Zscaler client presented with a Broadcom (WSS) certificate when a user tries to connect with the Zscaler VPN client.

Article ID: 214998

Products

Web Security Service - WSS

Issue/Introduction

Zscaler client installed on a Windows laptop

Laptop connected to the corporate BYOD/Wi-Fi network

BYOD network traffic is tunneled into WSS via an IPsec tunnel

Browsing the internet after enabling the Zscaler client works fine, and the traffic is protected by Zscaler services

SSL inspection is disabled globally on the WSS side

Trying to bring up the Zscaler VPN client fails with an 'Untrusted root certificate' error, as shown below

The same user has no issues when connecting from the corporate network or from home

Cause

WSS performs an SSL protocol check (protocol detection) on the connection. Because the upstream SSL handshake to Zscaler fails, WSS sends back an error over a TLS session that uses a WSS certificate. The Zscaler client does not trust that certificate, which is why it reports 'Untrusted root certificate'.

Environment

Zscaler client

IPsec tunnel into WSS

Resolution

Disable protocol detection for the Zscaler IP addresses the client needs.

If UPE is used to manage WSS, disable protocol detection at the VPM level or with the following CPL:

detect_protocol(no) http.method=CONNECT url.host.is_numeric=yes

If the WSS Portal is used, go to the Policy tab -> Content and Malware Analysis tab and add scanning exemptions for the Zscaler IP address ranges you are connecting to.
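The CPL rule above matches every CONNECT request whose destination host is an IP literal, which is broader than the "Zscaler IP addresses needed by the client" the Resolution describes; the portal instructions scope the exemption to specific ranges. The following added example (written for this article, not Broadcom's or Zscaler's own code) evaluates both forms of the rule over constructed proxy requests so you can see which connections would skip protocol detection under each. The IP ranges are placeholders, not Zscaler's published ranges; substitute the ranges your client actually uses.

```python
"""Evaluate which CONNECT requests skip protocol detection under

    detect_protocol(no) http.method=CONNECT url.host.is_numeric=yes

and under a tightened variant limited to specific destination ranges.
Added example, not part of the original article."""

import ipaddress
from dataclasses import dataclass

# Placeholder networks standing in for the Zscaler ranges the client needs.
# These are documentation (RFC 5737) addresses, not real Zscaler ranges.
ZSCALER_RANGES_PLACEHOLDER = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class ProxyRequest:
    """A request as the explicit proxy sees it before tunnelling."""
    method: str
    host: str
    port: int


def host_is_numeric(host: str) -> bool:
    """Equivalent of url.host.is_numeric=yes: the host is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # strip IPv6 brackets
        return True
    except ValueError:
        return False


def exempt_by_article_rule(req: ProxyRequest) -> bool:
    """The article's CPL: any CONNECT to a numeric host skips protocol detection."""
    return req.method.upper() == "CONNECT" and host_is_numeric(req.host)


def exempt_by_scoped_rule(req: ProxyRequest, ranges=ZSCALER_RANGES_PLACEHOLDER) -> bool:
    """Narrower variant: only CONNECTs into the listed ranges skip detection."""
    if not exempt_by_article_rule(req):
        return False
    addr = ipaddress.ip_address(req.host.strip("[]"))
    return any(addr in net for net in ranges)


def classify(requests, ranges=ZSCALER_RANGES_PLACEHOLDER):
    """Map each request to (article_rule_exempt, scoped_rule_exempt)."""
    return {r: (exempt_by_article_rule(r), exempt_by_scoped_rule(r, ranges))
            for r in requests}


# Constructed sample requests; not taken from a real capture.
SAMPLE_REQUESTS = [
    ProxyRequest("CONNECT", "192.0.2.10", 443),       # inside a placeholder range
    ProxyRequest("CONNECT", "203.0.113.7", 443),      # numeric, but unrelated
    ProxyRequest("CONNECT", "www.example.com", 443),  # hostname: detection stays on
    ProxyRequest("GET", "192.0.2.10", 80),            # not CONNECT: detection stays on
]

if __name__ == "__main__":
    for req, (broad, scoped) in classify(SAMPLE_REQUESTS).items():
        print(f"{req.method:8} {req.host:18} article rule: {broad!s:5}  scoped rule: {scoped}")
```

The second numeric request shows the difference: the article's rule exempts any CONNECT to an IP literal, so an unrelated numeric destination also bypasses protocol detection, whereas the scoped variant keeps detection on for everything outside the listed ranges.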

Additional Information

A PCAP taken on the Zscaler workstation shows the WSS certificate coming back even though SSL inspection was disabled. This was triggered by upstream SSL handshake issues while WSS was performing protocol detection.