ZTNA users accessing Web resources from managed and unmanaged devices.
One such application uses JNLP/Applets to request and retrieve objects from the Web server.
The applets are launched via a parameter passed down to the client. The launch initially failed because the parameter contained the internal domain rather than the ZTNA domain.
After modifying the applet parameter (codebase) using link translation settings, the applet seemed to launch but returned an error.
ZTNA Web applications.
Applets.
Applets run with their own user-agent, which could not SSO to ZTNA.
Switched from the Web application to a segment-based application.
Although the user could authenticate to ZTNA successfully before connecting to the Web server, the applet could not authenticate or follow redirects when subsequently launched. This applies to any ZTNA Web application that does not share session information with the browser: a request from the new user-agent will not carry any session information and will be challenged to authenticate. If the application cannot handle this challenge, it will error out.
To address the issue, we switched to a segment application which, when accessed from a managed device using WSS Agent, sends the user auth information with every request into ZTNA and is therefore never challenged.
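One way to spot this condition in access logs before deciding between a Web application and a segment application, as an added example that is not part of the original article or of any vendor tooling. The log format, field layout, function names and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in a hypothetical gateway log format (an assumption):
# client_ip | user-agent | session cookie presented | status | path
SAMPLE_LOG = """\
10.0.0.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 | yes | 200 | /app/index.html
10.0.0.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 | yes | 200 | /app/launch.jnlp
10.0.0.5 | Java/1.8.0_381 | no | 302 | /app/lib/client.jar
10.0.0.5 | Java/1.8.0_381 | no | 302 | /app/lib/client.jar
10.0.0.9 | Mozilla/5.0 (Macintosh) Safari/605.1 | no | 302 | /app/index.html
10.0.0.9 | Mozilla/5.0 (Macintosh) Safari/605.1 | yes | 200 | /app/index.html
"""

# Responses treated as an authentication challenge (redirect to login or 401).
CHALLENGE_STATUSES = {302, 303, 307, 401}


def parse_line(line):
    client, agent, session, status, path = (f.strip() for f in line.split("|"))
    return client, agent, session == "yes", int(status), path


def find_challenged_secondary_agents(log_text):
    """Flag user-agents that never carried a session and were challenged,
    on clients where another user-agent (the browser) did authenticate."""
    seen = defaultdict(lambda: {"session": False, "challenged": []})
    for line in filter(str.strip, log_text.splitlines()):
        client, agent, has_session, status, path = parse_line(line)
        entry = seen[(client, agent)]
        entry["session"] = entry["session"] or has_session
        if not has_session and status in CHALLENGE_STATUSES:
            entry["challenged"].append(path)

    authenticated_clients = {c for (c, _), e in seen.items() if e["session"]}
    findings = []
    for (client, agent), e in sorted(seen.items()):
        # A browser challenged once before login is skipped: it later has a session.
        if client in authenticated_clients and not e["session"] and e["challenged"]:
            findings.append({"client": client, "agent": agent,
                             "challenges": len(e["challenged"]),
                             "paths": sorted(set(e["challenged"]))})
    return findings


if __name__ == "__main__":
    for finding in find_challenged_secondary_agents(SAMPLE_LOG):
        print(finding)
```

A user-agent flagged here is a candidate for the failure described above: it runs alongside an authenticated browser but never presents that browser's session.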