Channel: All about Microsoft Endpoint Manager

Microsoft Intune – Zscaler Client Connector connectivity issues: can't reach login.microsoftonline.com


Introduction:

I was recently involved in setting up a Microsoft 365 proof of concept (zero trust) and managing endpoints such as Windows, iOS and Android using Microsoft Endpoint Manager (Intune).

The Windows devices were set up using Autopilot and are purely Azure AD joined, with BitLocker keys stored in the cloud.

To secure internet web traffic and to enforce security policies such as tenant restrictions, this project uses Zscaler.

Although we had Zscaler, we still configured Windows Information Protection (WIP) to protect enterprise data, along with the following configurations.

1. Device compliance policies.

2. Device configuration policies.

3. Endpoint security policies such as AV, Defender etc.

4. Security baseline policies for Windows 10, Microsoft Edge and Defender.

5. Windows Update for Business (WUfB)

Issue:

When the Zscaler Client Connector application was installed during device provisioning, users were unable to connect to the Zscaler app.

The Zscaler application launches automatically at Windows login, and it fails with the following errors.

Can’t reach this page. Make sure the web address https://login.microsoftonline.com is correct

Can’t reach this page. Make sure the web address https://login.zscalerthree.com is correct

Navigation to the webpage was cancelled.


Troubleshooting:

Initially, when I saw this error, I thought it was related to the Zscaler profile configuration: the PAC file configured in the Zscaler portal, or a Windows 10 network isolation issue.

We even considered issues with Windows Defender endpoint protection: Windows Defender AV or Windows Defender Application Guard.

To confirm whether the issue was on the Microsoft Intune side or the Zscaler side, I installed the Zscaler Client Connector app on a BYOD device that is not enrolled in Microsoft Intune. On the BYOD device, I was able to sign in to the Zscaler app. This confirmed that the issue occurs only on Intune-enrolled devices.

To troubleshoot further, I used Fiddler and Wireshark to trace the web traffic and the network traffic.

I launched Fiddler, then started the Zscaler app, and it was able to connect to the service successfully.

I tried capturing a network trace with Wireshark, without much success either.

Since none of these external tools helped much in tracing the problem, I started looking at the Windows Defender policies and excluded the Zscaler client app. This did not help either.

During the investigation, I decided to exclude the test group (of which the user is a member) from the WIP policy and try again. This time, it worked fine.

So I finally figured out that the issue lay within the boundaries of Windows Information Protection.

Time to work through the WIP policy and see which configuration is blocking the connectivity.

First, I added the following URLs to the cloud resources in the WIP policy.

.zscalerthree.net|.zscaler.net|login.microsoftonline.com|login.zscalerthree.net

This configuration did not help.

The next configuration change was to add the Zscaler app to the WIP protected applications.

You can use a PowerShell command to get the publisher information, which is then added to the WIP policy as a desktop app.


Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Zscaler\ZSATray\ZSATray.exe" | fl *

Path      : %PROGRAMFILES%\ZSCALER\ZSATRAY\ZSATRAY.EXE
Publisher : O=ZSCALER, INC., L=SAN JOSE, S=CALIFORNIA, C=US\CLIENT CONNECTOR\ZSATRAY.EXE,3.4.1.4
Hash      : SHA256 0xF3E5AA3EE62395DFE8BBE5D8CB5A56ADA1652D166F2739317B138750D412DDD8
AppX      : False

Add this application to the WIP policy and save the changes.

Wait for the policy to sync, then launch the Zscaler Client Connector app. This time, the application connects to the Zscaler service and functions correctly.

The endpoint URLs used to reach Azure AD and the Zscaler service are now allowed.
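The publisher-rule step above, as an added PowerShell example (my code, not the post's, Zscaler's or Microsoft's): it reads the same signature fields the post obtains from Get-AppLockerFileInformation, splits the Publisher string into the Publisher / Product name / File / Version values the WIP desktop-app entry asks for, exports an AppLocker publisher rule XML that the Intune WIP policy's app import accepts, and checks TCP reachability of the sign-in hosts from the error messages so that a plain DNS or firewall fault is not mistaken for a WIP network-isolation block. It assumes the ZSATray.exe path shown in the post; the output file name is hypothetical.

```powershell
# Added example, not from the original post: WIP desktop-app publisher fields,
# AppLocker rule export, and a reachability check for the sign-in endpoints.
# Assumptions: the ZSATray.exe path is the one shown in the post; the output
# file name below is hypothetical.

$ZsaTrayPath = 'C:\Program Files (x86)\Zscaler\ZSATray\ZSATray.exe'
$RuleXmlPath = Join-Path $env:TEMP 'Zscaler-WIP-AppLocker.xml'   # hypothetical output path

function Get-WipPublisherFields {
    param([string]$Path)

    $info = Get-AppLockerFileInformation -Path $Path
    if (-not $info.Publisher) {
        throw "No publisher signature found for $Path; WIP cannot build a publisher rule for an unsigned binary."
    }

    # The Publisher string has the form
    #   <certificate subject>\<product name>\<binary name>,<binary version>
    # e.g. O=ZSCALER, INC., L=SAN JOSE, S=CALIFORNIA, C=US\CLIENT CONNECTOR\ZSATRAY.EXE,3.4.1.4
    # The subject itself contains commas, so split on the backslashes first and
    # only then take the version from the end of the last segment.
    $text = $info.Publisher.ToString()
    if ($text -notmatch '^(?<subject>[^\\]+)\\(?<product>[^\\]*)\\(?<binary>[^\\,]+),(?<version>[\d.]+)$') {
        throw "Unexpected publisher format: $text"
    }

    [pscustomobject]@{
        Publisher   = $Matches.subject   # WIP desktop app field 'Publisher'
        ProductName = $Matches.product   # 'Product name'
        BinaryName  = $Matches.binary    # 'File'
        Version     = $Matches.version   # 'Min version', if you choose to pin it
        Sha256      = $info.Hash.ToString()
    }
}

function Export-WipPublisherRule {
    param([string]$Path, [string]$OutFile)

    # New-AppLockerPolicy turns the file information into a FilePublisherRule;
    # -Xml returns the AppLocker policy document, which is the format the Intune
    # WIP policy accepts when importing a list of desktop apps.
    Get-AppLockerFileInformation -Path $Path |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'WIP' -Xml |
        Out-File -FilePath $OutFile -Encoding utf8
    return $OutFile
}

function Test-SignInEndpoints {
    # Hosts taken from the error messages and the cloud-resources entry in the post.
    param([string[]]$Hosts = @('login.microsoftonline.com', 'login.zscalerthree.net'))

    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        # TCP reachable while the app still shows "Can't reach this page" points at
        # a policy boundary (WIP network isolation / protected-app list) rather
        # than DNS or a firewall.
        [pscustomobject]@{
            Host         = $h
            TcpReachable = $r.TcpTestSucceeded
        }
    }
}

Get-WipPublisherFields -Path $ZsaTrayPath | Format-List
Export-WipPublisherRule -Path $ZsaTrayPath -OutFile $RuleXmlPath
Test-SignInEndpoints | Format-Table -AutoSize
```

Run it in an elevated PowerShell on an enrolled device. A publisher rule is preferable to the SHA256 hash also printed by Get-AppLockerFileInformation, because the hash changes with every Zscaler client update while the publisher, product and binary name stay the same.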


It took a couple of days to figure out where the issue was; the fix is to add the Zscaler app to the app protection policy (WIP).

Hope this helps!


Viewing all articles
Browse latest Browse all 444

Trending Articles