URLs are not working when Zscaler is ON and VPN is ON

We are using the Zscaler ZIA solution for our client, and today I faced a different issue where the client has 5 different URLs (for security reasons I cannot mention details about the URLs). The setup is the same for all URLs, but two of the URLs are not working with Zscaler ON and VPN ON.

The client is using the Microsoft RAS VPN solution.

Steps we followed to fix the issue:

  1. Bypassed the URLs via the SSL inspection exception list.
  2. We checked and found the two URLs were not resolving at all; no DNS entries were found. We contacted the end user and got the IP addresses required to create A records.
  3. We got errors in the logs, the proxy health was bad, and our network was not even able to connect to the Zscaler proxy.
  4. Once the DNS records were created, we found the problem URLs were mapped to the IP addresses provided but still not resolving from browsers.
  5. We did more troubleshooting and captured logs from Zscaler, and found the URLs were redirecting to other URLs. This took us in a different direction: maybe they were blocked by Checkpoint, so we checked the Check Point logs as well but found nothing, which left us clueless.
  6. Then we checked the same URLs in a server environment where Zscaler is not installed, and the URLs worked as expected.
  7. Then we raised a ticket with Zscaler support, captured logs from the Zscaler app, and found both URLs were bypassed but blocked when the VPN is ON.
  8. We could see communication up to the Client Hello, but there was no Server Hello. Instead we got a reset from the destination server.
  9. During our discussion, we tried bypassing the URLs and the VPN IP address/URL in the Zscaler app profile. Once we bypassed them, the URLs started resolving and the issue was fixed.
  10. We then changed the PAC files and added the URLs as per the best practices suggested by Zscaler.
  11. We suspect the URLs with ".net" profiles are not supported and have different packet-forwarding policies.
Regards
Hitesh Kumar
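As an added example (not part of Hitesh's post or Zscaler's own PAC template), here is the shape of the PAC-file bypass described in steps 9 and 10: the two affected hosts and the VPN address range go DIRECT, everything else goes to the Zscaler gateway. The hostnames, the VPN subnet and the `${GATEWAY}`/`${SECONDARY_GATEWAY}` gateway macros are assumptions and placeholders; `isPlainHostName`, `dnsDomainIs` and `isInNet` are normally supplied by the browser's PAC engine and are defined here as minimal stand-ins so the file runs under plain Node.js.

```javascript
// Added example PAC file: bypass the two affected hosts and the VPN range.
// Hostnames, the VPN subnet and the ${GATEWAY} macros are placeholders.

// Minimal stand-ins for the PAC helpers a browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Host matches the domain itself or any subdomain of it.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Constructed placeholders for the two hosts that failed with VPN ON.
var BYPASS_DOMAINS = ["app1.example.net", "app2.example.net"];
// Assumed address range handed out by the RAS VPN.
var VPN_NET = "10.200.0.0", VPN_MASK = "255.255.0.0";
var IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Intranet names never go through the cloud proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // The two affected services bypass Zscaler entirely.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Only test IP literals against the VPN range, so no DNS lookup per request.
  if (IPV4.test(host) && isInNet(host, VPN_NET, VPN_MASK)) return "DIRECT";
  // Everything else: primary gateway, then secondary, then DIRECT as last resort.
  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
```

Keeping the bypass as an exact-host or subdomain match (rather than a bare suffix) avoids accidentally sending unrelated `.net` hosts around the proxy.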
