Applicable to:
- Twingate Component: Client
Overview
Zscaler has been observed to intercept the Twingate Client's TLS session and return its own certificate in place of the controller's. The Client pins the controller certificate, so the substituted certificate fails validation and the Client cannot open its secure channels.
Symptoms
In twingate.log on Windows devices you may see log entries like the following (the pinning warning followed by a trust-relationship failure):
[WARN] [client] SSL check error from host: <twingate_network>.twingate.com. SSL Certificate is not pinned! [ApiCertificateValidationService.Callback]
[ERROR] [client] Failed to validate controller url [ControllerServerValidator.ValidateAsync] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
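A small triage helper, added here as an example and not part of Twingate's or Zscaler's own tooling: it scans twingate.log-style lines for the two symptom signatures quoted above, and classifies a presented certificate's issuer so you can confirm that an inspection proxy is re-signing the controller certificate. The log lines, tenant host name and issuer values in the block are constructed samples; the default issuer marker ("Zscaler") is an assumption drawn from this article, so extend it for other inspection products in your environment.

```python
"""Triage helper for the Zscaler / Twingate TLS-interception symptom.

Added example, not Twingate's or Zscaler's own code.  It does two things:
  1. scans twingate.log-style lines for the pin-validation / trust failures
     quoted in the article, and
  2. classifies a TLS issuer name so you can confirm an interception proxy
     is re-signing the controller's certificate.
Host names, log lines and issuer values below are constructed samples.
"""
import re
import socket
import ssl

# Signatures taken from the log snippets in the article.
PIN_FAILURE = re.compile(
    r"SSL check error from host: (?P<host>\S+)\. SSL Certificate is not pinned!"
)
TRUST_FAILURE = re.compile(
    r"Could not establish trust relationship for the SSL/TLS secure channel"
)


def scan_log(lines):
    """Return one finding per line that matches a known interception symptom."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = PIN_FAILURE.search(line)
        if m:
            findings.append({"line": n, "kind": "pin_failure", "host": m.group("host")})
        elif TRUST_FAILURE.search(line):
            findings.append({"line": n, "kind": "trust_failure", "host": None})
    return findings


def issuer_organizations(issuer):
    """Flatten the issuer tuple returned by ssl.SSLSocket.getpeercert()['issuer']
    into the list of organizationName values."""
    return [
        value
        for rdn in issuer
        for (attr, value) in rdn
        if attr == "organizationName"
    ]


def looks_intercepted(issuer, proxy_markers=("Zscaler",)):
    """True if any issuer O= field names a known TLS-inspection product.
    The default marker covers the product discussed in the article (assumption);
    add markers for other inspection proxies in your environment."""
    orgs = issuer_organizations(issuer)
    return any(marker.lower() in org.lower() for org in orgs for marker in proxy_markers)


def fetch_issuer(host, port=443, timeout=5.0):
    """Live check: connect and return the issuer tuple of the presented leaf cert.
    Verification stays on, so an untrusted interception cert raises ssl.SSLError,
    which is itself the symptom; catch it and read the message."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]


# Constructed sample input shaped like the article's twingate.log lines.
SAMPLE_LOG = [
    "[INFO] [client] Starting controller validation",
    "[WARN] [client] SSL check error from host: example-tenant.twingate.com. "
    "SSL Certificate is not pinned! [ApiCertificateValidationService.Callback]",
    "[ERROR] [client] Failed to validate controller url [ControllerServerValidator.ValidateAsync] "
    "System.Net.Http.HttpRequestException: An error occurred while sending the request. "
    "---> System.Net.WebException: The underlying connection was closed: "
    "Could not establish trust relationship for the SSL/TLS secure channel.",
]

# Constructed issuers in the getpeercert() tuple-of-tuples layout.
SAMPLE_INTERCEPTED_ISSUER = (
    (("countryName", "US"),),
    (("organizationName", "Zscaler Inc."),),
    (("commonName", "Example Inspection CA"),),
)
SAMPLE_PUBLIC_ISSUER = (
    (("countryName", "US"),),
    (("organizationName", "Example Public CA"),),
    (("commonName", "Example RSA CA 2024"),),
)

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("intercepted:", looks_intercepted(SAMPLE_INTERCEPTED_ISSUER))
```

Run `scan_log` over a real twingate.log to find the affected host and line, then call `fetch_issuer("<tenant>.twingate.com")` from the affected device: a clean connection returns a public CA issuer, while an inspected one either returns an issuer that `looks_intercepted` flags or raises an `ssl.SSLError` because the proxy's CA is not trusted by Python's default store, which mirrors the trust failure in the Client's log.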
Resolution
The Zscaler service on Windows devices keeps running even when Zscaler is not connected. For Twingate to work properly, Zscaler must therefore either be uninstalled, or its service must be stopped and disabled so it does not start again (simply exiting the program is not enough).
In some cases Twingate and Zscaler can run at the same time if the following configuration changes are made:
Step 1:
Go to the Zscaler admin console and, under Administration → IP & FQDN Groups → Destination IPv4 Groups, create a group for SSL inspection bypass and add the following to it: .twingate.com
Step 2:
In the Zscaler admin console, under Policy → Zscaler Client Connector Portal → Windows, edit the applicable policy under HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY and add the following as an exception (replacing <tenant> with your own tenant name): <tenant>.twingate.com
Step 3:
Update the policy on the Zscaler local agent so the new bypass takes effect.
Compatibility on other OS platforms has not been confirmed or tested. Should the same issue appear on macOS or Linux, the resolution would be the same.