r/Zscaler

PAC on Mobile devices with no ZCC

(Used AI to tidy up, sorry) We are currently testing Zscaler traffic forwarding on managed Android and iOS devices enrolled through Microsoft Intune for users operating from untrusted/unknown networks (road warriors).

Our setup involves pushing the following configurations via Intune:
- Zscaler Root CA certificate
- PAC file configuration for proxy forwarding

Initially, we were using the default Mobile Proxy PAC provided by Zscaler, but traffic forwarding and authentication were not functioning correctly. We raised a TAC case, and the Zscaler TAC team provided an alternate PAC configuration.

After applying the new PAC file along with the Zscaler Root CA certificate on the devices, authentication behavior improved and we were able to complete the login flow successfully.

Current observed behavior:

  1. The proxy and Root CA certificate are installed on the device.
  2. When accessing an HTTP website from the browser, the captive authentication flow is triggered.
  3. The user is redirected to the Zscaler authentication portal, where the corporate username is entered.
  4. The flow then redirects to Microsoft Entra ID / login.microsoftonline.com for authentication.
  5. After successful login, the original HTTP website loads successfully.
  6. When checking ip.zscaler.com, it confirms:
     - Traffic is going through the Zscaler cloud
     - The user is shown as authenticated/logged in

This confirms that authentication and cloud forwarding are now working with the TAC-provided PAC file.

However, we are facing the following issues:

- Websites that should normally be blocked by our Zscaler policy are still accessible from the mobile devices.
- SSL inspection also does not appear to be occurring, as the websites are not being re-signed with the Zscaler Root CA certificate.
- In Mobile Insights/logs, we only see entries for the initial HTTP website used to trigger the captive portal authentication flow.
- After authentication, traffic to other websites such as Facebook, CNN, etc. does not appear in the logs at all, even though the websites are accessible from the device.

Based on this behavior, it appears that:
- Authentication is successful
- Traffic is reaching Zscaler at least during the captive portal flow
- But security policies, SSL inspection, and logging are not being consistently enforced for subsequent browsing traffic

Additionally, we would like to know if the captive authentication experience can be simplified or streamlined further for mobile users. Currently, users must manually trigger the authentication flow by accessing an HTTP website first before browsing normally. Is there a recommended approach to make authentication more seamless for Android/iOS road warrior deployments?

I am also attaching/posting the PAC file configuration shared by TAC for reference.

function FindProxyForURL(url, host) {
    /* RFC 1918 ranges, loopback, link-local and the 6to4 relay prefix, matched on the host string */
    var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || shExpMatch(host, "192.0.2.*") || privateIP.test(host))
        return "DIRECT";

    /* FTP goes directly */
    if (url.substring(0, 4) == "ftp:")
        return "DIRECT";

    /* test with ZPA: hosts that resolve into the 100.64.0.0/16 synthetic range are left to ZPA */
    if (isInNet(resolved_ip, "100.64.0.0", "255.255.0.0"))
        return "DIRECT";

    // ========== Bypasses for Zscaler IAM ===================================
    var iam = /^.*\.(zslogin|zsloginbeta|zslogindemo|zsloginalpha).net$/;
    if (iam.test(host))
        return "DIRECT";

    if (dnsDomainIs(host, "zsa.zscaler.com"))
        return "PROXY 165.225.120.34:80; PROXY 167.103.133.129:80; DIRECT";

    /* Zscaler trust/status pages go direct over HTTP(S); the host list is truncated in the post */
    if (((localHostOrDomainIs(host, "trust.zscaler.com")) ||
         (localHostOrDomainIs(host, "trust.zscaler.net")) ||
         ...
         (localHostOrDomainIs(host, "trust.zdxstage.net"))) &&
        (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:"))
        return "DIRECT";

    /* Microsoft 365 / Entra ID and Zoom are sent DIRECT, so they never reach ZIA */
    if (shExpMatch(host, "*.zoom.com") ||
        shExpMatch(host, "*.zoom.us") ||
        shExpMatch(host, "*.office.com") ||
        shExpMatch(host, "*.microsoftonline.com") ||
        shExpMatch(host, "*.cloud.microsoft") ||
        shExpMatch(host, "*.static.microsoft") ||
        shExpMatch(host, "*.usercontent.microsoft") ||
        shExpMatch(host, "*.office365.com") ||
        shExpMatch(host, "*.onmicrosoft.com") ||
        shExpMatch(host, "*.outlook.com") ||
        shExpMatch(host, "*.mx.microsoft") ||
        shExpMatch(host, "*.svc.ms") ||
        shExpMatch(host, "*.windows.net") ||
        shExpMatch(host, "*.skype.com") ||
        shExpMatch(host, "*.cdn.onenote.net") ||
        shExpMatch(host, "*.msftidentity.com") ||
        shExpMatch(host, "*.msidentity.com") ||
        shExpMatch(host, "*.sharepoint.com") ||
        shExpMatch(host, "login.microsoftonline.com")) {
        return "DIRECT";
    }

    /* Zscaler's own login and gateway hostnames go direct */
    if (dnsDomainIs(host, "login.zscaler.net"))
        return "DIRECT";

    if (dnsDomainIs(host, "gateway.zscaler.net"))
        return "DIRECT";

    /* Everything else: ${GATEWAY} / ${SECONDARY_GATEWAY} are Zscaler PAC variables substituted
       when the file is served. Note that PAC syntax expects the PROXY keyword in front of each
       proxy entry; verify the file as actually delivered to the device. */
    return "${GATEWAY}:443; ${SECONDARY_GATEWAY}:443; DIRECT";
}

reddit.com
u/necromok — 23 hours ago
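The quickest way to see which hosts this PAC sends DIRECT (and which therefore never reach ZIA for policy, SSL inspection or logging) is to evaluate it off-device before pushing it through Intune. The harness below is an added example, not part of the post or of any Zscaler file: it emulates the PAC built-ins with a constructed DNS stub, runs an abridged copy of the posted PAC, and also checks that every proxy entry in a result starts with a keyword the PAC format defines (DIRECT, PROXY, HTTPS, SOCKS); as posted, the gateway entries on the final return line carry no such keyword, so the check reports them.

```javascript
// Added example, not from the original post or from Zscaler: an offline harness that
// evaluates a PAC file against sample URLs, reporting which traffic goes DIRECT (and so
// never reaches ZIA) and whether every proxy entry returned is well formed. The helpers
// emulate the browser's PAC built-ins; the DNS answers are a constructed stub.
const dnsStub = {                              // constructed answers, not live DNS
  "intranet.corp.example": "100.64.1.10",      // inside the ZPA 100.64.0.0/16 range
  "www.facebook.com": "203.0.113.10",          // TEST-NET address standing in for a public IP
  "login.microsoftonline.com": "203.0.113.20",
};
const helpers = {
  dnsResolve: (h) => dnsStub[h] || null,
  isPlainHostName: (h) => !h.includes("."),
  dnsDomainIs: (h, d) => h.endsWith(d),
  localHostOrDomainIs: (h, d) => h === d || (!h.includes(".") && d.startsWith(h + ".")),
  shExpMatch: (s, p) => new RegExp("^" + p.replace(/[.+^${}()|\[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(s),
  isInNet: (ip, net, mask) => {                // false when dnsResolve returned null
    if (!ip) return false;
    const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  },
};

// Evaluate the PAC source with the helpers in scope and hand back its FindProxyForURL.
function loadPac(source) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// A PAC result is ';'-separated; each entry must begin with a keyword the PAC format defines.
const KEYWORD = /^(DIRECT|PROXY|HTTPS|SOCKS|SOCKS4|SOCKS5)\b/;
function malformedEntries(result) {
  return result.split(";").map((e) => e.trim()).filter((e) => e && !KEYWORD.test(e));
}

// Abridged from the PAC in the post: private-range, ZPA and Microsoft bypass branches plus
// the final return line exactly as posted (the ${GATEWAY} placeholders are kept as text).
const pacSource = `
function FindProxyForURL(url, host) {
  var privateIP = /^(0|10|127|192\\.168|172\\.1[6789]|172\\.2[0-9]|172\\.3[01]|169\\.254|192\\.88\\.99)\\.[0-9.]+$/;
  if (isPlainHostName(host) || privateIP.test(host)) return "DIRECT";
  if (isInNet(dnsResolve(host), "100.64.0.0", "255.255.0.0")) return "DIRECT";
  if (shExpMatch(host, "*.microsoftonline.com") || shExpMatch(host, "login.microsoftonline.com")) return "DIRECT";
  return "\${GATEWAY}:443; \${SECONDARY_GATEWAY}:443; DIRECT";
}`;

const pac = loadPac(pacSource);
for (const [url, host] of [["http://www.facebook.com/", "www.facebook.com"],
    ["https://login.microsoftonline.com/", "login.microsoftonline.com"],
    ["https://intranet.corp.example/", "intranet.corp.example"]]) {
  const result = pac(url, host), bad = malformedEntries(result);
  console.log(host, "->", result, bad.length ? "MALFORMED: " + bad.join(", ") : "ok");
}
```

To test the real file, replace pacSource with the full PAC text as delivered to the device and extend dnsStub with the hosts you care about.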

Any feedback on SSPM

Hello team, do some of you have any feedback on SSPM features? We might be interested, but we do not have the licence yet and do not know yet what the cost for it could be.

Do you have any feedback about it, efficiency, cost, maintenance, etc?

Thank you!

reddit.com
u/Possible_Ad_2515 — 1 day ago

TCP Quick ACK (more) questions

Hello! As I was doing research on SMB/DFS slowness issues on ZPA, I came across some previous posts discussing TCP Quick ACK ([1], [2]).
I am in a similar situation, where I have tried just about every recommendation from Zscaler and Reddit: dedicated App Connectors for SMB, TCP Quick ACK enabled on the App Connector Group, SMB 2 vs 3, Private Service Edge, various ZCC versions; no joy.
I raised a support case with Zscaler and I was told that they can enable TCP Quick ACK in the backend, typically kept as an optimization enabled only when needed.
The way it was presented to me, this is a tenant-level setting, which will apply broadly to all ZPA TCP traffic.
I was encouraged that there should not be any noticeable issues, other than a slight increase in ACK traffic that could potentially lead to increased CPU/memory/network consumption.

As this is a global setting, I was wondering if anyone in the community has it enabled in their tenant and has noticed any improvements from enabling it, or has faced any issues after enabling it.
Thank you!

reddit.com
u/Dalalee4 — 2 days ago

(Delivery Consultant) EDU 302 Hands on Lab

I have completed all prerequisites for the EDU 302 Hands-on Lab. I was wondering if this is similar to the EDU 200 and EDU 202 Labs, where we are given a lab guide and have to perform accordingly. Can anyone who has done it shed some light? Thank you!!!!

reddit.com
u/necromok — 2 days ago

How are teams handling MDM alongside Zero Trust setups?

Been noticing that as more companies move toward Zero Trust and cloud-based security models, device management is becoming a much bigger part of the conversation.

It’s one thing to secure access through network controls, but if the endpoint itself is not compliant or properly managed, there’s still a huge gap.

That’s probably why MDM platforms are getting more attention now, especially for enforcing policies, checking device posture, and keeping visibility across remote endpoints.

u/Unique_Inevitable_27 — 2 days ago

Using ZCC from Intune to mobile devices

Hello everyone, does any of you know how to configure ZCC through Intune to have auto-enrollment, BUT I would like to keep my ZPA working.

Apparently we can use an enrollwithmdm setting in the configuration designer within an app configuration, but by doing so it looks like Zscaler says that we lose our ZPA, because we need to make Zscaler the IdP, which is annoying.

I would like to get my ZIA and ZPA and have auto-enrollment and always-on VPN.

I have configured the always-on VPN, but because enrollment is not automatic, the always-on VPN is not working yet (I guess so).

Moreover, through my tenant I have several domains and end users get their company portal using SSO, SAML.

If anyone has clear and detailed instructions for this it would be welcome.

I am also considering the case where we cannot use auto-enroll and so need to enable lockdown mode within the device configuration and always-on VPN to guarantee that the end user connects.

Thank you all

reddit.com
u/Possible_Ad_2515 — 3 days ago

Zscaler + gong

The IT department has pushed Zscaler to our computers and a few of us are experiencing issues with Gong (VoIP). IT says they included all of Gong in a bypass rule and that the issues some of us are having are most likely related to our ISP. What can I look for to help resolve the issue?

reddit.com
u/Fit_Big9225 — 6 days ago

My employer switched to zscaler vpn

and now we are having issues and can’t get anyone from Xfinity to talk to my employer on how to fix it. My employer's IT dept says I have to switch from Xfinity. My daughter works for the same employer and has Xfinity as well but does not have the issues. PLEASE HELP, and I need it dumbed down as well; I do not understand any of this. Thank you

reddit.com
u/Practical-Rate-4250 — 6 days ago

IPv6 Enablement

Just this year, we started encountering more and more issues with users having IPv6. Zscaler is pushing back about enabling IPv6 in our tenant. We have a large mix of Windows, Mac, and iOS devices. I'm worried about setting a forwarding profile to drop IPv6 when it is native to the cellular iOS devices.

reddit.com
u/Fujka — 6 days ago

Z-Tunnel 2.0 Frustration

I have a very frustrating issue & I need some advice on where to look for troubleshooting... it's actually my system that's having the trouble. I'm our Zscaler admin and we're still onboarding and have about 15 systems on ZIA & ZPA, eventually going up to about 650 total. So far, it's gone great, but with one exception.

My laptop will enable Z-Tunnel 2.0 on every VLAN/subnet, except for one and it's the only computer like this.

My System: Z-T 2.0 on all networks, except for 10.20.30.0/24, which only turns up Z-T 1.0.
All Other Systems: Z-T 2.0 on all networks, including 10.20.30.0/24.

Obviously, there's something unique about my system, but I'm not sure what it could be or where to look. Anyone have any thoughts, comments, or suggestions?

Thanks

reddit.com
u/SOHC427 — 8 days ago

Will my employer see me working internationally with Zscaler part 2

Wassup Zscaler gang. I'm back after more research and some further details explaining my scenario of trying to work remotely in Germany with a US-based job. My previous post got a LOT of chatter, opinions, and suggestions. I'm back with a part 2 going deeper into what I have going on, with some screenshots of my Zscaler product as well as details of my day-to-day operation.

Device & Security Information

  • Device Type: Company-issued laptop
  • Operating System: Windows 11
  • Security Software Installed: Zscaler pre-installed by the company

Authentication & MFA

  • No third-party MFA application is used during normal sign-in to company applications
  • Initial device setup required Microsoft Authenticator when first hired and configuring the laptop
  • After initial setup, Microsoft Authenticator is not used for routine application logins
  • Standard login is performed using Windows/company credentials

SMS MFA Usage

  • One web-based application uses SMS-based MFA
  • Verification codes are sent via text message to a personal phone number

Communication & Collaboration Tools

  • Microsoft Teams is used for communication and collaboration
  • Microsoft Outlook is used for email communication

Calling Platform

  • Genesys Cloud web client is used for inbound and outbound calls

I started researching the GL.iNet Slate 7 travel routers and creating a personal VPN with my home cable ISP to try and make this possible. Is it worth it? Is anyone out there using this method to work overseas with Zscaler, and can you tell me about your experience?

So, Zscaler admins, WILL YOU CATCH ME IN GERMANY?

https://preview.redd.it/yrxr8h7vd81h1.png?width=1146&format=png&auto=webp&s=0f92d7fc4e8ca54d3cada2f51f546408fef58929

https://preview.redd.it/3v9l2h7vd81h1.png?width=1141&format=png&auto=webp&s=fd12662524e62757d13b83bba04f7739c12fe2fd

https://preview.redd.it/n18bdi7vd81h1.png?width=1150&format=png&auto=webp&s=fa21966765699906df13433283a8230881b7fad2

https://preview.redd.it/k0ryai7vd81h1.png?width=1156&format=png&auto=webp&s=152a3b5f4043ce594c6d1bf88b3f581110d91be1

https://preview.redd.it/4joalj7vd81h1.png?width=1137&format=png&auto=webp&s=98f5919137f186fdb7df68f14408aa5d1690e944

reddit.com
u/Yung-Thanos — 7 days ago

Will my employer see me working internationally with Zscaler?

Title says it all. I’ve got a great personal relationship with my direct leader who doesn’t mind if I work internationally, but our company policies say otherwise which he is well aware of.

We are both wondering about the likelihood of it being caught by Zscaler. This isn’t just a typical "I’m trying to vacation and work" case; my wife is still living in Germany as we wait for her green card to be processed. I work for a big corporation with 50k+ employees, and they also have jobs for our company in Germany.

I’m not trying to permanently stay there, but I usually try to go for a month at a time. Any feedback is greatly appreciated; I’m just trying to work while being able to spend time with my wife while we go through this tough immigration transition.

reddit.com
u/Yung-Thanos — 11 days ago

Zscaler AI Security Capabilities?

Has anyone used any of the AI capabilities within Zscaler?

- AI inventory & discovery
- Securing AI access - SaaS within AI Guard
- Securing AI app & infra - Private AI access with AI guard

They are quite new; however, I want to know if anyone has had experience with them. They’ve not exactly been the best when releasing new features, so I'm very curious.

reddit.com
u/RangoNarwal — 10 days ago

Seamless sign on at first login (Okta)

Wondering what folks do for seamless sign on at install.

We have Entra-joined devices and use cloud name= and user domain= in the installer command line, but the app doesn’t sign in automatically.

We have both ZIA and ZPA and I suspect the issue is MFA requirements for ZPA.

Anyone else managed to configure this properly?

reddit.com
u/Horror-Debt-5290 — 10 days ago

New Small Business

Hello! I’ve seen this topic posted a couple of times but do not see a good solution. I finally left my employer and started my own tax consulting firm a month ago. I have run into some issues with being classified as phishing or, in this case, malicious. According to Claude it’s possibly due to my domain age and being in a high-fraud tax/financial services space. I’ve gotten syntec and Bitdefender to reclassify me as clean with their public review requests. I’ve called Zscaler to request that someone review my website, but they said only customers can request this.

Anyone know of a workaround? Domain is svatax.com. Very unfortunate to be a new business trying to get my name out there and then having my website blocked in many organizations. Any help would be appreciated.

reddit.com
u/chunk121212 — 10 days ago

ZPA AppConnector DNS

Hi All,

Working with an org that uses GSLBs to load balance applications across DCs. Noticed that ZPA App Connectors are not respecting TTLs for DNS records and instead seem to cache records for 20 minutes regardless of TTL. Has anyone else faced something similar? Raised an ER with Zscaler but not getting much traction.

reddit.com
u/BreachBangBacon — 9 days ago

Guidance on Zscaler Physical Branch Connector.

Looking for guidance on Zscaler Physical Branch Connector.

We already have ZIA and ZPA deployed. Our office has two ISPs: one for production and one for guest Wi-Fi, which also acts as a backup.
The guest network currently uses separate SRX firewalls, and I’m exploring replacing them with Zscaler Physical Branch Connectors.

My understanding is that this could help us achieve the following:

  • Segmentation: I saw a presentation mentioning that Zscaler can assign /32 addresses to hosts.
  • Traffic inspection: Route traffic to the Zscaler cloud for security analysis.
  • Centralized management: Manage all sites through a single cloud portal.

I know GRE tunnels can be configured on SRX300 to route traffic to the Zscaler cloud for inspection, but I’m looking for a simpler plug-and-play option.

reddit.com
u/neng802 — 9 days ago

SASE Production Outage During Rollout? How to Validate Identity-Based Segmentation Before Pushing Changes

Mid SASE deployment, Zscaler stack. Diagrams showed segmented zones with identity-based routing through ISE. Firewall policies were tagged and aligned with the design. Signed off on a config push.

The environment still had overlapping VLANs from an older Cisco setup. They weren’t fully removed. After the change, user traffic was mapped to the wrong segment instead of guest.

Authentication traffic started hitting the control plane. Routing state didn’t match segmentation tags. Firewalls dropped traffic as a result.

Production went down across core services. We rolled back after a few hours.

The issue was a mismatch between the segmentation model and the actual network state. Diagrams assumed clean separation. The real environment still had legacy paths.

SASE enforced policy on top of that state. It didn’t surface the conflict before applying it.

For anyone running this at scale:
where does this usually break?

reddit.com
u/Kitchen_West_3482 — 11 days ago

Zscaler installation issue

Hi,

I’m trying to package Zscaler, but it requires an uninstall password, without which the source MSI rolls back. Any solution? There’s no password provided in previous packages either.

reddit.com
u/lonewolf23595 — 12 days ago