Zscaler using Broadcom certificate when user trying to connect to Zscaler VPN client.

Article ID: 214998


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Zscaler client installed on Windows laptop.

Laptop connected to corporate BYOD/Wifi network.

BYOD network traffic tunneled into Cloud SWG via an IPSEC tunnel.

Browsing internet traffic after enabling the Zscaler client works fine and is protected by Zscaler services.

SSL inspection is disabled globally on Cloud SWG side.

Trying to bring up the Zscaler VPN client fails with 'Untrusted root certificate' error.

Same user has no issues when connecting from corporate network or home.

Environment

Zscaler client.

IPSEC tunnel into Cloud SWG.

Cause

Cloud SWG attempts an SSL protocol check on the connection. Because the upstream SSL handshake to Zscaler fails, the error is sent back to the client over a TLS session that uses a Cloud SWG certificate, which the Zscaler client does not trust.

Resolution

Disable protocol detection for the Zscaler IP addresses needed by the client.

If UPE is used to manage Cloud SWG, disable protocol detection at the VPM level or with the following CPL:

detect_protocol(no) http.method=CONNECT url.host.is_numeric=yes
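The rule above turns off protocol detection for every CONNECT to a numeric host. The following is an added example, not part of this article, that scopes the exemption to the Zscaler ranges in use instead; the subnet label and the 203.0.113.0/24 address are placeholders to be replaced with the actual Zscaler IP ranges the client connects to.

```cpl
; Added example (not from the article): restrict the protocol-detection
; exemption to the Zscaler client ranges rather than all numeric hosts.
define subnet zscaler_client_ranges
    203.0.113.0/24    ; placeholder, replace with the real Zscaler ranges
end

<Proxy>
    ; Only CONNECT requests destined for the listed ranges skip detection;
    ; all other traffic keeps the global protocol-detection behaviour.
    http.method=CONNECT url.address=zscaler_client_ranges detect_protocol(no)
```

Keeping the exemption narrow means protocol detection still applies to the rest of the BYOD traffic tunneled into Cloud SWG; after installing the policy, repeating the VPN connection attempt and confirming in a capture that the Zscaler certificate, not the WSS certificate, is returned verifies the fix.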

If the WSS Portal is used, go to the Policy tab -> Content and Malware analysis tab and add scanning exemptions for the Zscaler IP address ranges you are connecting to.

Additional Information

A PCAP from the Zscaler workstation shows the WSS certificate coming back even though SSL inspection was disabled. This was triggered by upstream SSL handshake issues while Cloud SWG was performing protocol detection.