In this article:
- Twingate Component: Client
ZScaler has been observed intercepting the Twingate TLS session. The certificate returned to the Twingate Client is then invalid, so the Client is unable to open secure channels.
In twingate.log on Windows devices you may see log snippets like the ones below.
[WARN] [client] SSL check error from host: <twingate_network>.twingate.com. SSL Certificate is not pinned! [ApiCertificateValidationService.Callback]
[ERROR] [client] Failed to validate controller url [ControllerServerValidator.ValidateAsync] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
The ZScaler service on Windows devices runs even when not connected. As such, for Twingate to work properly, ZScaler must be uninstalled, or the ZScaler service must be stopped and disabled from running; simply exiting the program is not enough.
Compatibility on other OS platforms has not been confirmed or tested. Should any issues be present on macOS or Linux, the resolution would be the same.
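To check a twingate.log for the two signatures shown above, the following added example (not Twingate's own code) scans log lines for the pinning warning and the controller trust failure and reports whether both are present. The timestamp prefix, the [INFO] line and the "example" network name in the sample are constructed assumptions.

```python
import re
from collections import Counter

# Signatures copied from the log snippets shown in this article.
ENTRY_RE = re.compile(r"\[[A-Z]+\] \[\w+\]")  # start of a log entry, e.g. "[WARN] [client]"
PIN_RE = re.compile(r"SSL check error from host: (?P<host>\S+?)\. SSL Certificate is not pinned!")
VALIDATE_RE = re.compile(r"\[ERROR\] \[client\] Failed to validate controller url")
TRUST_MARKERS = (
    "Could not establish trust relationship for the SSL/TLS secure channel",
    "The remote certificate is invalid according to the validation procedure",
)


def scan_log(lines):
    """Count pinning warnings per host and controller trust failures."""
    pin_hosts = Counter()
    trust_failures = 0
    in_validate_error = False
    for line in lines:
        if ENTRY_RE.search(line):  # a new entry begins on this line
            in_validate_error = bool(VALIDATE_RE.search(line))
            match = PIN_RE.search(line)
            if match:
                pin_hosts[match.group("host")] += 1
        # The exception text may share the entry's line or follow on continuation lines.
        if in_validate_error and any(marker in line for marker in TRUST_MARKERS):
            trust_failures += 1
            in_validate_error = False  # count each error entry once
    return {
        "pin_hosts": dict(pin_hosts),
        "trust_failures": trust_failures,
        # Both signatures together match the pattern described in this article.
        "interception_suspected": bool(pin_hosts) and trust_failures > 0,
    }


# Constructed sample: timestamps, the [INFO] line and the "example" network name are made up.
SAMPLE_LOG = """\
2024-01-01 10:00:00 [INFO] [client] Starting
2024-01-01 10:00:01 [WARN] [client] SSL check error from host: example.twingate.com. SSL Certificate is not pinned! [ApiCertificateValidationService.Callback]
2024-01-01 10:00:01 [ERROR] [client] Failed to validate controller url [ControllerServerValidator.ValidateAsync] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG.splitlines()))
```

To run it against a real log, pass the file's lines to `scan_log`, for example `scan_log(open(path, encoding="utf-8", errors="replace"))`.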