Forum Discussion

GDC1-TRG-F5
Dec 06, 2024

APM Proxy Handling Conflict

We have a setup using F5 APM to connect to VPN and Zscaler as a Proxy.

Client proxy settings are disabled on the APM. Zscaler gives the PAC to users locally.

Machines on Windows 11 were unable to connect to VPN.

On further verification, it was observed that both F5 and Zscaler are contending to enforce the proxy PAC.

As per the article below, it's by design that F5 modifies the system proxy configuration, merging the user's local proxy settings with the remote proxy settings.

BIG-IP APM Edge Client local and remote proxy configuration handling

With Zscaler enforcing the PAC locally, the user is unable to connect, and with Zscaler not giving the PAC, the configs in the local PAC are not visible to users, which is not a feasible option.

Hosting the Proxy /PAC completely on F5 is also not an option.

I would like to understand:
1. Is this a known issue with Windows 11 machines?
2. Is it possible to disable this PAC behaviour on APM?
3. Can any solutions be suggested for configuring PAC with both Zscaler (local) and F5 (remote)?

  • Hi

    Cause: The F5 VPN adapter keeps trying to change the proxy setting because the F5 BIG-IP APM option "Use Local Proxy Settings" is disabled, which conflicts with Zscaler best practice (Best Practices for Zscaler Client Connector and VPN Client Interoperability - Step 2: Configure Proxy Settings for Users' Devices): https://help.zscaler.com/zscaler-client-connector/best-practices-zscaler-client-connector-and-vpn-client-interoperability


    Try to enable "Use Local Proxy Settings" in F5 BIG-IP APM.


    Enrique Pernas 

  • Hi Enrique

    Thanks
    We have VPN gateway addresses defined under "Client Proxy Exclusion List", but it is not part of the Zscaler PAC.
    Will the VPN traffic be routed through Zscaler according to the PAC settings?

    • Enrique_Pernas

      Hi GDC1-TRG-F5

      You should prevent both products from trying to configure the proxy of your clients. Either the proxy configuration is driven by the Zscaler agent or the proxy configuration is driven by F5, BUT not both.

      To ensure that F5 does not drive the proxy configuration and the Zscaler agent does, the solution is:

      • You must ensure that the VPN client is not configured to change proxy settings on users' devices, THEN "Try to enable Use Local Proxy Settings in F5 BIG-IP APM". When Use Local Proxy Settings is enabled, after the F5 VPN client establishes a network access connection, proxy settings configured on the client continue to be used. The Use Local Proxy Settings option instructs F5 not to merge or overwrite the local proxy configuration.


      If it is not possible to change the configuration on the BIG-IP APM side, you must change the Zscaler agent behaviour to never alter your client proxy settings (perhaps change the forwarding profile for Z-Tunnel 1.0 + "Proxy Action Type" to "Never" from the ZCC admin portal. Never: If you select this option, Zscaler Client Connector never alters your proxy settings).

      >> Will the VPN traffic be routed through Zscaler according to the PAC settings?

      YES. During the F5 VPN tunnel connection establishment, if the Zscaler agent is active, the F5 VPN traffic depends on the PAC file in Zscaler or on the Zscaler agent configuration. The usual way is to make an exception in the Zscaler PAC file or in the Zscaler configuration to do a "VPN Gateway bypass".


      Enrique Pernas

  • Thanks Enrique
    So in that case, does the traffic to VPN gateways have to be added to the exclusion explicitly, or can Edge Client manage that?

    • Enrique_Pernas

      BIG-IP Edge Client can only manage proxy configuration after the tunnel is established:

      • Local Proxy Settings disabled: After BIG-IP Edge Client establishes the tunnel, it merges the remote and local proxy configuration.
      • Local Proxy Settings enabled: After BIG-IP Edge Client establishes the tunnel, the local proxy configuration or proxy settings configured on the computer continue to be used.


      Before the tunnel is established, BIG-IP Edge Client uses the computer's local proxy configuration (DIRECT if you exclude the VPN gateway, or via PROXY if you don't exclude the VPN gateway in the computer's local proxy configuration).
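Added example (not from the thread, and not F5 or Zscaler code): a minimal PAC file in the style of the "VPN Gateway bypass" Enrique describes, returning DIRECT for the VPN gateway names and address range so the Edge Client reaches the gateway without the proxy, and sending everything else to the Zscaler proxy. The gateway names, address range and proxy address are constructed placeholders, and the PAC helpers (dnsDomainIs, shExpMatch, isInNet) are simplified stand-ins for the ones the browser or OS normally supplies, so the file can be evaluated outside a browser.

```javascript
// Placeholder values: replace with your real VPN gateway names/range and Zscaler proxy.
const VPN_GATEWAYS = ["vpn.example.com", "vpn-*.example.com"];   // constructed
const VPN_GATEWAY_NET = "203.0.113.0";                          // constructed (TEST-NET-3)
const VPN_GATEWAY_MASK = "255.255.255.0";
const ZSCALER_PROXY = "PROXY zscaler-proxy.example.net:80";      // constructed

// --- Simplified stand-ins for the PAC helper functions a browser provides ---
function dnsDomainIs(host, domain) {
  // Matches "domain" itself or any name under it (domain may start with ".").
  const d = domain.startsWith(".") ? domain : "." + domain;
  return host === domain || host.endsWith(d);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run, "?" matches one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}
function ipToInt(ip) {
  if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function isInNet(host, net, mask) {
  // Only dotted-quad hosts are checked here; a real PAC engine would resolve names.
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// --- The PAC entry point ---
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. VPN gateway bypass: tunnel setup must not be sent through the proxy.
  for (const gw of VPN_GATEWAYS) {
    if (dnsDomainIs(host, gw) || shExpMatch(host, gw)) return "DIRECT";
  }
  if (isInNet(host, VPN_GATEWAY_NET, VPN_GATEWAY_MASK)) return "DIRECT";
  // 2. Keep loopback and RFC 1918 destinations off the proxy.
  if (host === "localhost" || isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // 3. Everything else goes to Zscaler (no trailing DIRECT, so it fails closed).
  return ZSCALER_PROXY;
}
```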