Users accessing ZTNA applications successfully.
After integrating with Cloud SWG, WSS Agent hosts on Windows can connect but fail to access any segment-based applications; macOS users have no issues accessing the same resources.
Users accessing ZTNA segment-based applications get connectivity-related errors, whether via a browser or via thick clients.
ZTNA segment applications.
Cloud SWG integration with ZTNA.
WSS Agent.
Cannot run WSS Agent with MCU=1 when integrating with ZTNA.
Install WSS Agent on Windows with MCU=0 (default) or with the 'AU=Unauthenticated' option.
ZTNA requires authenticated access as part of its Zero Trust architecture, because access to the internal network must not be allowed without authentication. When the MCU parameter is set to 1, there is no way to determine which user the DNS requests (for example) are coming from, because the OS sends all DNS requests from the SYSTEM user. As a result, those requests are not admitted into the WSS Agent tunnel and are dropped.
If the MCU parameter must be set to 1 for Windows Terminal Services, so that users can connect to the machine using RDP, install the agent with "AU=unauthenticated" to force SAML authentication, which ZTNA requires anyway.
In the Symdiag PCAPs, the requests destined for the ZTNA segment application leave via the public interface rather than the tunneled interface, as shown below:
To verify that CTC sent back the correct ZTNA directives, we checked the markIpAddresses directive and confirmed that our IP address was listed:
"markIpAddresses": [
"10.0.120.4/32",
"192.168.88.0/24",
"10.0.120.5/32",
"192.168.98.20/32",
"192.168.100.0/24",
"10.0.30.4/32",
"10.0.100.5/32",
"10.0.10.9/32",
"10.0.140.4/32",
"192.168.98.210/32",
"192.168.88.17/32"
],
The WSS Agent logs show what is happening: there are many users on this system, including the non-interactive-user, which indicates that the WSS Agent is installed with MCU=1:
[07-16-2024 13:59:22 (UTC+1:00)]: CTC Response: ACTIVE(GEOIP) egress: #.#.#.# GGBLO-148.64.28.164 GGBDO-170.176.242.164 geolocation: GB
[07-16-2024 13:59:22 (UTC+1:00)]: Cloud Firewall Services: Enabled
[07-16-2024 13:59:22 (UTC+1:00)]: Attempting to connect to GGBLO via UDP
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#59(non-interactive-user): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#59(non-interactive-user): status:SUCCESS-authorized
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#59(non-interactive-user) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.174.154.219, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Connection to WSS successful - Tunnel#59
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#60(EXAMPLE\User1): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#60(EXAMPLE\User1) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.53.159.23, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#61(EXAMPLE\User2): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#61(EXAMPLE\User2) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.45.162.152, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\User1)
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#62(EXAMPLE\User3): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#62(EXAMPLE\User3) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.46.161.175, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\User2)
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#63(EXAMPLE\User4): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\User3)
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#63(EXAMPLE\User4) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.169.148.207, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\User4)
[07-16-2024 13:59:24 (UTC+1:00)]: Authentication succeeded (EXAMPLE\User3)
[07-16-2024 13:59:24 (UTC+1:00)]: Block notification channel connecting - Tunnel#62(EXAMPLE\User3)[11]
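The two checks walked through above (is a non-interactive-user tunnel present, i.e. MCU=1, and does the destination fall inside a markIpAddresses CIDR) can be scripted over a WSS Agent log. The script below is an added example, not part of the article or of the WSS Agent; the sample log and the CIDR list are constructed subsets of the lines quoted above.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the WSS Agent log lines quoted in the article.
SAMPLE_LOG = """\
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#59(non-interactive-user): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#59(non-interactive-user) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.174.154.219, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#60(EXAMPLE\\User1): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#60(EXAMPLE\\User1) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.53.159.23, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\\User1)
[07-16-2024 13:59:22 (UTC+1:00)]: CA Tunnel#62(EXAMPLE\\User3): connecting to 148.64.28.164
[07-16-2024 13:59:22 (UTC+1:00)]: Tunnel#62(EXAMPLE\\User3) connected to concentrator: 148.64.28.164 (GGBLO-UDP), Nat IP: 10.46.161.175, RcvBuf: 2097152
[07-16-2024 13:59:22 (UTC+1:00)]: Waiting for user authentication (EXAMPLE\\User3)
[07-16-2024 13:59:24 (UTC+1:00)]: Authentication succeeded (EXAMPLE\\User3)
"""

# Constructed subset of the markIpAddresses directive shown in the article.
MARK_IP_ADDRESSES = ["10.0.120.4/32", "192.168.88.0/24", "192.168.98.20/32"]

TUNNEL_RE = re.compile(r"Tunnel#(\d+)\(([^)]+)\) connected to concentrator")
WAIT_RE = re.compile(r"Waiting for user authentication \(([^)]+)\)")
AUTH_OK_RE = re.compile(r"Authentication succeeded \(([^)]+)\)")


def analyze_wss_log(text):
    """Map tunnels to users, track auth state, and flag the MCU=1 indicator."""
    tunnels = {}                          # tunnel number -> user name
    auth = defaultdict(lambda: "none")    # user -> none / pending / ok
    for line in text.splitlines():
        if m := TUNNEL_RE.search(line):
            tunnels[int(m.group(1))] = m.group(2)
            auth.setdefault(m.group(2), "none")
        elif m := WAIT_RE.search(line):
            auth[m.group(1)] = "pending"
        elif m := AUTH_OK_RE.search(line):
            auth[m.group(1)] = "ok"
    return {
        # A tunnel owned by non-interactive-user only appears with MCU=1.
        "mcu_enabled": "non-interactive-user" in tunnels.values(),
        "tunnels": tunnels,
        "auth": dict(auth),
        "unauthenticated_users": sorted(u for u, s in auth.items() if s != "ok"),
    }


def is_marked(ip, cidrs=MARK_IP_ADDRESSES):
    """True when the destination IP falls inside a markIpAddresses CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)
```

If `mcu_enabled` is true while users still show as `pending`, the host is in the state the article describes and should be reinstalled with MCU=0 or with AU=Unauthenticated.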