Zscalar using Broadcom certificate when user trying to connect to Zscaler VPN client.
Article ID: 214998
Updated On:
Products
Issue/Introduction
Zscalar client installed on Windows laptop
Laptop connected to corporate BYOD/Wifi network
BYOD network traffic tunneled into WSS via an IPSEC tunnel
Browsing internet traffic after enabling Zscalar client works fine, and is protected by Zscalar services
SSL inspection is disabled globally on WSS side
Trying to bring up the Zscalar VPN client fails with 'Untrusted root certificate' error as shown below
Same user has no issues when connecting from corporate network or home
Environment
Zscalar client
IPSEC tunnel into WSS
Cause
We try and do an SSL protocol check, and since SSL handshake to Zscalar fails we send back an error over an TLS session that uses a WSS certificate
Resolution
Disable protocol detection for the Zscalar IP addresses needed by the client.
If UPE is used to manage WSS, simply disable protocol at the VPM level or with the following CPL
detect_protocol(no) http.method=CONNECT url.host.is_numeric=yes
If the WSS Portal is used, go to the Policy tab -> Content and Malware analysis tab and add scanning exemptions for the Zscalar IP address ranges you are connecting to.
Additional Information
PCAP from Zscalar workstation shows the WSS cert coming back, even though SSL inspection was disabled. This was triggered as a result of upstream SSL handshake issues as it was detecting protocol.
Attachments
Feedback
