ZTNA enabled but WSS Agent UI reporting "ZTNA configuration is not compatible with this deployment"

Article ID: 406030


Products

Symantec ZTNA, Cloud Secure Web Gateway - Cloud SWG, Cloud Secure Web Gateway

Issue/Introduction

Users access internet sites via Cloud SWG using WSS and SEP Agents.

ZTNA is enabled so that managed devices can access ZTNA segment applications via Cloud SWG.

Some users with ZTNA enabled report problems accessing segment applications, with connectivity errors at the application layer.

Some of the impacted users see the message "ZTNA configuration is not compatible with this deployment" on the WSS Agent UI status page.

Other impacted users do not see this message.

Environment

Cloud SWG.

ZTNA.

 

Cause

Impacted users were authenticating with the Auth Connector integration.

Resolution

Make sure that all ZTNA-enabled users are authenticating with SAML.

Additional Information

  • Users reporting the issue were NOT using SAML but local auth, with Auth Connector used to retrieve groups.
  • We reference 3 groups in the Cloud SWG ATM config (Okta, AD and hybrid Okta/AD).
  • Users with 9.8.3 correctly see the message that ZTNA is not compatible. This is because ZTNA needs SAML auth.
  • 9.7.1 users see that ZTNA is enabled, but access to a segment-based application fails (again normal, as we have no name identifier to pass into ZTNA). WSS Agent 9.7.1 is not going to be fixed.