Learn about Security Service Edge (SSE) coexistence with Microsoft and Zscaler

In today's rapidly evolving digital landscape, organizations require robust, unified solutions to ensure secure and seamless connectivity. Microsoft and Zscaler offer complementary Secure Access Service Edge (SASE) capabilities that, when integrated, provide enhanced security and connectivity for diverse access scenarios.

This guide outlines how to configure and deploy Microsoft Entra solutions alongside Zscaler's Security Service Edge (SSE) offerings. By using the strengths of both platforms, you can optimize your organization's security posture while maintaining high-performance connectivity for private applications, Microsoft 365 traffic, and internet access.

  1. Microsoft Entra Private Access with Zscaler Internet Access

    In this scenario, Global Secure Access handles private application traffic. Zscaler only captures Internet traffic. Therefore, the Zscaler Private Access module is disabled from the Zscaler portal.

  2. Microsoft Entra Private Access with Zscaler Private Access and Zscaler Internet Access

    In this scenario, both clients handle traffic for separate private applications. Global Secure Access handles private applications in Microsoft Entra Private Access. Private applications in Zscaler use the Zscaler Private Access module. Zscaler Internet Access handles Internet traffic.

  3. Microsoft Entra Microsoft Access with Zscaler Private Access and Zscaler Internet Access

    In this scenario, Global Secure Access handles all Microsoft 365 traffic. Zscaler Private Access handles Private application traffic and Zscaler Internet Access handles Internet traffic.

  4. Microsoft Entra Internet Access and Microsoft Entra Microsoft Access with Zscaler Private Access

    In this scenario, Global Secure Access handles Internet and Microsoft 365 traffic. Zscaler only captures Private application traffic. Therefore, the Zscaler Internet Access module is disabled from the Zscaler portal.

Prerequisites

To configure Microsoft and Zscaler for a unified SASE solution, start by setting up Microsoft Entra Internet Access and Microsoft Entra Private Access. Next, configure Zscaler Private Access and Zscaler Internet Access. Finally, make sure to establish the required FQDN and IP bypasses to ensure smooth integration between the two platforms.

  • Set up Microsoft Entra Internet Access and Microsoft Entra Private Access. These products make up the Global Secure Access solution.
  • Set up Zscaler Private Access and Zscaler Internet Access.
  • Configure the Global Secure Access FQDN and IP bypasses.

Microsoft Global Secure Access

To set up Microsoft Entra Global Secure Access and test all scenarios in this documentation:

Zscaler Private Access and Internet Access

To integrate Zscaler Private Access and Zscaler Internet Access with Microsoft Global Secure Access, make sure you complete the following prerequisites. These steps ensure smooth integration, better traffic management, and improved security.

Global Secure Access service FQDNs and IPs bypasses

Configure the Zscaler Client Connector app profile to work with Microsoft Entra service Fully Qualified Domain Names (FQDNs) and Internet Protocol (IP) addresses.

These entries need to be present in the app profiles for every scenario:

  • IPs: 150.171.15.0/24, 150.171.18.0/24, 150.171.19.0/24, 150.171.20.0/24, 13.107.232.0/24, 13.107.233.0/24, 151.206.0.0/16, 6.6.0.0/16
  • FQDNs: internet.edgediagnostic.globalsecureaccess.microsoft.com, m365.edgediagnostic.globalsecureaccess.microsoft.com, private.edgediagnostic.globalsecureaccess.microsoft.com, aps.globalsecureaccess.microsoft.com, auth.edgediagnostic.globalsecureaccess.microsoft.com, <tenantid>.internet.client.globalsecureaccess.microsoft.com, <tenantid>.m365.client.globalsecureaccess.microsoft.com, <tenantid>.private.client.globalsecureaccess.microsoft.com, <tenantid>.auth.client.globalsecureaccess.microsoft.com, <tenantid>.private-backup.client.globalsecureaccess.microsoft.com, <tenantid>.internet-backup.client.globalsecureaccess.microsoft.com, <tenantid>.m365-backup.client.globalsecureaccess.microsoft.com, <tenantid>.auth-backup.client.globalsecureaccess.microsoft.com.
  • Install and configure Zscaler Client Connector software.
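The bypass list above is the one setting every scenario depends on: if an entry is missing, the Zscaler Client Connector tunnels the Global Secure Access client's own service traffic and the health check fails. The following Python module is an added example, not Microsoft or Zscaler code. It renders the list for a given tenant, checks whether a destination would be bypassed, and audits an existing app profile for missing entries. It assumes the bypass field is evaluated as IP prefix matching for address literals and exact, case-insensitive hostname matching for FQDNs; the tenant ID used in the comments and tests is a constructed placeholder.

```python
"""Model of the Zscaler Client Connector app-profile bypass list required for
Global Secure Access coexistence (added example, not vendor code).

Assumed semantics: an IP destination is bypassed when it falls inside any
listed CIDR prefix; a hostname is bypassed when it equals a listed FQDN
(case-insensitive, trailing dot ignored). Tenant IDs are constructed.
"""
import ipaddress

# Prefixes and hostnames copied from the page's prerequisites list.
GSA_SERVICE_PREFIXES = [
    "150.171.15.0/24", "150.171.18.0/24", "150.171.19.0/24", "150.171.20.0/24",
    "13.107.232.0/24", "13.107.233.0/24", "151.206.0.0/16", "6.6.0.0/16",
]

GSA_SERVICE_FQDNS = [
    "internet.edgediagnostic.globalsecureaccess.microsoft.com",
    "m365.edgediagnostic.globalsecureaccess.microsoft.com",
    "private.edgediagnostic.globalsecureaccess.microsoft.com",
    "aps.globalsecureaccess.microsoft.com",
    "auth.edgediagnostic.globalsecureaccess.microsoft.com",
    "<tenantid>.internet.client.globalsecureaccess.microsoft.com",
    "<tenantid>.m365.client.globalsecureaccess.microsoft.com",
    "<tenantid>.private.client.globalsecureaccess.microsoft.com",
    "<tenantid>.auth.client.globalsecureaccess.microsoft.com",
    "<tenantid>.private-backup.client.globalsecureaccess.microsoft.com",
    "<tenantid>.internet-backup.client.globalsecureaccess.microsoft.com",
    "<tenantid>.m365-backup.client.globalsecureaccess.microsoft.com",
    "<tenantid>.auth-backup.client.globalsecureaccess.microsoft.com",
]


def render_bypass_entries(tenant_id):
    """Return the concrete entries to paste into the HOSTNAME OR IP ADDRESS
    BYPASS FOR VPN GATEWAY field, with <tenantid> replaced by tenant_id."""
    if not tenant_id or "<" in tenant_id or ">" in tenant_id:
        raise ValueError("tenant_id must be the real tenant identifier, not a placeholder")
    fqdns = [f.replace("<tenantid>", tenant_id.lower()) for f in GSA_SERVICE_FQDNS]
    return GSA_SERVICE_PREFIXES + fqdns


def is_bypassed(destination, tenant_id):
    """True when the Zscaler client should leave this destination alone so the
    Global Secure Access client can reach its own service endpoints."""
    entries = render_bypass_entries(tenant_id)
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        # Not an IP literal: treat as a hostname and compare exactly.
        host = destination.rstrip(".").lower()
        return host in {e for e in entries if "/" not in e}
    return any(addr in ipaddress.ip_network(e) for e in entries if "/" in e)


def missing_entries(configured, tenant_id):
    """Audit helper for the verification steps: given the entries actually
    present in an app profile, return the required entries that are absent."""
    present = {c.strip().lower() for c in configured}
    return [r for r in render_bypass_entries(tenant_id) if r.lower() not in present]


if __name__ == "__main__":
    # Constructed tenant ID for illustration only.
    tenant = "11111111-2222-3333-4444-555555555555"
    for entry in render_bypass_entries(tenant):
        print(entry)
    print(missing_entries(["150.171.15.0/24", "aps.globalsecureaccess.microsoft.com"], tenant))
```

Run `missing_entries` against an export of the profile's bypass field before each scenario's "Verify configurations for clients" step; an empty result means every required prefix and hostname is present.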

Configuration 1: Microsoft Entra Private Access with Zscaler Internet Access

In this scenario, Microsoft Entra Private Access handles private application traffic, while Zscaler Internet Access manages Internet traffic. The Zscaler Private Access module is disabled in the Zscaler portal. To configure Microsoft Entra Private Access, enable the forwarding profile, install the Private Network Connector, set up Quick Access, configure Private DNS, and install the Global Secure Access client. For Zscaler Internet Access, create a forwarding profile and an app profile, add bypass rules for the Microsoft Entra services, and install the Zscaler Client Connector. Finally, verify the configurations and test the traffic flows to confirm that each solution handles only its own private or Internet traffic.

Microsoft Entra Private Access configuration

For this scenario you need to:

Zscaler Internet Access configuration

Perform the following in the Zscaler portal:

  • Set up and configure Zscaler Internet Access.
  • Create a forwarding profile.
  • Create an app profile.
  • Install the Zscaler Client Connector.

Add Forwarding Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > Administration > Forwarding Profile > Add Forwarding Profile.
  2. Add a Profile Name such as ZIA Only.
  3. Select Packet Filter-Based in Tunnel Driver Type.
  4. Select forwarding profile action as Tunnel and select tunnel version. For example, Z-Tunnel 2.0.
  5. Scroll down to Forwarding profile action for ZPA.
  6. Select None for all options in this section.

Add App Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > App Profiles > Windows (or macOS) > Add Windows Policy (or macOS).
  2. Add Name, set Rule Order such as 1, select Enable, select User(s) to apply this policy, and select the Forwarding Profile. For example, select ZIA Only.
  3. Scroll down and add the Microsoft SSE service Internet Protocol (IP) addresses and Fully Qualified Domain Names (FQDNs) listed in the Global Secure Access service FQDNs and IPs bypasses section to the “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” field.

Go to the system tray to check that Global Secure Access and Zscaler clients are enabled.

Verify configurations for clients:

  1. Right-click on Global Secure Access Client > Advanced Diagnostics > Forwarding Profile and verify that Private access and Private DNS rules are applied to this client.
  2. Navigate to Advanced Diagnostics > Health Check and ensure no checks are failing.
  3. Right-click on Zscaler Client > Open Zscaler > More. Verify App Policy matches configurations in the earlier steps. Validate that it's up to date or update it.
  4. Navigate to Zscaler Client > Internet Security. Verify Service Status is ON and Authentication Status is Authenticated.
  5. Navigate to Zscaler Client > Private Access. Verify Service Status is DISABLED.

Note

For information about troubleshooting health check failures, see Troubleshoot the Global Secure Access client diagnostics - Health check.

Test traffic flow:

  1. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. Select the Traffic tab and select Start collecting.
  2. Access these websites from the browser: bing.com, salesforce.com, Instagram.com.
  3. In the system tray, right-click Global Secure Access Client and select Advanced Diagnostics > Traffic tab.
  4. Scroll to observe that the Global Secure Access client isn't capturing traffic from these websites.
  5. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs. Validate traffic related to these sites is missing from the Global Secure Access traffic logs.
  6. Sign in to Zscaler Internet Access (ZIA) admin portal and browse to Analytics > Web Insights > Logs. Validate traffic related to these sites is present in Zscaler logs.
  7. Access your private application set up in Microsoft Entra Private Access. For example, access a File Share via Server Message Block (SMB).
  8. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs.
  9. Validate traffic related to File Share is captured in the Global Secure Access traffic logs.
  10. Sign in to Zscaler Internet Access (ZIA) admin portal and browse to Analytics > Web Insights > Logs. Validate traffic related to the private application isn't present in the Dashboard or traffic logs.
  11. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. In the Traffic dialog box, select Stop collecting.
  12. Scroll to confirm the Global Secure Access client handled only private application traffic.

Configuration 2: Microsoft Entra Private Access with Zscaler Private Access and Zscaler Internet Access

In this scenario, both clients handle traffic for separate private applications. Global Secure Access handles private applications in Microsoft Entra Private Access. Private applications in Zscaler use the Zscaler Private Access module. Zscaler Internet Access handles Internet traffic.

Microsoft Entra Private Access configuration 2

For this scenario, you need to:

Zscaler Private Access and Zscaler Internet Access configuration 2

Perform the steps in the Zscaler portal:

  • Set up and configure both Zscaler Internet Access and Zscaler Private Access.
  • Create a forwarding profile.
  • Create an app profile.
  • Install the Zscaler Client Connector.

Add Forwarding Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > Administration > Forwarding Profile > Add Forwarding Profile.
  2. Add a Profile Name such as ZIA and ZPA.
  3. Select Packet Filter-Based in Tunnel Driver Type.
  4. Select forwarding profile action as Tunnel, and select tunnel version. For example, Z-Tunnel 2.0.
  5. Scroll down to Forwarding profile action for ZPA.
  6. Select Tunnel for all options in this section.

Add App Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > App Profiles > Windows (or macOS) > Add Windows Policy (or macOS).
  2. Add Name, set Rule Order such as 1, select Enable, select User(s) to apply this policy, and select the Forwarding Profile. For example, select ZIA and ZPA.
  3. Scroll down and add the Microsoft SSE service Internet Protocol (IP) addresses and Fully Qualified Domain Names (FQDNs) listed in the Global Secure Access service FQDNs and IPs bypasses section to the “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” field.

Go to the system tray to check that Global Secure Access and Zscaler clients are enabled.

Verify configurations for clients:

  1. Right-click on Global Secure Access Client > Advanced Diagnostics > Forwarding Profile and verify that Private access and Private DNS rules are applied to this client.
  2. Navigate to Advanced Diagnostics > Health Check and ensure no checks are failing.
  3. Right-click on Zscaler Client > Open Zscaler > More. Verify App Policy matches configurations in the earlier steps. Validate that it's up to date or update it.
  4. Navigate to Zscaler Client > Internet Security. Verify Service Status is ON and Authentication Status is Authenticated.
  5. Navigate to Zscaler Client > Private Access. Verify Service Status is ON and Authentication Status is Authenticated.

Note

For information about troubleshooting health check failures, see Troubleshoot the Global Secure Access client diagnostics - Health check.

Test traffic flow:

  1. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. Select the Traffic tab and select Start collecting.
  2. Access these websites from the browser: bing.com, salesforce.com, Instagram.com.
  3. In the system tray, right-click Global Secure Access Client and select Advanced Diagnostics > Traffic tab.
  4. Scroll to observe that the Global Secure Access client isn't capturing traffic from these websites.
  5. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs. Validate traffic related to these sites is missing from the Global Secure Access traffic logs.
  6. Sign in to Zscaler Internet Access (ZIA) admin portal and browse to Analytics > Web Insights > Logs.
  7. Validate traffic related to these sites is present in Zscaler logs.
  8. Access your private application set up in Microsoft Entra Private Access. For example, access a File Share via SMB.
  9. Access your private application set up in Zscaler Private Access. For example, open an RDP session to a private server.
  10. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs.
  11. Validate traffic related to the SMB file share private app is captured and that traffic related to the RDP session isn't captured in the Global Secure Access traffic logs.
  12. Sign in to Zscaler Private Access (ZPA) admin portal and browse to Analytics > Diagnostics > Logs. Validate traffic related to the RDP session is present and that traffic related to the SMB file share isn't in the Dashboard or Diagnostic logs.
  13. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. In the Traffic dialog box, select Stop collecting.
  14. Scroll to confirm the Global Secure Access client handled private application traffic for the SMB file share and didn't handle the RDP session traffic.

Configuration 3: Microsoft Entra Microsoft Access with Zscaler Private Access and Zscaler Internet Access

In this scenario, Global Secure Access handles all Microsoft 365 traffic. Zscaler Private Access handles Private application traffic and Zscaler Internet Access handles Internet traffic.

Microsoft Entra Microsoft Access configuration 3

For this scenario, you need to:

Zscaler Private Access and Zscaler Internet Access configuration 3

Perform the following in the Zscaler portal:

  • Set up and configure Zscaler Private Access.
  • Create a forwarding profile.
  • Create an app profile.
  • Install the Zscaler Client Connector.

Add Forwarding Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > Administration > Forwarding Profile > Add Forwarding Profile.
  2. Add a Profile Name such as ZIA and ZPA.
  3. Select Packet Filter-Based in Tunnel Driver Type.
  4. Select forwarding profile action as Tunnel, and select tunnel version. For example, Z-Tunnel 2.0.
  5. Scroll down to Forwarding profile action for ZPA.
  6. Select Tunnel for all options in this section.

Add App Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > App Profiles > Windows (or macOS) > Add Windows Policy (or macOS).
  2. Add Name, set Rule Order such as 1, select Enable, select User(s) to apply this policy, and select the Forwarding Profile. For example, select ZIA and ZPA.
  3. Scroll down and add the Microsoft SSE service Internet Protocol (IP) addresses and Fully Qualified Domain Names (FQDNs) listed in the Global Secure Access service FQDNs and IPs bypasses section to the “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” field.

Go to the system tray to check that Global Secure Access and Zscaler clients are enabled.

Verify configurations for clients:

  1. Right-click on Global Secure Access Client > Advanced Diagnostics > Forwarding Profile and verify that only Microsoft 365 rules are applied to this client.
  2. Navigate to Advanced Diagnostics > Health Check and ensure no checks are failing.
  3. Right-click on Zscaler Client > Open Zscaler > More. Verify App Policy matches configurations in the earlier steps. Validate that it's up to date or update it.
  4. Navigate to Zscaler Client > Internet Security. Verify Service Status is ON and Authentication Status is Authenticated.
  5. Navigate to Zscaler Client > Private Access. Verify Service Status is ON and Authentication Status is Authenticated.

Note

For information about troubleshooting health check failures, see Troubleshoot the Global Secure Access client diagnostics - Health check.

Test traffic flow:

  1. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. Select the Traffic tab and select Start collecting.
  2. Access these websites from the browser: bing.com, salesforce.com, Instagram.com.
  3. In the system tray, right-click Global Secure Access Client and select Advanced Diagnostics > Traffic tab.
  4. Scroll to observe that the Global Secure Access client isn't capturing traffic from these websites.
  5. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs. Validate traffic related to these sites is missing from the Global Secure Access traffic logs.
  6. Sign in to Zscaler Internet Access (ZIA) admin portal and browse to Analytics > Web Insights > Logs.
  7. Validate traffic related to these sites is present in Zscaler logs.
  8. Access your private application set up in Zscaler Private Access. For example, open an RDP session to a private server.
  9. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs.
  10. Validate traffic related to the RDP session isn't in the Global Secure Access traffic logs.
  11. Sign in to Zscaler Private Access (ZPA) admin portal and browse to Analytics > Diagnostics > Logs. Validate traffic related to the RDP session is present in the Dashboard or Diagnostic logs.
  12. Access Outlook Online (outlook.com, outlook.office.com, outlook.office365.com), SharePoint Online (<yourtenantdomain>.sharepoint.com).
  13. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. In the Traffic dialog box, select Stop collecting.
  14. Scroll to confirm the Global Secure Access client handled only Microsoft 365 traffic.
  15. You can also validate that the traffic is captured in the Global Secure Access traffic logs. In the Microsoft Entra admin center, navigate to Global Secure Access > Monitor > Traffic logs.
  16. Validate traffic related to Outlook Online and SharePoint Online is missing from Zscaler Internet Access logs in Analytics > Web Insights > Logs.

Configuration 4: Microsoft Entra Internet Access and Microsoft Entra Microsoft Access with Zscaler Private Access

In this scenario, Global Secure Access handles Internet and Microsoft 365 traffic. Zscaler only captures private application traffic. Therefore, the Zscaler Internet Access module is disabled from the Zscaler portal.

Microsoft Entra Internet and Microsoft Access configuration 4

For this scenario, you need to configure:

Adding a custom bypass for Zscaler in Global Secure Access:

  1. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Connect > Traffic forwarding > Internet access profile. Under Internet access policies select View.
  2. Expand Custom Bypass and select Add rule.
  3. Leave destination type FQDN and in Destination enter *.prod.zpath.net.
  4. Select Save.
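Scenario 4 is the only one where the bypass runs in both directions: the Zscaler client bypasses the Global Secure Access service endpoints (prerequisites), and the Global Secure Access Internet access profile bypasses *.prod.zpath.net so the Zscaler Private Access module can still reach its own service. The following Python module is an added example, not Microsoft or Zscaler code. It models which client owns a given destination in this scenario and checks that model against the destinations the "Test traffic flow" steps use. Assumed semantics: an FQDN rule of the form *.suffix matches any hostname with at least one label in front of suffix, but not suffix itself; a destination belonging to a Zscaler private app segment is not acquired by the Global Secure Access client; every other destination is Microsoft 365 if it matches an M365 domain rule and Internet otherwise. The private app segment names and the RDP host are constructed.

```python
"""Scenario 4 ownership model: Global Secure Access owns Internet and
Microsoft 365 traffic, Zscaler Private Access owns private applications, and
the Global Secure Access Internet access profile bypasses *.prod.zpath.net.

Added example, not vendor code. Rule semantics are assumptions documented in
the lead-in; the private app segments and hostnames below are constructed.
"""

# Custom bypass from the page's "Adding a custom bypass for Zscaler" steps.
CUSTOM_BYPASS = ["*.prod.zpath.net"]

# Microsoft 365 destinations named in the page's traffic-flow test; modelled
# as exact names plus a wildcard for SharePoint Online tenant hosts.
M365_DOMAIN_RULES = [
    "outlook.com", "outlook.office.com", "outlook.office365.com",
    "*.sharepoint.com",
]

# Constructed Zscaler Private Access app segment (assumption, not from the page).
DEFAULT_ZPA_SEGMENTS = ["*.corp.example"]


def fqdn_rule_matches(rule, host):
    """Match one FQDN rule against a hostname under the assumed semantics:
    '*.suffix' needs at least one label before suffix; otherwise exact match."""
    host = host.rstrip(".").lower()
    rule = rule.lower()
    if rule.startswith("*."):
        suffix = rule[1:]  # '*.prod.zpath.net' -> '.prod.zpath.net'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == rule


def owner(host, zpa_segments=DEFAULT_ZPA_SEGMENTS, custom_bypass=CUSTOM_BYPASS):
    """Return which component ends up handling traffic to host:
    'bypass'       - excluded from Global Secure Access by the custom bypass
    'zpa'          - a Zscaler Private Access app segment
    'gsa-m365'     - Global Secure Access, Microsoft 365 profile
    'gsa-internet' - Global Secure Access, Internet access profile"""
    if any(fqdn_rule_matches(r, host) for r in custom_bypass):
        return "bypass"
    if any(fqdn_rule_matches(r, host) for r in zpa_segments):
        return "zpa"
    if any(fqdn_rule_matches(r, host) for r in M365_DOMAIN_RULES):
        return "gsa-m365"
    return "gsa-internet"


# Expected outcomes taken from the page's scenario 4 "Test traffic flow" steps;
# the RDP host is a constructed name inside the constructed ZPA segment.
EXPECTED_TRAFFIC_MATRIX = {
    "bing.com": "gsa-internet",
    "salesforce.com": "gsa-internet",
    "instagram.com": "gsa-internet",
    "outlook.office.com": "gsa-m365",
    "contoso.sharepoint.com": "gsa-m365",
    "rdp01.corp.example": "zpa",
}


def check_traffic_matrix(expected=EXPECTED_TRAFFIC_MATRIX, **kwargs):
    """Return (host, expected, actual) for every destination the model routes
    differently from the page's expectation; empty means the model agrees."""
    mismatches = []
    for host, want in expected.items():
        got = owner(host, **kwargs)
        if got != want:
            mismatches.append((host, want, got))
    return mismatches


if __name__ == "__main__":
    for host in EXPECTED_TRAFFIC_MATRIX:
        print(f"{host:28} -> {owner(host)}")
    print("mismatches:", check_traffic_matrix())
```

Removing the custom bypass from the model (pass `custom_bypass=[]`) shows why the page adds it: the Zscaler service hostnames would then fall through to the Global Secure Access Internet profile instead of being left to the Zscaler client.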

Zscaler Private Access configuration 4

Perform the procedure in the Zscaler portal:

  • Set up and configure Zscaler Private Access.
  • Create a forwarding profile.
  • Create an app profile.
  • Install the Zscaler Client Connector.

Add Forwarding Profile from the Client Connector Portal:

  1. Navigate to the Zscaler Client Connector admin portal > Administration > Forwarding Profile > Add Forwarding Profile.
  2. Add a Profile Name such as ZPA Only.
  3. Select Packet Filter-Based in Tunnel Driver Type.
  4. Select forwarding profile action as None.
  5. Scroll down to Forwarding profile action for ZPA.
  6. Select Tunnel for all options in this section.

Add App Profile from the Client Connector Portal:

  1. Navigate to Zscaler Client Connector admin portal > App Profiles > Windows (or macOS) > Add Windows Policy (or macOS).
  2. Add Name, set Rule Order such as 1, select Enable, select User(s) to apply this policy, and select the Forwarding Profile. For example, select ZPA Only.
  3. Scroll down and add the Microsoft SSE service Internet Protocol (IP) addresses and Fully Qualified Domain Names (FQDNs) listed in the Global Secure Access service FQDNs and IPs bypasses section to the “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” field.

Open the system tray to check that Global Secure Access and Zscaler clients are enabled.

Verify configurations for clients:

  1. Right-click on Global Secure Access Client > Advanced Diagnostics > Forwarding Profile and verify that Microsoft 365 and Internet Access rules are applied to this client.
  2. Expand the Internet access rules > Verify that the custom bypass, *.prod.zpath.net exists in the profile.
  3. Navigate to Advanced Diagnostics > Health Check and ensure no checks are failing.
  4. Right-click on Zscaler Client > Open Zscaler > More. Verify App Policy matches configurations in the earlier steps. Validate that it's up to date or update it.
  5. Navigate to Zscaler Client > Private Access. Verify Service Status is ON and Authentication Status is Authenticated.
  6. Navigate to Zscaler Client > Internet Security. Verify Service Status is DISABLED.

Note

For information about troubleshooting health check failures, see Troubleshoot the Global Secure Access client diagnostics - Health check.

Test traffic flow:

  1. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. Select the Traffic tab and select Start collecting.
  2. Access these websites from the browser: bing.com, salesforce.com, Instagram.com, Outlook Online (outlook.com, outlook.office.com, outlook.office365.com), SharePoint Online (<yourtenantdomain>.sharepoint.com).
  3. Sign in to Microsoft Entra admin center and browse to Global Secure Access > Monitor > Traffic logs. Validate traffic related to these sites is captured in the Global Secure Access traffic logs.
  4. Access your private application set up in Zscaler Private Access. For example, using Remote Desktop (RDP).
  5. Sign in to Zscaler Private Access (ZPA) admin portal and browse to Analytics > Diagnostics > Logs. Validate traffic related to the RDP session is present in the Dashboard or Diagnostic logs.
  6. Sign in to Zscaler Internet Access (ZIA) admin portal and browse to Analytics > Web Insights > Logs. Validate traffic related to Microsoft 365 and Internet Traffic such as Instagram.com, Outlook Online, and SharePoint Online is missing from ZIA logs.
  7. In the system tray, right-click Global Secure Access Client and then select Advanced Diagnostics. In the Traffic dialog box, select Stop collecting.
  8. Scroll to observe that the Global Secure Access client isn't capturing traffic from the private application. Also, observe that the Global Secure Access client is capturing traffic for Microsoft 365 and other internet traffic.