Zscaler Private Access and SCCM

shmo-MS 216 Reputation points
2021-06-09T11:41:37.7+00:00

Hi All,

We absolutely want our Internet based clients to use the CMG, we do not want them to behave as On prem clients unless they are indeed on prem. But we have an issue, when the CM client tries to establish its location it thinks it is an Intranet managed device as its global catalog queries are successful.

We tried using ZPA connector IPs as a AD site, but not helping as SCCM is picking the client's local IP. Then thought of adding rfc1918 addresses as a boundary group and assign to CMG, but we have some sites already using it in internal network, so skipped it. Also blocked on-prem MP traffic over ZPA and thought devices will be re-directed to CMG, no luck with that too.

How we can make the client think it is on the Internet and reidirect to CMG??

Any help is appreciated.

TIA

Microsoft Configuration Manager
Accepted answer
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-06-09T19:58:29.543+00:00

    If (and only if) the clients are always on the Internet, then you can configure them to be always on the Internet at installation time and they will always use the CMG.

    If they roam between intranet and Internet, then there are a couple of paths today:

    • Use AD sites as noted above. There is a way for ZPA to map clients to specific AD sites not based on their client IP. See https://community.zscaler.com/t/zscaler-private-access-active-directory/8826 for details. This is ZPA specific so if you have questions on this, please discuss with ZScalar.
    • Add all of the private IP address ranges as boundaries and map those to boundary groups associated with the CMG.
    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Williams Jeff 1 Reputation point
    2021-07-19T20:56:00.283+00:00

    Thank you, Jason, but I don't use Twitter making follow up there impossible. I did see your two possible answers but it was not clear if you had validated that they solve the problem or if you came up with additional solutions not in the thread.

  2. Falconer, Chris 1 Reputation point
    2022-01-05T10:21:54.86+00:00

    From ZPA client version 3.6 you can force any client connected by ZPA to return a connection type of "Currently Internet", therefore forcing the client to use Internet infra.

    https://help.zscaler.com/client-connector/configuring-zscaler-client-connector-profiles#windows