May I ask if ZAC can configure the intranet to the Ziti network? If possible, is there a tutorial available? thanks!
Hi @guojinlong1, welcome to the community and to OpenZiti!
I'm not sure I understand the question. Are you looking to tunnel all traffic through an OpenZiti overlay network? Could you maybe explain the question more?
Hello! What I would like to ask is, I have built a simple OpenZiti network according to the tutorial you provided in "Routing to the Web Server". Now, I have a web service similar to "hello world" that needs to be configured into the OpenZiti network. Can I use the functions in ZAC to implement it?
The ZAC should contain all the functionality that is available from the ziti CLI tool. So, yes. I would expect you to be able to do anything with the ZAC you could do with the ziti cli. That help?
You absolutely can do that. You will need to run ziti at your webserver site.
Thank you for your reply. How should I proceed? Is there a tutorial or detailed steps available?
Thank you for your reply. How should I implement it? I have no idea, may I ask if you provide a tutorial or detailed steps?
I don't think we have any detailed walkthroughs specifically using Zac. This could be a topic for ziti tv this week though, maybe. I could show how to create services using Zac this Friday on YouTube at 11 am.
"Sure, thank you. Is it a live broadcast? Will there be a replay available? There might be a time conflict for me as I need to attend other activities and cannot watch and learn in real-time."
Yes it's in our YouTube channel at 11 am us Eastern time. You can watch all the previous streams on YouTube
Okay, thank you very much.
hopefully this helps:
Hi Clint!
i think i have followed all the step, everithing look ok, but it does not work! 
I try directly on linux host try with docker all look ok but no communication.
Do you have any cue where to look to debug and find where i $%?& up!! lol!
Thanks
Patrick
here is more info...
Hi @caspat, welcome to the community and to OpenZiti!
You didn't list the service configurations. Did you create an intercept.v1 and host.v1 config? When you say "it doesn't work", can you tell me what exactly doesn't work?
Here are the things I would do:
- run 'policy advisor':
ziti edge policy advisor identities -q. Make sure you see thevi-conteneur-01has bind andPathas dial access toGuac. Looking at what you sent, that should be the case. You could also look at the windows tunneler - if you see a service listed, you're probably fine. - make sure the service from the windows has an intercept. Click on your identity and make sure you see an 'intercept address'. Something like this:
- Assuming you see an intercept address, open your browser and go to that address. Once that happens, Open Main Menu-> Advanced Settings -> Service Logs to open your ZDEW logs. Look in there for this log:
[2024-04-16T00:59:15.446Z] INFO tunnel-cbs:ziti_dns.c:500 format_resp() found record[100.64.0.4] for query[1:guac]
- assuming you see that messsge, go to the linux tunneler and look at the logs from it.
I would look at both of those logs first for hints as to what's going wrong. If you want to DM me your logs from the windows computer and the linux tunneler, I'll take a look. There should be something very obviously wrong in there, for example here my tunneler couldn't authenticate:
[2024-04-16T01:01:02.618Z] WARN ziti-sdk:connect.c:451 connect_get_net_session_cb() conn[0.794/WfTZby7D/Connecting] failed to get 'Dial' session for service[mattermost.tools.netfoundry.io]: UNAUTHORIZED(The request could not be completed. The session is not authorized or the credentials are invalid)
[2024-04-16T01:01:02.618Z] ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: failed to authenticate
Thanks for the reply!
ok, this look good,
that too,
the log, look ok but a lots of other errors!?
(99620)[2024-04-16T02:00:03.967Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(99620)[2024-04-16T02:00:03.967Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[1] reconnecting in 126127ms (attempt = 330)
(99620)[2024-04-16T02:02:10.699Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(99620)[2024-04-16T02:02:10.699Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[1] reconnecting in 57132ms (attempt = 331)
(99620)[2024-04-16T02:03:07.838Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(99620)[2024-04-16T02:03:07.838Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[1] reconnecting in 145755ms (attempt = 332)
(99620)[2024-04-16T02:05:33.957Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(99620)[2024-04-16T02:05:33.957Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[1] reconnecting in 151686ms (attempt = 333)
(99620)[2024-04-16T02:05:52.563Z] INFO ziti-sdk:posture.c:868 ziti_endpoint_state_change() ztx[0] endpoint state change reported: woken[FALSE] unlocked[TRUE]
(99620)[2024-04-16T02:05:52.803Z] INFO ziti-sdk:posture.c:858 ziti_endpoint_state_pr_cb() ztx[0] endpoint state sent
(99620)[2024-04-16T02:07:49.356Z] INFO tunnel-cbs:ziti_dns.c:503 format_resp() found record[100.64.0.11] for query[1:guac.secure]
(99620)[2024-04-16T02:08:05.996Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(99620)[2024-04-16T02:08:05.996Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[1] reconnecting in 100150ms (attempt = 334)
On the linux tunneler i have the same message about the edge router...
