u/necromok

PAC on Mobile devices with no ZCC

(Used AI to tidy up, sorry) We are currently testing Zscaler traffic forwarding on managed Android and iOS devices enrolled through Microsoft Intune for users operating from untrusted/unknown networks (road warriors).

Our setup involves pushing the following configurations via Intune:
- Zscaler Root CA certificate
- PAC file configuration for proxy forwarding

Initially, we were using the default Mobile Proxy PAC provided by Zscaler, but traffic forwarding and authentication were not functioning correctly. We raised a TAC case, and the Zscaler TAC team provided an alternate PAC configuration.

After applying the new PAC file along with the Zscaler Root CA certificate on the devices, authentication behavior improved and we were able to complete the login flow successfully.

Current observed behavior:

  1. The proxy and Root CA certificate are installed on the device.
  2. When accessing an HTTP website from the browser, the captive authentication flow is triggered.
  3. The user is redirected to the Zscaler authentication portal, where the corporate username is entered.
  4. The flow then redirects to Microsoft Entra ID / login.microsoftonline.com for authentication.
  5. After successful login, the original HTTP website loads successfully.
  6. When checking ip.zscaler.com, it confirms:
     - Traffic is going through the Zscaler cloud
     - The user is shown as authenticated/logged in

This confirms that authentication and cloud forwarding are now working with the TAC-provided PAC file.

However, we are facing the following issues:

- Websites that should normally be blocked by our Zscaler policy are still accessible from the mobile devices.
- SSL inspection also does not appear to be occurring, as the websites are not being re-signed with the Zscaler Root CA certificate.
- In Mobile Insights/logs, we only see entries for the initial HTTP website used to trigger the captive portal authentication flow.
- After authentication, traffic to other websites such as Facebook, CNN, etc. does not appear in the logs at all, even though the websites are accessible from the device.

Based on this behavior, it appears that:
- Authentication is successful
- Traffic is reaching Zscaler at least during the captive portal flow
- But security policies, SSL inspection, and logging are not being consistently enforced for subsequent browsing traffic

Additionally, we would like to know if the captive authentication experience can be simplified or streamlined further for mobile users. Currently, users must manually trigger the authentication flow by accessing an HTTP website first before browsing normally. Is there a recommended approach to make authentication more seamless for Android/iOS road warrior deployments?

I am also attaching/posting the PAC file configuration shared by TAC for reference.

function FindProxyForURL(url, host) {
    var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || shExpMatch(host, "192.0.2.*") || privateIP.test(host))
        return "DIRECT";

    /* FTP goes directly */
    if (url.substring(0, 4) == "ftp:")
        return "DIRECT";

    /* test with ZPA */
    if (isInNet(resolved_ip, "100.64.0.0", "255.255.0.0"))
        return "DIRECT";

    // ========== Bypasses for Zscaler IAM ===================================
    var iam = /^.*\.(zslogin|zsloginbeta|zslogindemo|zsloginalpha)\.net$/;
    if (iam.test(host))
        return "DIRECT";

    if (dnsDomainIs(host, "zsa.zscaler.com"))
        return "PROXY 165.225.120.34:80; PROXY 167.103.133.129:80; DIRECT";

    if (((localHostOrDomainIs(host, "trust.zscaler.com")) ||
         (localHostOrDomainIs(host, "trust.zscaler.net")) ||
         ...
         (localHostOrDomainIs(host, "trust.zdxstage.net"))) &&
        (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:"))
        return "DIRECT";

    if (shExpMatch(host, "*.zoom.com") ||
        shExpMatch(host, "*.zoom.us") ||
        shExpMatch(host, "*.office.com") ||
        shExpMatch(host, "*.microsoftonline.com") ||
        shExpMatch(host, "*.cloud.microsoft") ||
        shExpMatch(host, "*.static.microsoft") ||
        shExpMatch(host, "*.usercontent.microsoft") ||
        shExpMatch(host, "*.office365.com") ||
        shExpMatch(host, "*.onmicrosoft.com") ||
        shExpMatch(host, "*.outlook.com") ||
        shExpMatch(host, "*.mx.microsoft") ||
        shExpMatch(host, "*.svc.ms") ||
        shExpMatch(host, "*.windows.net") ||
        shExpMatch(host, "*.skype.com") ||
        shExpMatch(host, "*.cdn.onenote.net") ||
        shExpMatch(host, "*.msftidentity.com") ||
        shExpMatch(host, "*.msidentity.com") ||
        shExpMatch(host, "*.sharepoint.com") ||
        shExpMatch(host, "login.microsoftonline.com")) {
        return "DIRECT";
    }

    if (dnsDomainIs(host, "login.zscaler.net"))
        return "DIRECT";

    if (dnsDomainIs(host, "gateway.zscaler.net"))
        return "DIRECT";

    return "${GATEWAY}:443; ${SECONDARY_GATEWAY}:443; DIRECT";
}

u/necromok — 1 day ago
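When a PAC file behaves differently from what the policy expects, the first thing to check is which requests the PAC itself sends DIRECT, because a DIRECT decision means Zscaler never sees the request and can neither block, inspect, nor log it. The harness below is an added example, not code from the post, from Zscaler TAC, or from Zscaler's documentation. It re-implements the standard PAC helper functions (isPlainHostName, shExpMatch, dnsDomainIs, localHostOrDomainIs, isInNet, dnsResolve) in plain JavaScript so that a FindProxyForURL body with the same decision categories as the one above (plain hostnames, literal private IPs, the ZPA 100.64.0.0 range, identity endpoints, a default PROXY return) can be run offline against constructed URLs. The DNS table, the gateway names (gateway.example.invalid, secondary.example.invalid) and the request list are constructed placeholders; the PAC body is a shortened stand-in for the TAC file, not a copy of it.

```javascript
// Offline PAC evaluation harness (added example; not from the post or from Zscaler).
// It re-implements the standard PAC helper functions so a FindProxyForURL body
// can be exercised against constructed requests to see which bypass the proxy.

// Constructed DNS table standing in for the device resolver (not real addresses).
const DNS_TABLE = {
  "intranet.corp.example": "10.20.30.40",       // internal FQDN resolving to RFC1918 space
  "app.private.corp.example": "100.64.5.9",     // ZPA synthetic IP range
  "www.cnn.com": "151.101.1.67",
  "login.microsoftonline.com": "20.190.151.7",
};

// --- PAC helper functions, as the browser would provide them -----------------
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(DNS_TABLE, host) ? DNS_TABLE[host] : null;
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.substring(host.length - domain.length) === domain;
}
function localHostOrDomainIs(host, hostdom) {
  // exact match, or an unqualified host that is the hostname part of hostdom
  return host === hostdom || (isPlainHostName(host) && hostdom.indexOf(host + ".") === 0);
}
function shExpMatch(str, pattern) {
  // shell-style glob: escape regex metacharacters, then map * and ?
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function isInNet(ip, net, mask) {
  if (ip === null) return false;               // dnsResolve failed: no match, as in browsers
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// --- PAC body under test (constructed stand-in with the same decision classes) --
const GATEWAY = "gateway.example.invalid";            // placeholder, not a real ZIA node
const SECONDARY_GATEWAY = "secondary.example.invalid";

function FindProxyForURL(url, host) {
  const privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
  const resolvedIp = dnsResolve(host);

  // Plain hostnames and literal private IPs stay on the local network.
  if (isPlainHostName(host) || shExpMatch(host, "192.0.2.*") || privateIP.test(host)) return "DIRECT";
  // FTP is not proxied.
  if (url.substring(0, 4) === "ftp:") return "DIRECT";
  // Hosts resolving into the ZPA synthetic range are handled by ZPA, not ZIA.
  if (isInNet(resolvedIp, "100.64.0.0", "255.255.0.0")) return "DIRECT";
  // Identity endpoints are bypassed so the login flow itself is not proxied.
  if (/^.*\.(zslogin|zsloginbeta|zslogindemo|zsloginalpha)\.net$/.test(host)) return "DIRECT";
  if (shExpMatch(host, "*.microsoftonline.com") || shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";
  if (dnsDomainIs(host, "login.zscaler.net") || dnsDomainIs(host, "gateway.zscaler.net")) return "DIRECT";
  // Everything else is forwarded to the cloud, falling back to DIRECT if both gateways fail.
  return "PROXY " + GATEWAY + ":443; PROXY " + SECONDARY_GATEWAY + ":443; DIRECT";
}

// --- Audit: which constructed requests would never reach Zscaler? ------------
function auditBypasses(requests) {
  const report = { direct: [], proxied: [] };
  for (const [url, host] of requests) {
    const decision = FindProxyForURL(url, host);
    (decision === "DIRECT" ? report.direct : report.proxied).push(host);
  }
  return report;
}

const SAMPLE_REQUESTS = [                              // constructed test requests
  ["http://intranet/", "intranet"],
  ["http://10.1.2.3/", "10.1.2.3"],
  ["https://intranet.corp.example/", "intranet.corp.example"],
  ["https://app.private.corp.example/", "app.private.corp.example"],
  ["https://login.microsoftonline.com/", "login.microsoftonline.com"],
  ["https://www.cnn.com/", "www.cnn.com"],
  ["http://ip.zscaler.com/", "ip.zscaler.com"],
];

console.log(JSON.stringify(auditBypasses(SAMPLE_REQUESTS), null, 2));
```

Two things the run makes visible: the private-IP check in this PAC style tests the hostname string, not the resolved address, so an internal FQDN that resolves to RFC 1918 space (intranet.corp.example here) is still sent to the proxy unless it lands in the ZPA range; and only requests whose decision is a PROXY entry can ever appear in Zscaler logs or be SSL-inspected, so a site that is reachable but absent from Insights is worth checking here first. Replace DNS_TABLE and SAMPLE_REQUESTS with the hosts from your own policy tests to audit a real PAC body the same way.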

(Delivery Consultant) EDU 302 Hands on Lab

I have completed all prerequisites for the EDU 302 Hands on Lab, and I was wondering if this is similar to the EDU 200 and EDU 202 labs, where we are given a lab guide and have to perform accordingly. Can anyone who has done it shed some light? Thank you!!!!

u/necromok — 3 days ago
▲ 105 r/mumbai

Let's see how pay has changed around Mumbai in the last 6 years.

As we enter 2026, the survival threshold in Mumbai has shifted significantly, and what was a comfortable salary in 2021 now barely covers basic rent and utilities in many suburban pockets.

The company you work for likely doesn't allow you to share your salary information with anyone. You likely don't even talk about your salary with your colleagues and friends.

Companies use this lack of information to underpay you, give you low raises and more.

We all deserve to be paid the money we deserve. But to understand what we deserve, we must first know how much everyone else is earning.

Let's help each other by sharing CTC, Experience, Industry and role.

Here is a link to the 2025 thread:

2025 Post

Here is a link to the 2023 thread:

2023 Post

Here is a link to the 2021 thread:

2021 Post

u/necromok — 21 days ago