
Zscaler VPN client is presented with a Broadcom (WSS) certificate when a user tries to connect.


Article ID: 214998


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Zscaler client installed on a Windows laptop

Laptop connected to corporate BYOD/Wifi network

BYOD network traffic tunneled into WSS via an IPSEC tunnel

Browsing internet traffic after enabling the Zscaler client works fine and is protected by Zscaler services

SSL inspection is disabled globally on WSS side

Trying to bring up the Zscaler VPN client fails with an 'Untrusted root certificate' error, as shown below

The same user has no issues when connecting from the corporate network or from home


Zscaler client

IPSEC tunnel into WSS


WSS performs an SSL protocol detection check on the CONNECT request. Because the upstream SSL handshake to Zscaler fails during that check, WSS sends an error page back to the client over a TLS session that uses the WSS certificate, which the Zscaler client does not trust.


Disable protocol detection for the Zscaler IP addresses needed by the client.

If UPE is used to manage WSS, disable protocol detection at the VPM level or with the following CPL (the rule is placed in a Proxy layer; as written it disables detection for all CONNECT requests, so narrow the condition to the Zscaler addresses if the rest of your CONNECT traffic should keep protocol detection):

<Proxy>
  http.method=CONNECT detect_protocol(no)

If the WSS Portal is used, go to the Policy tab -> Content and Malware Analysis tab and add scanning exemptions for the Zscaler IP address ranges you are connecting to.
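The following CPL is an added example, not part of the original article, that applies the same resolution more narrowly: protocol detection is disabled only for CONNECT requests whose destination falls in the Zscaler address ranges, so every other tunnelled CONNECT keeps the default detection and its associated protection. The subnet label and the 192.0.2.0/24 range are placeholders (an RFC 5737 documentation range); replace them with the actual Zscaler IP ranges the client connects to.

```cpl
; Added example (not from the article): scope the detect_protocol(no)
; exemption to the Zscaler VPN endpoints instead of every CONNECT request.
; The range below is a placeholder; substitute the real Zscaler IP ranges.
define subnet zscaler_vpn_endpoints
  192.0.2.0/24    ; placeholder, RFC 5737 documentation range
end

<Proxy>
  ; CONNECT requests to the Zscaler endpoints skip protocol detection, so
  ; the failed upstream handshake no longer produces a WSS-signed error page.
  ; Every other CONNECT request falls through with detection still enabled.
  http.method=CONNECT url.address=zscaler_vpn_endpoints detect_protocol(no)
```

Install the policy through the same path used for the article's one-line rule (a CPL layer in the VPM when UPE manages WSS). After deploying it, a capture on the affected workstation should show the Zscaler-issued certificate rather than the WSS certificate on the VPN client's connection.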

Additional Information

A PCAP taken on the Zscaler workstation shows the WSS certificate being returned even though SSL inspection was disabled globally. This is triggered by the upstream SSL handshake failure that occurs while WSS is performing protocol detection, not by SSL inspection.