Some info about the router...
Ok, enough for tonight... my bed is calling me!! 
Yes. this here:
(99620)[2024-04-16T02:00:03.967Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[1] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
That makes me the router is not reachable by your tunnelers and it MUST be reachable.
Open your edge router's config file and find these sections:
link:
dialers:
- binding: transport
listeners:
- binding: transport
bind: tls:0.0.0.0:10080
advertise: tls:ec2-3-18-113-172.us-east-2.compute.amazonaws.com:10080
options:
outQueueSize: 4
listeners:
# bindings of edge and tunnel requires an "edge" section below
- binding: edge
address: tls:0.0.0.0:8442
options:
advertise: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442
connectTimeoutMs: 5000
getSessionTimeout: 60
- binding: tunnel
See how the 'advertise' address is some externally reachable url/port? I expect your edge router is to an incorrect value, or the port assigned is blocked.
Test/verify you can connect to it by using openssl:
openssl s_client -connect ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442 </dev/null
(obviously replace the url/ip/port with yours)
Ok, Thanks agan for your help! 
Dont know why but the port was set to 3022...
link:
dialers:
- binding: transport
listeners:
- binding: transport
bind: tls:0.0.0.0:10080
advertise: tls:ziti-edge-router:10080
options:
outQueueSize: 4
listeners:
- binding: edge
address: tls:0.0.0.0:3022
options:
advertise: ziti-edge-router:3022
connectTimeoutMs: 5000
getSessionTimeout: 60 - binding: tunnel
options:
mode: host #tproxy|host
i'm now able to have an openssl response, but, i still get error.
linux tunneller:
Apr 16 07:32:06 vi-conteneur-01 systemd[1]: Stopping Ziti Edge Tunnel...
Apr 16 07:32:06 vi-conteneur-01 systemd[1]: ziti-edge-tunnel.service: Deactivated successfully.
Apr 16 07:32:06 vi-conteneur-01 systemd[1]: Stopped Ziti Edge Tunnel.
Apr 16 07:32:06 vi-conteneur-01 systemd[1]: Starting Ziti Edge Tunnel...
Apr 16 07:32:06 vi-conteneur-01 ziti-edge-tunnel.sh[679933]: NOTICE: no new JWT files in /opt/openziti/etc/identities/*.jwt
Apr 16 07:32:06 vi-conteneur-01 systemd[1]: Started Ziti Edge Tunnel.
Apr 16 07:32:06 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 0.000] INFO ziti-sdk:utils.c:199 ziti_log_set_level() set log level: root=4/DEBUG
Apr 16 07:32:06 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 0.000] INFO ziti-sdk:utils.c:168 ziti_log_init() Ziti C SDK version 0.36.9 @d336721(HEAD) starting at (2024-04-16T11:32:06.141)
Apr 16 07:32:06 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 0.000] INFO ziti-edge-tunnel:instance-config.c:86 load_tunnel_status_from_file() Loading config file from /var/lib/ziti/config.json
Apr 16 07:32:06 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 0.101] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3001/temporary failure]
Apr 16 07:32:14 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 8.436] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3001/temporary failure]
Apr 16 07:32:18 vi-conteneur-01 ziti-edge-tunnel[679934]: (679934)[ 12.653] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3001/temporary failure]
Mac tunneler:
(11770)[2024-04-16T11:35:43.560Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(11770)[2024-04-16T11:35:43.560Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 15840ms (attempt = 2)
(11770)[2024-04-16T11:35:59.403Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(11770)[2024-04-16T11:35:59.403Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 12818ms (attempt = 3)
(11770)[2024-04-16T11:36:12.227Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(11770)[2024-04-16T11:36:12.227Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 65183ms (attempt = 4)
(11770)[2024-04-16T11:37:17.737Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(11770)[2024-04-16T11:37:17.737Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 79362ms (attempt = 5)
(11770)[2024-04-16T11:38:37.337Z] ERROR ziti-sdk:channel.c:899 on_channel_connect_internal() ch[0] failed to connect to ER[ziti-edge-router] [-3008/unknown node or service]
(11770)[2024-04-16T11:38:37.337Z] INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 92286ms (attempt = 6)
Patrick
the next problem you'll have is your advertise address is incorrect. You can see it shows ziti-edge-router. By chance, are you running the router from withing docker? If you used the bash-based expressInstall, if it were me, truly the easiest thing to do is to ziti edge delete that edge router, set the variables the doc page calls out, and rerun the commands to create and enroll that edge router.
Which method did you use? I can show you the commands to set to clean that router up.
I have use the docker compose...
Ok i'm gonna try to start as new again and see if it help!
Before you do, let me try to find the discourse post where I talk about how you can use compose... It's on here somewhere, I'll try to find it