Wildcard intercept stops working when a host-specific RDP service is also assigned

Hi all,

I’m running into an odd behavior with two ZTNA services assigned to the same Edge client:

  • Service A (wildcard): intercepts *.subdomian.example.tld and .subdomian.example.tld for a range of TCP/UDP ports (Kerberos, LDAP, SMB, NTP, ephemeral, GC ports, etc.).

  • Service B (host-specific RDP): intercepts adc01.subdomian.example.tld on TCP/3389 only.

Once both services are assigned, the wildcard *.subdomian.example.tld no longer works for the other ports. It looks like only TCP/3389 is actually captured and sent over the tunnel, while traffic to other ports that should match the wildcard service goes direct.

Expectation: When multiple services with overlapping address patterns are assigned, I expected the client to merge/union the intercepts so both sets of ports
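For reference, here is what two overlapping intercept.v1 configs of this shape look like; this is an added illustration, not the poster's actual configs (those went via DM), and the port numbers are assumed standard AD values where the post only says "etc.":

```json
{
  "_comment": "Service A (wildcard) - added illustration, not the original poster's config",
  "protocols": ["tcp", "udp"],
  "addresses": [
    "*.subdomian.example.tld",
    ".subdomian.example.tld"
  ],
  "portRanges": [
    {"low": 88,    "high": 88},
    {"low": 123,   "high": 123},
    {"low": 389,   "high": 389},
    {"low": 445,   "high": 445},
    {"low": 3268,  "high": 3269},
    {"low": 49152, "high": 65535}
  ]
}
```

Service B is the same structure with `"protocols": ["tcp"]`, `"addresses": ["adc01.subdomian.example.tld"]` and a single `{"low": 3389, "high": 3389}` range; the expectation is that a dial to adc01 on 389 still matches Service A while 3389 goes to Service B.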

I’ll take a look. To avoid mixups, can you please send your service configurations? Also which client/version are you using?

Thanks for the configs (sent via DM). I’d still like to know which client you’re using. I tried a similar setup with ziti-edge-tunnel on Linux and the services were correctly intercepted and distinguished from each other.

Could you increase the tunneler’s log level to TRACE/6 and send the logs after trying connections to the wildcard service and the rdp service?

Thanks!

Thanks, I will send a trace for you.

We are using the Windows client, newest stable version.