This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unresolved URLs (Zscaler) are blocked in Web Filtering with "Host not found" - exception possible ?

Dear Community,

as we need to support many customers via VPN, I often have to deal with setting rules,
to allow VPN Clients to connect to remote sites from inside our network.

Always easy until now:
A customer came up with the Zscaler Client and I wasn't able to make settings for this connection to my satisfaction.
I only get it working, when I disable Pharming Protection, which is not what I want !

Here the Details:
Regarding, what I can see on the Web Filter Log, Zscaler seems to connect in two stages
- first it connects to the Zscaler endpoint at the customer's site and promts me to login
- when this is done, it tries to connect to some URL of the Zscaler infrastructure "https://driv.com.c2.prod.zpath.net/"

And that's where the UTM (V 9.605-1) breaks it.
The URL seems to be some kind of "virtual URL", which is not resolvable.
Even an online DNS lookup delivers no result.
So Web Filtering blocks the attempt of the Client, to contact this URL with the error "Host not found"

Now it would be nice, to simply disable the URL check for this very URL.

But no matter what exception or bypass I define in the Web Filter Rules - block action takes part before regarding any exclusions.
The only way, to get around is, to disable Pharming Protection.
To me this is no real solution, as I totally disable a security feature, instead of configuring an exception just for this URL.

The issue is similar to the behaviour described in this thread

Any ideas how to resolve this issue are highly appreciated

Best Regards  RanX



This thread was automatically locked due to age.
Parents
  • Guessing why Pharming Protection is a problem:

    Normal Mode

    • Vendor DNS name returns a list of servers.
    • Application does a DNS lookup and gets a result.
    • Application establishes a connection to that server.
    • Application makes a second connection using IP address only.
    • Server verifies that both sessions can be linked.

    With Pharming Protection on:

    • Application does a DNS lookup and gets an IP
    • UTM does a DNS lookup and gets a different IP, which is the one actually used.
    • First session is connected successfully.
    • Application attempts the second connection using its cached IP.
    • The two sessions are now on different servers and the connection fails.
  • Good Morning Douglas !

    The second part of the description is not completely correct.
    I also don't know, why it was marked as answer.
    It only describes the behaviour but does not provide a solution, to get around this.

    But to give a general description, of what happens in my case and in the thread I referred to ("snapchat is blocked")

    With Pharming Protection on:

    • Application however seems to be able to do a DNS lookup of it's "special" URL and gets an IP
    • in contrary a "manual" request of official DNSes for the same URL will not give a result
    • UTM does a DNS lookup and gets no IP, as it also can request only official DNS servers
    • UTM returns "Host not found" and refuses connection

    The only way to resolve this, would be, to somehow exclude these URLs from Pharming Protection.
    But at present, I did not find any method to accomplish this.

    So either there is a way I've overseen or if this is a feature, which is still missing in Pharming Protection.

    Best Regards

    RanX

  • Hallo RanX,

    Doug is right - there's nothing you can do other than disable pharming protection.  I've done that at many client sites.  An Exception is a good suggestion.  You might mention it at Ideas and then come back here and provide a link to it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hallo RanX,

    Doug is right - there's nothing you can do other than disable pharming protection.  I've done that at many client sites.  An Exception is a good suggestion.  You might mention it at Ideas and then come back here and provide a link to it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data