Zscaler Private Access and SCCM

shmo-MS 221

Hi All,

We absolutely want our Internet based clients to use the CMG, we do not want them to behave as On prem clients unless they are indeed on prem. But we have an issue, when the CM client tries to establish its location it thinks it is an Intranet managed device as its global catalog queries are successful.

We tried using ZPA connector IPs as a AD site, but not helping as SCCM is picking the client's local IP. Then thought of adding rfc1918 addresses as a boundary group and assign to CMG, but we have some sites already using it in internal network, so skipped it. Also blocked on-prem MP traffic over ZPA and thought devices will be re-directed to CMG, no luck with that too.

How we can make the client think it is on the Internet and reidirect to CMG??

Any help is appreciated.

TIA

Jason Sandys 31,306 Reputation points Microsoft Employee

2021-06-09T20:00:09.417+00:00

Also, please DM me on Twitter (@Jason Sandys ) your organization name and size so I can build a case internally to potentially provide a mechanism to directly address this in ConfigMgr.
Williams Jeff 1 Reputation point

2021-07-19T20:25:31.76+00:00

Jason, were you able to come up with a resolution to this issue?
Jason Sandys 31,306 Reputation points Microsoft Employee

2021-07-19T20:51:24.557+00:00

Not sure exactly what you are asking here. Two possibilities for addressing this in an org is as outlined in my other answer in this thread. I'm working on a more formal solution directly in the product as well but that will take at least a little bit of time to complete and get released in a production build.

As noted, if you are blocked or face significant pain because of this, please DM on Twitter or reply here with a private message so I can add your org to our customer based evidence for this.

Accepted answer

Jason Sandys 31,306 Reputation points Microsoft Employee

2021-06-09T19:58:29.543+00:00
If (and only if) the clients are always on the Internet, then you can configure them to be always on the Internet at installation time and they will always use the CMG.

If they roam between intranet and Internet, then there are a couple of paths today:

Use AD sites as noted above. There is a way for ZPA to map clients to specific AD sites not based on their client IP. See https://community.zscaler.com/t/zscaler-private-access-active-directory/8826 for details. This is ZPA specific so if you have questions on this, please discuss with ZScalar.

Add all of the private IP address ranges as boundaries and map those to boundary groups associated with the CMG.
Please sign in to rate this answer.

1 person found this answer helpful.
shmo-MS 221 Reputation points

2021-07-26T14:18:55.23+00:00

We are working with Microsoft on this issue. And MS suggested to follow with mapping AD site to ZPA IP connectors. Need some design changes in our environment and it's in WIP now...

Rakesh Kumar 461 Reputation points

2021-09-02T12:23:19.657+00:00

Hi @shmo-MS ,

is your problem solved or not yet? I'm facing similar challenge for all VPN laptops those are using Zscaler ZPA.

if you have solved the issue please share your findings and steps to solve it.

your support will be highly appreciated.

shmo-MS 221 Reputation points

2021-09-13T06:24:01.14+00:00

Hi @Rakesh Kumar
Yes, The Mapping AD site to ZPA IP connectors helped us to solve the issue. See the link for more details. supporting-microsoft-sccm
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

Williams Jeff 1 Reputation point

2021-07-19T20:56:00.283+00:00

Thank you, Jason, but I don't use Twitter making follow up there impossible. I did see your two possible answers but it was not clear if you had validated that they solve the problem or if you came up with additional solutions not in the thread.
Please sign in to rate this answer.
Jason Sandys 31,306 Reputation points Microsoft Employee

2021-07-19T22:12:00.18+00:00

They can solve the problem yes, depending on your environment but you need to review them and evaluate them for this.

Jason Sandys 31,306 Reputation points Microsoft Employee

2021-07-19T22:18:58.773+00:00

How about going to https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/629631 and messaging me directly there with your org details so that I can add your org to our customer evidence. This won't get you early access and doesn't guarantee anything, but just helps me build the business case for getting the work done in the product itself.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Falconer, Chris 1 Reputation point

2022-01-05T10:21:54.86+00:00

From ZPA client version 3.6 you can force any client connected by ZPA to return a connection type of "Currently Internet", therefore forcing the client to use Internet infra.

https://help.zscaler.com/client-connector/configuring-zscaler-client-connector-profiles#windows
Please sign in to rate this answer.
Jason Sandys 31,306 Reputation points Microsoft Employee

2022-01-05T15:14:56.6+00:00

You could always do this with ConfigMgr so not sure of the explicit advantage here. Note that if this option somehow dynamically flips the always Internet configuration of the ConfigMgr client, this is explicitly unsupported, so I'd strongly suggest caution with using this feature.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Zscaler Private Access and SCCM

2 additional answers

Your answer