question

0 Votes
ShijinMohammed-5429 asked ShijinMohammed-5429 commented

Zscaler Private Access and SCCM

Hi All,

We absolutely want our Internet-based clients to use the CMG; we do not want them to behave as on-prem clients unless they are indeed on prem. But we have an issue: when the CM client tries to establish its location, it thinks it is an intranet-managed device because its global catalog queries are successful.

We tried using the ZPA connector IPs as an AD site, but that is not helping, as SCCM is picking up the client's local IP. We then thought of adding the RFC 1918 addresses as a boundary group and assigning it to the CMG, but some of our sites already use those ranges on the internal network, so we skipped that. We also blocked on-prem MP traffic over ZPA, thinking the devices would be redirected to the CMG, but no luck with that either.

How can we make the client think it is on the Internet and redirect it to the CMG?

Any help is appreciated.

TIA

mem-cm-general
· 3

Also, please DM me on Twitter (@jasonsandys) your organization name and size so I can build a case internally to potentially provide a mechanism to directly address this in ConfigMgr.

2 Votes

Jason, were you able to come up with a resolution to this issue?

0 Votes
Jason-MSFT, replying to WilliamsJeff-7582:

Not sure exactly what you are asking here. Two possibilities for addressing this in an org are as outlined in my other answer in this thread. I'm working on a more formal solution directly in the product as well, but that will take at least a little bit of time to complete and get released in a production build.

As noted, if you are blocked or face significant pain because of this, please DM on Twitter or reply here with a private message so I can add your org to our customer based evidence for this.

0 Votes
1 Vote
Jason-MSFT answered ShijinMohammed-5429 commented

If (and only if) the clients are always on the Internet, then you can configure them to be always on the Internet at installation time and they will always use the CMG.

If they roam between intranet and Internet, then there are a couple of paths today:

  • Use AD sites as noted above. There is a way for ZPA to map clients to specific AD sites not based on their client IP. See https://community.zscaler.com/t/zscaler-private-access-active-directory/8826 for details. This is ZPA specific, so if you have questions on this, please discuss with Zscaler.

  • Add all of the private IP address ranges as boundaries and map those to boundary groups associated with the CMG.

· 3
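Both of Jason's paths, as an added example in the ConfigMgr PowerShell module (this is not code from the thread or from Microsoft): the install-time properties that pin a client to Internet mode, the RFC 1918 ranges as IP-range boundaries in a boundary group that references the CMG, and a client-side check of which mode the client actually chose. The site code ABC, the CMG name, the numeric CCM_Proxy_MutualAuth segment, the boundary and group names, and the root\ccm:ClientInfo class used for the check are all assumptions.

```powershell
# Added example, not from the thread. Site code "ABC", the CMG host name, the
# numeric proxy path segment and the boundary/group names are assumptions.

# --- Path 1: clients that are always on the Internet -------------------------
# CCMALWAYSINF=1 pins the client to Internet mode at install time; CCMHOSTNAME
# and /mp: point it at the CMG. Run the returned line on the client.
function Get-AlwaysInternetInstallLine {
    param(
        [string]$CmgPath  = 'CONTOSOCMG.EASTUS.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927939', # assumed
        [string]$SiteCode = 'ABC'                                                                        # assumed
    )
    "ccmsetup.exe /mp:https://$CmgPath CCMHOSTNAME=$CmgPath SMSSITECODE=$SiteCode CCMALWAYSINF=1"
}

# --- Path 2: private ranges as boundaries referencing the CMG -----------------
# Run on a machine with the ConfigMgr console installed, against the site.
function New-PrivateRangeCmgBoundaryGroup {
    param(
        [string]$SiteCode  = 'ABC',                                   # assumed
        [string]$GroupName = 'BG-Private-Ranges-CMG',                  # assumed
        [string]$CmgServer = 'CONTOSOCMG.EASTUS.CLOUDAPP.AZURE.COM'    # assumed
    )
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
    Set-Location "$SiteCode`:"

    # The three RFC 1918 blocks as IP-range boundaries (name => range).
    $ranges = [ordered]@{
        'RFC1918-10.0.0.0-8'     = '10.0.0.0-10.255.255.255'
        'RFC1918-172.16.0.0-12'  = '172.16.0.0-172.31.255.255'
        'RFC1918-192.168.0.0-16' = '192.168.0.0-192.168.255.255'
    }

    if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
        New-CMBoundaryGroup -Name $GroupName | Out-Null
    }
    foreach ($name in $ranges.Keys) {
        if (-not (Get-CMBoundary -BoundaryName $name)) {
            New-CMBoundary -Type IPRange -Name $name -Value $ranges[$name] | Out-Null
        }
        # Idempotent enough for a re-run: adding an existing member is a no-op.
        Add-CMBoundaryToGroup -BoundaryName $name -BoundaryGroupName $GroupName
    }

    # Reference the CMG from the group (console: boundary group > References >
    # site systems). Passing the CMG's site system name to -AddSiteSystemServerName
    # is an assumption; if your build rejects it, add the reference in the console.
    Set-CMBoundaryGroup -Name $GroupName -AddSiteSystemServerName $CmgServer
    Get-CMBoundaryGroup -Name $GroupName
}

# --- Check on a client: which mode did it pick? -------------------------------
# The "Connection Type" value in the Configuration Manager Control Panel applet
# (Currently intranet / Currently Internet / Always Internet). Reading it from
# root\ccm:ClientInfo.InInternet is an assumption; confirm against
# LocationServices.log on the client.
function Get-ClientConnectionMode {
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo
    if ($info.InInternet) { 'Internet' } else { 'Intranet' }
}
```

Run `Get-ClientConnectionMode` on a ZPA-connected laptop before and after either change: the poster's symptom is that it reports Intranet because the global catalog lookups succeed over the tunnel. Path 2 does not change that verdict; it makes the CMG one of the site systems the client is allowed to use while it believes it is on the intranet. ConfigMgr permits the RFC 1918 boundaries to overlap with existing on-prem boundaries, and a client that falls into both groups is offered the site systems of both, which is why the poster skipped this path when on-prem sites already used those ranges.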

We are working with Microsoft on this issue. And MS suggested to follow with mapping AD site to ZPA IP connectors. Need some design changes in our environment and it's in WIP now...

0 Votes
RakeshKumar-2842, replying to ShijinMohammed-5429:

Hi @ShijinMohammed-5429,

Is your problem solved or not yet? I'm facing a similar challenge for all VPN laptops that are using Zscaler ZPA.

If you have solved the issue, please share your findings and the steps to solve it.

Your support will be highly appreciated.

0 Votes

Hi @RakeshKumar-2842
Yes, mapping the AD site to the ZPA connector IPs helped us solve the issue. See the link for more details: supporting-microsoft-sccm

0 Votes
0 Votes
WilliamsJeff-7582 answered Jason-MSFT commented

Thank you, Jason, but I don't use Twitter, making follow-up there impossible. I did see your two possible answers, but it was not clear if you had validated that they solve the problem or if you came up with additional solutions not in the thread.

· 2

They can solve the problem, yes, depending on your environment, but you need to review and evaluate them for this.

0 Votes

How about going to https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/629631 and messaging me directly there with your org details so that I can add your org to our customer evidence. This won't get you early access and doesn't guarantee anything, but just helps me build the business case for getting the work done in the product itself.

0 Votes