). The quickest way to resolve this issue is to ask the parent company admin to use the ZPA diagnostics, filtered by the user having the issue (generally in the form of an email address), to determine exactly what FQDN, IP, and/or port the user is attempting to access, and work backwards to find out whether the user belongs to one or more of the groups that have access to the file share app segment, and then add the user to an existing rule or create a new rule that fits the intended purpose.

Note: using the terminology in bold above will help the admin who is familiar with ZPA find the issue.
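The three checks in the post above (destination must match a configured app segment by FQDN, the user's login domain must be one the IdP integration knows, and the user must be in a group an access rule grants) can be modelled as a small decision function. The block below is an added example written for this thread; it is not Zscaler code, and the `user=... dst=... port=...` lines it parses are a constructed stand-in for whatever the real ZPA diagnostics export looks like, not the product's actual format. Segment names, domains, groups and users are all made up for illustration. It runs the same "work backwards from the blocked request" triage the post describes, and reports a reason for each block.

```python
"""Model of a ZPA-style least-privilege access decision (added example, not Zscaler code).

Encodes the three checks from the post: (1) destination must match an app
segment by FQDN, because an IP literal is ambiguous when the subsidiary's
private range overlaps the parent's; (2) the user's login domain must be
federated to the IdP; (3) the user must be in a group an access rule grants.
All names, domains, groups and log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AppSegment:
    """One application segment plus the groups its access rules grant."""
    name: str
    domains: tuple          # exact FQDNs, or suffixes starting with "." (wildcard)
    tcp_ports: tuple        # (low, high) inclusive port ranges
    allowed_groups: frozenset

    def match_len(self, host):
        """Length of the longest configured domain covering host, 0 if none."""
        host = host.lower().rstrip(".")
        best = 0
        for d in self.domains:
            if host == d or (d.startswith(".") and host.endswith(d)):
                best = max(best, len(d))
        return best

    def allows_port(self, port):
        return any(lo <= port <= hi for lo, hi in self.tcp_ports)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(user, groups, dst, port, segments, idp_domains):
    """Return (verdict, reason) for one access attempt."""
    login_domain = user.rpartition("@")[2].lower()
    if login_domain not in idp_domains:
        return ("BLOCK", f"login domain {login_domain} is not federated to ZPA")
    if is_ip_literal(dst):
        # Only FQDN-based segments exist here, so an IP destination never matches.
        return ("BLOCK", "destination requested by IP; only FQDN segments are defined")
    score, seg = max(((s.match_len(dst), s) for s in segments), key=lambda t: t[0])
    if score == 0:
        return ("BLOCK", f"no app segment covers FQDN {dst}")
    if not seg.allows_port(port):
        return ("BLOCK", f"port {port} is not in segment {seg.name}")
    if not seg.allowed_groups & set(groups):
        return ("BLOCK", f"user is not in a group granted access to {seg.name}")
    return ("ALLOW", seg.name)


def parse_line(line):
    """Parse a constructed 'key=value' diagnostics line (hypothetical format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    groups = tuple(g for g in fields.get("groups", "").split(",") if g)
    return fields["user"], groups, fields["dst"], int(fields["port"])


def triage(lines, segments, idp_domains):
    """Run decide() over exported lines; returns (user, dst, port, verdict, reason) tuples."""
    out = []
    for line in lines:
        user, groups, dst, port = parse_line(line)
        verdict, reason = decide(user, groups, dst, port, segments, idp_domains)
        out.append((user, dst, port, verdict, reason))
    return out


# Constructed configuration: a subsidiary whose shares and AD were onboarded by FQDN.
SEGMENTS = (
    AppSegment("Subsidiary file shares", (".files.sub.example",),
               ((139, 139), (445, 445)), frozenset({"Sub-FileShare-Users"})),
    AppSegment("Subsidiary AD", (".sub.example",),
               ((53, 53), (88, 88), (389, 389), (636, 636)), frozenset({"Sub-Domain-Users"})),
)
IDP_DOMAINS = frozenset({"parent.example", "sub.example"})

# Constructed diagnostics export: one working user and four typical failure modes.
LOG_LINES = [
    "user=maggie@sub.example groups=Sub-FileShare-Users dst=fs01.files.sub.example port=445",
    "user=alex@sub.example groups=Sub-FileShare-Users dst=10.20.0.15 port=445",
    "user=sam@sub.example groups=Sub-Domain-Users dst=fs01.files.sub.example port=445",
    "user=jo@sub.local groups=Sub-FileShare-Users dst=fs01.files.sub.example port=445",
    "user=pat@sub.example groups=Sub-FileShare-Users dst=fs01.files.sub.example port=2049",
]

if __name__ == "__main__":
    for user, dst, port, verdict, reason in triage(LOG_LINES, SEGMENTS, IDP_DOMAINS):
        print(f"{verdict:5} {user:22} {dst}:{port}  {reason}")
```

The second line is the case the post singles out: the share is reachable, but the user mapped it by IP, and an IP that is valid on both the subsidiary and parent networks cannot be turned into a segment, so the fix is to remap by FQDN rather than to change policy. The fourth line shows the login-domain hint from the post: a user signing in to ZCC with a legacy domain suffix is blocked before any segment is even consulted.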

Thank you for the reply. I want to clarify that the product is great except for these few, so I know it probably is something on the company side; I just figured I would try here. With great effort I have found a contact at the company who may be able to help us. Hopefully. I appreciate the responses.

Yes, this is definitely what the community is for, and I’m glad you found the right contact to move forward with a solution. Feel free to update us on your progress if you need more assistance.